Cryptomining hacks aren’t new by any stretch, but a string of recent incidents is raising eyebrows. ZDNet reports that culprits infected multiple European supercomputers with Monero mining malware in the past week, including the University of Edinburgh’s ARCHER, five of bwHPC’s computer clusters and most recently a cluster at Munich’s Ludwig-Maximilians University. That’s unusual by itself, but there appears to be a common thread between the hacks.
Cado Security has determined that the attacks were carried out with stolen SSH (Secure Shell) credentials belonging to users at universities in Canada, China and Poland, and that the intrusions share similar malware file names, the same vulnerability and other common technical indicators. That overlap suggests they may be the work of a single actor. In the case of ARCHER, the logins appear to have come from Chinese IP addresses, though source addresses are weak evidence of who is responsible when the access itself was obtained through accounts stolen elsewhere.
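Because the initial access was a valid login rather than an exploit, the most useful early signal on an affected cluster is an accepted SSH session that does not fit the user's normal source network, or one external address that logs in as several different users in succession. The following is an added example, not code from Cado Security, ZDNet or any of the affected sites: it parses standard sshd "Accepted ... for ... from ..." lines and reports both patterns. The log lines, the user names and the campus allowlist (10.20.0.0/16) are constructed for illustration; the external addresses are documentation ranges, not real attacker infrastructure.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the incidents described).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
May 11 02:14:07 login1 sshd[2181]: Accepted publickey for alice from 10.20.30.40 port 51022 ssh2: RSA SHA256:abc
May 11 02:15:31 login1 sshd[2190]: Accepted publickey for alice from 203.0.113.77 port 40112 ssh2: RSA SHA256:abc
May 11 02:16:02 login1 sshd[2201]: Failed password for bob from 198.51.100.9 port 33020 ssh2
May 11 03:40:19 login1 sshd[2310]: Accepted password for bob from 203.0.113.77 port 52210 ssh2
May 11 03:41:55 login1 sshd[2322]: Accepted publickey for carol from 10.20.31.5 port 33021 ssh2: ED25519 SHA256:def
"""

# Matches only successful logins; "Failed ..." lines are ignored.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)

# Hypothetical allowlist: the site's own campus ranges. Anything outside it
# is worth a second look, whether the login used a key or a password.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_accepted(log_text):
    """Yield (user, ip, method) for each successful sshd login line."""
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            yield m["user"], ipaddress.ip_address(m["ip"]), m["method"]


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if the address falls inside one of the allowlisted networks."""
    return any(ip in net for net in nets)


def flag_logins(log_text, nets=TRUSTED_NETS):
    """Return findings as (kind, user(s), ip, method) tuples.

    untrusted_source: a successful login from outside the allowlist.
    shared_source:    one external address that logged in as more than one
                      user, which is how a single intruder working through a
                      batch of stolen credentials tends to look.
    """
    findings = []
    users_by_ip = defaultdict(set)
    for user, ip, method in parse_accepted(log_text):
        if not is_trusted(ip, nets):
            findings.append(("untrusted_source", user, str(ip), method))
            users_by_ip[ip].add(user)
    for ip, users in users_by_ip.items():
        if len(users) > 1:
            findings.append(("shared_source", ",".join(sorted(users)), str(ip), ""))
    return findings


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_LOG):
        print(*finding)
```

On a real login node the input would be /var/log/auth.log or the output of `journalctl -u sshd`, and the allowlist would be the site's actual address space; the point of the second check is that a stolen-credential campaign is often invisible per user (each login is "valid") and only shows up when logins are grouped by source.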