Supercomputers offline across Europe

SuperMUC-NG

SuperMUC-NG at the LRZ - Photo: V. Hohenegger for LRZ

The high-performance computers at the LRZ still run jobs, but are so far not accessible from the network (as of 01.06.2020): Hackers had gained access to the systems, so LRZ took off the machines temporarily in mid-May. Online access to the systems should be possible again in the next few days but with restrictions in place. Not only the LRZ is affected, other supercomputers in Germany and Europe also report similar attacks. In the meantime, the Bavarian State Office of Criminal Investigation and the General Prosecutor's Office are investigating. Professor Dieter Kranzlmüller, director of the LRZ, on the current state of affairs.

DieterKranzlmüllerIn mid-May it became known that several supercomputers were hacked. The LRZ is also affected. What happened?
Prof. Dieter Kranzlmüller: Someone has penetrated our systems and manipulated them. Therefore, we immediately took the affected systems offline and informed the users that the computers were still working, but the results could no longer be accessed online. We are currently combing the systems for inconsistencies. The General Prosecutor's Office Cybercrime Bavaria (ZCB) and the Bavarian State Office of Criminal Investigation with its Cybercrime Section have started investigations and are supported by a team of five colleagues from the LRZ.

The LRZ is not the only compute centre that has been hacked?
Kranzlmüller: And also, not the first one. In the meantime, it is known that HPC systems all over Europe have been compromised. Open science, as we support it at the LRZ, also benefits from the worldwide cooperation of the best experts. In this case this has unfortunately turned out to be disastrous. Apparently, hackers have hijacked user accounts and were thus able to jump from local computers to the supercomputer, and then on from centre to centre. We are therefore in close contact with our two partners in the national Gauss Centre for Supercomputing (GCS), with the centres of the Gauß Allianz and, at European level, our PRACE partners, in order to gather information and to support the police in determining how the systems could be accessed and for what purpose.

Allegedly, the hackers were after research results around Corona or they wanted to use the resources of the supercomputers to mine crypto currencies. Which is it?
Kranzlmüller: These are all mere theories that we cannot exclude but cannot confirm either. Personally, I can't imagine that the Corona research was the target of the hacks. First of all, there were no major corona projects here at the beginning of the year when the first hacks were observed. In addition, the algorithms and data used by the researchers are so special that they are rather difficult to use for uninvolved third parties. Plus, these kinds of results are always published scientifically anyway. The Computer Security and Incident Response Team of the EGI, the European Grid Infrastructure, wants to know that some supercomputers have been infected with malware from crypto-currencies in order to harness the supercomputers for mining. But even this is merely a hypothesis that has not yet been proven. Our systems are constantly monitored - we would notice immediately if, for example, the power consumption suddenly increased or if large amounts of data are transferred out at once without prior consultation with the respective scientists.

Where did the attacks come from - the FBI concludes China.
Kranzlmüller: There is no evidence to support this either, and we would hold back on such suspicions.

How long will the systems at the LRZ remain offline and what has to happen to get them working normally again?
Kranzlmüller: We decide this after consultation with the investigating authorities and with our GCS partners. It is planned to bring the systems back online within the next few days - but with restrictions: To be on the safe side, the systems are only accessible to users from 8 a.m. to 6 p.m. so we can perform our increased monitoring functions. All users will also need new passwords and keys. Unfortunately, we will probably have to maintain these further safety measures for the time being, even if they restrict the openness our scientific partners are used to.
We hope that we can quickly get into regular operation, for which the machines must be reinstalled and ramped up step by step. It annoys and depresses me that science is slowed down by these attacks and that some projects are unnecessarily delayed as a result. We as a society are dependent on science and the gain of knowledge.

How secure are supercomputers in general against attacks?
Kranzlmüller: We were aware that such attacks are always possible. There can never be a such a thing as a 100 percent secure system. But if we are open about such attacks, we can learn a lot from them and become even better. It is also helpful that we have had many processes in place due to our IT service and IT security management protocols, which now make troubleshooting easier and which we can further refine and optimize analysing the attacks. The situation is similar with the current corona pandemic. We also had plans in place for such situations, but only now we are able to verify them in practice.

Read on:

https://csirt.egi.eu/2020/05/18/security-incidents-on-multiple-hpc-sites/
https://www.egi.eu/
https://www.sueddeutsche.de/digital/supercomputer-hacker-garching-corona-1.4909397
https://www.theregister.co.uk/2020/05/13/uk_archer_supercomputer_cyberattack/
https://www.heise.de/security/meldung/Mehrere-Hochleistungsrechenzentren-in-Europa-angegriffen-4721393.html
https://www.heise.de/security/meldung/Angriffe-auf-Hochleistungsrechner-Waren-es-Krypto-Miner-4722488.html