Danger zone! Brit research supercomputer ARCHER hit with SSH-nixing cyber attack

One of Britain’s most powerful academic supercomputers has fallen victim to a “security exploitation” of its login nodes, forcing the rewriting of all user passwords and SSH keys.

The incident, which is understood to be under investigation by GCHQ offshoot the National Cyber Security Centre (NCSC), rendered the ARCHER high-performance computing (HPC) network unavailable to its users on Tuesday.

Sysadmins warned ARCHER users that their SSH keys may have been compromised as a result of the apparent attack, advising them to “change passwords and SSH keys on any other systems which you share your ARCHER credentials with”.

In a statement posted to the project’s status page, ARCHER admins said the apparent attack had seen several academic high-performance computers disrupted across Europe in addition to ARCHER. They added that: “Jobs that are currently running or queued will continue to run, but you will be unable to log in or to submit new jobs.”

“We now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe. We have been working with the National Cyber Security Centre (NCSC) and Cray/HPE in order to better understand the position and plan effective remedies.”

Knowledgeable sources speculated to The Register that ARCHER is an obvious resource for research work by computational biologists as well as those modelling the potential further spread of the novel coronavirus – and is therefore a target for hostile states looking to steal advances from British research into the virus, or to simply disrupt it.

American authorities are reportedly set to publicly blame China and Iran for trying to hack research institutions trying to develop a vaccine, according to an unsourced claim made in the New York Times newspaper. This appears to be linked to understated – and unspecific – warnings from NCSC earlier this month about advanced persistent threat (APT) hacker crews targeting counter-COVID-19 research.

Hosted by the University of Edinburgh, ARCHER is a Cray XC30 supercomputer with 118,080 Intel Xeon E5 CPU cores at its disposal. It was due to be retired and replaced this month, though the global pandemic has delayed its planned withdrawal and replacement. El Reg reported on ARCHER2 when it was confirmed in October 2019.

ARCHER is one of the most powerful supercomputers in the UK, although it is outclassed by the UK’s most powerful publicly known super, an eight-petaFLOPS 241,920-core Cray-Intel machine operated by the Meteorological Office, as well as by the European Centre for Medium-Range Weather Forecasts’ two Cray XC-40s, the Atomic Weapons Establishment’s in-house supercomputer and others. It is ranked 334th on the TOP500 list of the world’s most powerful supercomputers.

The latest updates on the ARCHER status page said: “Unfortunately, due to the severity of the situation, the ARCHER Service will not be returned before Friday 15th May. We will review the situation with UKRI and NCSC on Friday and will then provide a further update to you.”

Professor Alan Woodward of the University of Surrey told The Register: “To see a Cray being attacked is very unusual so I imagine it must be the computing infrastructure around it that has been attacked. Most users obviously don’t sit at a terminal directly attached to the supercomputers, so if the means for remote access is rendered inoperable it means the supercomputers become just an expensive lump of metal and silicon.

“Looks like someone has somehow managed to gain a secure shell on an access node. Assuming that’s true, it’s going to be a real pain as you’ll have to set everyone up again.”

An NCSC spokesman told The Register: “We are aware of this incident and are providing support. The NCSC works with the academic sector to help them improve their security practices and protect its institutions from threats.”

Cray, ARCHER’s operators, and counter-coronavirus research teams have been asked if they wish to comment. We will update this article as and when they respond. ®
