Security and IT administrators at ARCHER, the UK's national supercomputing service, are still working on restoring services more than four days after cyberattackers forced it offline.
The Monday afternoon incident came amid US accusations of agents believed to be working on behalf of the Chinese government attacking systems and networks belonging to academic, pharmaceutical, and healthcare organizations involved in COVID-19 research.
Earlier this month, the UK's National Cyber Security Centre (NCSC) had issued a similar warning about advanced persistent threat groups targeting COVID-19-related research efforts, but it stopped short of naming China as the party behind the attacks.
A statement on the ARCHER website Friday noted that staffers are working on diagnosing the attack and understanding its full scope. All existing ARCHER passwords and SSH keys for secure authentication are being changed and are no longer valid, the statement said.
When service eventually resumes, all users will be required to use two-factor authentication — comprised of a password and an SSH key with passphrase — to access it.
"It is imperative that you do not reuse a previously used password or SSH key with a passphrase," ARCHER said.
ARCHER provides supercomputing services to academic researchers and industrial users who need to run large calculations and simulations such as those involved in modeling the COVID-19 outbreak. ARCHER services are available to researchers in the UK and other countries. Its core hardware comprises a Cray XC30 massively parallel supercomputer with 111,080 Intel Ivy Bridge processing cores. The original Archer service launched in Nov. 13 and is currently being transitioned over to a new 28 petaflops Cray supercomputer with 748,544 AMD cores.
ARCHER first disclosed the intrusion on Monday, May 11. It described the incident as involving an exploit on ARCHER login nodes and pulled the service offline. It has been investigating the incident since then. On Wednesday ARCHER said the intrusion on its systems appears to have been part of a broader campaign that had impacted systems across the academic community in the UK and across Europe. The supercomputing center is scheduled to provide its next update on the situation Monday.
Chris Morales, head of security analytics at Vectra, says the relatively extended downtime at ARCHER is likely precautionary in nature and tied to the need to reissue keys and passwords to all researchers.
"Invalidating all remote sessions and reissuing keys and passwords on a remote terminal is the equivalent of performing a reboot on a local PC," he says.
Attacks Targeting COVID-19 Research
At the moment there is no public evidence that the intrusion was targeted in nature. But it is likely tied to the broader targeting of biomedical and pharmaceutical research related to a cure for COVID-19, Morales says.
"The cure for COVID might be the most valuable thing in the world right now," he says. "And, unfortunately, where there is value, there is crime.”
In a public service announcement this week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were investigating reports of cyber compromise and targeting at US organizations conducting research on COVID-19. They described the attacks as involving cyber actors and "non-traditional collectors" working on behalf of the People's Republic of China.
The FBI and CISA warned organizations involved in COVID-19-related research to be on the lookout for targeted cyberattacks and urged them to patch critical vulnerabilities on Internet-facing systems and software. They also urged organizations to scan Web applications for unauthorized access and signs of anomalous activity and to require multifactor authentication for access.
Terence Jackson, CISO at Thycotic, says ARCHER did not appear to use strong authentication prior to the incident. It is more important than ever for companies to enforce multifactor authentication and implement other measures to prevent credential abuse, he says.
"Attackers have doubled down during the Covid-19 pandemic, and we must close easy gaps," Jackson says.
- COVID-19: Latest Security News & Commentary
- China-Based Cyber Espionage Group Targeting Orgs in 10 Countries
- Cyber Theft, Humint Helped China Cut Corners on Passenger Jet
- Public Exposure Does Little to Slow China-Based Thrip APT
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.