Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/15/2020
04:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

UK Supercomputing Service ARCHER Still Offline After Monday Attack

Incident comes amid US warnings about Chinese cybergroups targeting organizations involved in COVID-19-related research.

Security and IT administrators at ARCHER, the UK's national supercomputing service, are still working on restoring services more than four days after cyberattackers forced it offline.

The Monday afternoon incident came amid US accusations of agents believed to be working on behalf of the Chinese government attacking systems and networks belonging to academic, pharmaceutical, and healthcare organizations involved in COVID-19 research.

Earlier this month, the UK's National Cyber Security Centre (NCSC) had issued a similar warning about advanced persistent threat groups targeting COVID-19-related research efforts, but it stopped short of naming China as the party behind the attacks.

A statement on the ARCHER website Friday noted that staffers are working on diagnosing the attack and understanding its full scope. All existing ARCHER passwords and SSH keys for secure authentication are being changed and are no longer valid, the statement said.

When service eventually resumes, all users will be required to use two-factor authentication — comprised of a password and an SSH key with passphrase — to access it.

"It is imperative that you do not reuse a previously used password or SSH key with a passphrase," ARCHER said.

ARCHER provides supercomputing services to academic researchers and industrial users who need to run large calculations and simulations such as those involved in modeling the COVID-19 outbreak. ARCHER services are available to researchers in the UK and other countries. Its core hardware comprises a Cray XC30 massively parallel supercomputer with 111,080 Intel Ivy Bridge processing cores. The original Archer service launched in Nov. 13 and is currently being transitioned over to a new 28 petaflops Cray supercomputer with 748,544 AMD cores.

ARCHER first disclosed the intrusion on Monday, May 11. It described the incident as involving an exploit on ARCHER login nodes and pulled the service offline. It has been investigating the incident since then. On Wednesday ARCHER said the intrusion on its systems appears to have been part of a broader campaign that had impacted systems across the academic community in the UK and across Europe. The supercomputing center is scheduled to provide its next update on the situation Monday.

Chris Morales, head of security analytics at Vectra, says the relatively extended downtime at ARCHER is likely precautionary in nature and tied to the need to reissue keys and passwords to all researchers.  

"Invalidating all remote sessions and reissuing keys and passwords on a remote terminal is the equivalent of performing a reboot on a local PC," he says.

Attacks Targeting COVID-19 Research
At the moment there is no public evidence that the intrusion was targeted in nature. But it is likely tied to the broader targeting of biomedical and pharmaceutical research related to a cure for COVID-19, Morales says.

"The cure for COVID might be the most valuable thing in the world right now," he says. "And, unfortunately, where there is value, there is crime.”

In a public service announcement this week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were investigating reports of cyber compromise and targeting at US organizations conducting research on COVID-19. They described the attacks as involving cyber actors and "non-traditional collectors" working on behalf of the People's Republic of China.

The FBI and CISA warned organizations involved in COVID-19-related research to be on the lookout for targeted cyberattacks and urged them to patch critical vulnerabilities on Internet-facing systems and software. They also urged organizations to scan Web applications for unauthorized access and signs of anomalous activity and to require multifactor authentication for access.

Terence Jackson, CISO at Thycotic, says ARCHER did not appear to use strong authentication prior to the incident. It is more important than ever for companies to enforce multifactor authentication and implement other measures to prevent credential abuse, he says.

"Attackers have doubled down during the Covid-19 pandemic, and we must close easy gaps," Jackson says.

Related Content:

 

 

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gygeegin
50%
50%
gygeegin,
User Rank: Apprentice
5/17/2020 | 9:47:23 PM
thank you!
Thank you for sharing a good information.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...