Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/15/2020
04:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

UK Supercomputing Service ARCHER Still Offline After Monday Attack

Incident comes amid US warnings about Chinese cybergroups targeting organizations involved in COVID-19-related research.

Security and IT administrators at ARCHER, the UK's national supercomputing service, are still working on restoring services more than four days after cyberattackers forced it offline.

The Monday afternoon incident came amid US accusations of agents believed to be working on behalf of the Chinese government attacking systems and networks belonging to academic, pharmaceutical, and healthcare organizations involved in COVID-19 research.

Earlier this month, the UK's National Cyber Security Centre (NCSC) had issued a similar warning about advanced persistent threat groups targeting COVID-19-related research efforts, but it stopped short of naming China as the party behind the attacks.

A statement on the ARCHER website Friday noted that staffers are working on diagnosing the attack and understanding its full scope. All existing ARCHER passwords and SSH keys for secure authentication are being changed and are no longer valid, the statement said.

When service eventually resumes, all users will be required to use two-factor authentication — comprised of a password and an SSH key with passphrase — to access it.

"It is imperative that you do not reuse a previously used password or SSH key with a passphrase," ARCHER said.

ARCHER provides supercomputing services to academic researchers and industrial users who need to run large calculations and simulations such as those involved in modeling the COVID-19 outbreak. ARCHER services are available to researchers in the UK and other countries. Its core hardware comprises a Cray XC30 massively parallel supercomputer with 111,080 Intel Ivy Bridge processing cores. The original Archer service launched in Nov. 13 and is currently being transitioned over to a new 28 petaflops Cray supercomputer with 748,544 AMD cores.

ARCHER first disclosed the intrusion on Monday, May 11. It described the incident as involving an exploit on ARCHER login nodes and pulled the service offline. It has been investigating the incident since then. On Wednesday ARCHER said the intrusion on its systems appears to have been part of a broader campaign that had impacted systems across the academic community in the UK and across Europe. The supercomputing center is scheduled to provide its next update on the situation Monday.

Chris Morales, head of security analytics at Vectra, says the relatively extended downtime at ARCHER is likely precautionary in nature and tied to the need to reissue keys and passwords to all researchers.  

"Invalidating all remote sessions and reissuing keys and passwords on a remote terminal is the equivalent of performing a reboot on a local PC," he says.

Attacks Targeting COVID-19 Research
At the moment there is no public evidence that the intrusion was targeted in nature. But it is likely tied to the broader targeting of biomedical and pharmaceutical research related to a cure for COVID-19, Morales says.

"The cure for COVID might be the most valuable thing in the world right now," he says. "And, unfortunately, where there is value, there is crime.”

In a public service announcement this week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were investigating reports of cyber compromise and targeting at US organizations conducting research on COVID-19. They described the attacks as involving cyber actors and "non-traditional collectors" working on behalf of the People's Republic of China.

The FBI and CISA warned organizations involved in COVID-19-related research to be on the lookout for targeted cyberattacks and urged them to patch critical vulnerabilities on Internet-facing systems and software. They also urged organizations to scan Web applications for unauthorized access and signs of anomalous activity and to require multifactor authentication for access.

Terence Jackson, CISO at Thycotic, says ARCHER did not appear to use strong authentication prior to the incident. It is more important than ever for companies to enforce multifactor authentication and implement other measures to prevent credential abuse, he says.

"Attackers have doubled down during the Covid-19 pandemic, and we must close easy gaps," Jackson says.

Related Content:

 

 

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gygeegin
50%
50%
gygeegin,
User Rank: Apprentice
5/17/2020 | 9:47:23 PM
thank you!
Thank you for sharing a good information.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25250
PUBLISHED: 2021-04-13
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a sensitive file could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privil...
CVE-2021-25253
PUBLISHED: 2021-04-13
An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to exec...
CVE-2021-28645
PUBLISHED: 2021-04-13
An incorrect permission assignment vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target ...
CVE-2021-28646
PUBLISHED: 2021-04-13
An insecure file permissions vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1 could allow a local attacker to take control of a specific log file on affected installations.
CVE-2021-28647
PUBLISHED: 2021-04-13
Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and could execute a malicious program each time a user installs a program.