Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/15/2020
04:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

UK Supercomputing Service ARCHER Still Offline After Monday Attack

Incident comes amid US warnings about Chinese cybergroups targeting organizations involved in COVID-19-related research.

Security and IT administrators at ARCHER, the UK's national supercomputing service, are still working on restoring services more than four days after cyberattackers forced it offline.

The Monday afternoon incident came amid US accusations of agents believed to be working on behalf of the Chinese government attacking systems and networks belonging to academic, pharmaceutical, and healthcare organizations involved in COVID-19 research.

Earlier this month, the UK's National Cyber Security Centre (NCSC) had issued a similar warning about advanced persistent threat groups targeting COVID-19-related research efforts, but it stopped short of naming China as the party behind the attacks.

A statement on the ARCHER website Friday noted that staffers are working on diagnosing the attack and understanding its full scope. All existing ARCHER passwords and SSH keys for secure authentication are being changed and are no longer valid, the statement said.

When service eventually resumes, all users will be required to use two-factor authentication — comprised of a password and an SSH key with passphrase — to access it.

"It is imperative that you do not reuse a previously used password or SSH key with a passphrase," ARCHER said.

ARCHER provides supercomputing services to academic researchers and industrial users who need to run large calculations and simulations such as those involved in modeling the COVID-19 outbreak. ARCHER services are available to researchers in the UK and other countries. Its core hardware comprises a Cray XC30 massively parallel supercomputer with 111,080 Intel Ivy Bridge processing cores. The original Archer service launched in Nov. 13 and is currently being transitioned over to a new 28 petaflops Cray supercomputer with 748,544 AMD cores.

ARCHER first disclosed the intrusion on Monday, May 11. It described the incident as involving an exploit on ARCHER login nodes and pulled the service offline. It has been investigating the incident since then. On Wednesday ARCHER said the intrusion on its systems appears to have been part of a broader campaign that had impacted systems across the academic community in the UK and across Europe. The supercomputing center is scheduled to provide its next update on the situation Monday.

Chris Morales, head of security analytics at Vectra, says the relatively extended downtime at ARCHER is likely precautionary in nature and tied to the need to reissue keys and passwords to all researchers.  

"Invalidating all remote sessions and reissuing keys and passwords on a remote terminal is the equivalent of performing a reboot on a local PC," he says.

Attacks Targeting COVID-19 Research
At the moment there is no public evidence that the intrusion was targeted in nature. But it is likely tied to the broader targeting of biomedical and pharmaceutical research related to a cure for COVID-19, Morales says.

"The cure for COVID might be the most valuable thing in the world right now," he says. "And, unfortunately, where there is value, there is crime.”

In a public service announcement this week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were investigating reports of cyber compromise and targeting at US organizations conducting research on COVID-19. They described the attacks as involving cyber actors and "non-traditional collectors" working on behalf of the People's Republic of China.

The FBI and CISA warned organizations involved in COVID-19-related research to be on the lookout for targeted cyberattacks and urged them to patch critical vulnerabilities on Internet-facing systems and software. They also urged organizations to scan Web applications for unauthorized access and signs of anomalous activity and to require multifactor authentication for access.

Terence Jackson, CISO at Thycotic, says ARCHER did not appear to use strong authentication prior to the incident. It is more important than ever for companies to enforce multifactor authentication and implement other measures to prevent credential abuse, he says.

"Attackers have doubled down during the Covid-19 pandemic, and we must close easy gaps," Jackson says.

Related Content:

 

 

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gygeegin
50%
50%
gygeegin,
User Rank: Apprentice
5/17/2020 | 9:47:23 PM
thank you!
Thank you for sharing a good information.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.