UK Supercomputing Service ARCHER Still Offline After Monday Attack

  /     /     /  
Publicated : 23/11/2024   Category : security


UK Supercomputing Service ARCHER Still Offline After Monday Attack


Incident comes amid US warnings about Chinese cybergroups targeting organizations involved in COVID-19-related research.



Security and IT administrators at ARCHER, the UKs national supercomputing service, are still working on restoring services more than four days after cyberattackers forced it offline.
The Monday afternoon incident came amid US accusations of agents believed to be working on behalf of the Chinese government attacking systems and networks belonging to academic, pharmaceutical, and healthcare organizations involved in COVID-19 research.
Earlier this month, the UKs National Cyber Security Centre (NCSC) had issued a similar warning about advanced persistent threat groups targeting COVID-19-related research efforts, but it stopped short of naming China as the party behind the attacks.
A statement on the ARCHER website Friday noted that staffers are working on diagnosing the attack and understanding its full scope. All existing ARCHER passwords and SSH keys for secure authentication are being changed and are no longer valid, the statement said.
When service eventually resumes, all users will be required to use two-factor authentication — comprised of a password and an SSH key with passphrase — to access it.
It is imperative that you do not reuse a previously used password or SSH key with a passphrase, ARCHER said.
ARCHER provides supercomputing services to academic researchers and industrial users who need to run large calculations and simulations such as those involved in modeling the COVID-19 outbreak. ARCHER services are available to researchers in the UK and other countries. Its core hardware comprises a Cray XC30 massively parallel supercomputer with 111,080 Intel Ivy Bridge processing cores. The original Archer service launched in Nov. 13 and is currently being transitioned over to a new 28 petaflops Cray supercomputer with 748,544 AMD cores.
ARCHER first
disclosed
the intrusion on Monday, May 11. It described the incident as involving an exploit on ARCHER login nodes and pulled the service offline. It has been investigating the incident since then. On Wednesday ARCHER said the intrusion on its systems appears to have been part of a broader campaign that had impacted systems across the academic community in the UK and across Europe. The supercomputing center is scheduled to provide its next update on the situation Monday.
Chris Morales, head of security analytics at Vectra, says the relatively extended downtime at ARCHER is likely precautionary in nature and tied to the need to reissue keys and passwords to all researchers.  
Invalidating all remote sessions and reissuing keys and passwords on a remote terminal is the equivalent of performing a reboot on a local PC, he says.
Attacks Targeting COVID-19 Research
At the moment there is no public evidence that the intrusion was targeted in nature. But it is likely tied to the broader targeting of biomedical and pharmaceutical research related to a cure for COVID-19, Morales says.
The cure for COVID might be the most valuable thing in the world right now, he says. And, unfortunately, where there is value, there is crime.”
In a
public service announcement
 this week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were investigating reports of cyber compromise and targeting at US organizations conducting research on COVID-19. They described the attacks as involving cyber actors and non-traditional collectors working on behalf of the Peoples Republic of China.
The FBI and CISA warned organizations involved in COVID-19-related research to be on the lookout for targeted cyberattacks and urged them to patch critical vulnerabilities on Internet-facing systems and software. They also urged organizations to scan Web applications for unauthorized access and signs of anomalous activity and to require multifactor authentication for access.
Terence Jackson, CISO at Thycotic, says ARCHER did not appear to use strong authentication prior to the incident. It is more important than ever for companies to enforce multifactor authentication and implement other measures to prevent credential abuse, he says.
Attackers have doubled down during the Covid-19 pandemic, and we must close easy gaps, Jackson says.
Related Content:
COVID-19: Latest Security News & Commentary
China-Based Cyber Espionage Group Targeting Orgs in 10 Countries
Cyber Theft, Humint Helped China Cut Corners on Passenger Jet
Public Exposure Does Little to Slow China-Based Thrip APT
 
 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that really  bad day in cybersecurity. Click for 
more information and to register

 
A listing of 
free products and services
 compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Last News

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
UK Supercomputing Service ARCHER Still Offline After Monday Attack