Hackers breached South Africa's top supercomputer and used it to mine crypto

Luis


The CSIR’s Centre for High Performance Computing (CHPC) has notified users of a serious security breach on its Lengau compute cluster, with user credentials and private keys likely compromised.

Emails sent to CHPC users stated that the Lengau high-performance computing (HPC) cluster was taken offline after threat actors gained access and infected it with crypto mining malware.
 
NiceHash’s profitability calculator indicated that although the 9 GPU nodes would only earn a modest R51 per day, the 1,368 compute cores could generate thousands of rands in Monero (XMR) per day.

So they couldn't even have gotten a pair of Salomons out of it.
 
This is the second time in a week that Lengau was hacked. Users first noticed problems on 25 May 2026, when there were performance issues across the cluster.

“An immediate shutdown of the nodes was performed, and all nodes were re-imaged to their original state before releasing to users again,” the CHPC told users two days after the incident.

“The CHPC is investigating the cause of the suspected compromise and will report further on this once more information is confirmed.”

However, another attack on Saturday, 30 May, forced the CHPC to take the supercomputer offline again. It initially estimated that it would take up to two days to investigate the breach.
Probably just imaged it back to before the hackers gained access through the backdoor, and they just did the same thing again.
 
Probably just imaged it back to before the hackers gained access through the backdoor, and they just did the same thing again.
Ja, they should have taken those images, bought a new computer and restored them to the new one.

Oh wait, that was another department. Let me STFU.

At least they reported the POPIA issue. So all good, tick box exercise done.

😔
 
Can't help but think that incompetence and taking the easy cheaper route play a big part in these breaches
 
Curious to know whether the nodes have direct internet access (inbound or outbound), or whether it is all routed through a control plane. If the latter, it would significantly reduce the scale of an investigation, but I could imagine that there might be a need for high-speed data access from partner sites direct to the nodes.
 
CHPC was just one of hundreds globally that was compromised.

A scientist's SSH key was compromised and then it drifted between institutions, which was just one of the cases. Since all of our HPCs run older versions of Ubuntu like Ubuntu 22 LTS, it is still susceptible to a large number of CVEs that nobody is willing to patch. There were also a crazy amount of 0-days and exploitable CVEs the last couple of weeks being pushed into the public.

There were also packages exploited on the scientist's jumpbox, with the existing applications being removed and replaced with the same software but with actively exploitable versions.

Remember also institutions have like 100 Gbps - 10 Tbps internet breakout; half of the country's bandwidth runs through them. What do you think a firewall of this magnitude will cost? More than the HPC itself, hence pretty much all of them run without firewalls.
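The replaced-package scenario in the post above (the existing binaries removed and swapped for older, exploitable builds) is what a file-integrity baseline is for. The following is an added example, not code from the CHPC or from the poster: it hashes every file under a directory tree at image time, and a later run reports anything modified, added or removed, including a mode change such as a setuid bit appearing on an untouched binary. The directory tree, file contents and names in the demo are constructed stand-ins, not real binaries.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its hash and mode.
    Mode is recorded too: a setuid bit on a previously plain binary is a finding
    even when the bytes are unchanged."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Added / removed / modified relative paths between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        # Placeholder contents stand in for real ELF binaries (constructed data).
        (root / "bin" / "ssh").write_bytes(b"placeholder ssh build 9")
        (root / "bin" / "scp").write_bytes(b"placeholder scp build 9")
        saved = json.dumps(build_baseline(root))  # in practice: stored read-only, off the host

        # Simulate the attack described in the thread: the ssh client replaced
        # with an older build, a new binary dropped, and scp made setuid.
        (root / "bin" / "ssh").write_bytes(b"placeholder ssh build 7")
        (root / "bin" / "miner").write_bytes(b"placeholder miner")
        os.chmod(root / "bin" / "scp", 0o4755)

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline has to live somewhere the attacker cannot rewrite (off-host or on read-only media), and the check has to run from a trusted binary; a comparison tool that itself ships in the tampered package proves nothing. Re-imaging nodes "to their original state" restores the files but not the baseline, so a fresh baseline should be taken from the clean image before nodes are released.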
Great insight, thanks!

Feels like a firewall is not required, just a simple packet filter on the existing router would do, but still, applying that to Tbps of traffic would probably significantly increase the load on the router. And of course, if the SSH key for a legit user is compromised, all bets are off anyway.
 
Curious to know whether the nodes have direct internet access (inbound or outbound), or whether it is all routed through a control plane. If the latter, it would significantly reduce the scale of an investigation, but I could imagine that there might be a need for high-speed data access from partner sites direct to the nodes.
They don't. One or two nodes do. One is definitely "open", the other is direct to DIRISA.
 
CHPC was just one of hundreds globally that was compromised.

A scientist's SSH key was compromised and then it drifted between institutions, which was just one of the cases. Since all of our HPCs run older versions of Ubuntu like Ubuntu 22 LTS, it is still susceptible to a large number of CVEs that nobody is willing to patch. There were also a crazy amount of 0-days and exploitable CVEs the last couple of weeks being pushed into the public.

There were also packages exploited on the scientist's jumpbox, with the existing applications being removed and replaced with the same software but with actively exploitable versions.

Remember also institutions have like 100 Gbps - 10 Tbps internet breakout; half of the country's bandwidth runs through them. What do you think a firewall of this magnitude will cost? More than the HPC itself, hence pretty much all of them run without firewalls.
You know the CHPC was running Ubuntu? Thought it was CentOS.
What can be done better re. using SSH keys? The knowledge and technical ability of users vary widely.
 
They did not even do the simplest security upgrade of adding an IP filter to the interfaces, and make a whitelist of allowed IP addresses, and get a lot better security for free. But no, had to leave it wide open, because one user could not figure out what their IP address is despite being given clear step by step instructions.
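The "packet filter on the existing router" suggestion earlier in the thread and the IP whitelist in the post above are the same control: only allowlisted source prefixes may reach the SSH port of the login nodes. The following is an added example, not anything the CHPC runs: it validates an allowlist of prefixes, emits the matching nftables fragment for the login node itself (the host-level version of the router filter), and emits an sshd `AllowUsers` line as a second layer inside sshd. The prefixes are constructed (RFC 5737 documentation ranges standing in for campus and partner networks, and an assumed 10.8.0.0/16 institutional VPN pool so that the user who cannot pin a home IP comes in through the VPN rather than forcing the port open for everyone).

```python
import ipaddress

# Constructed allowlist for the demo; names and prefixes are assumptions.
ALLOWLIST = {
    "campus":  "192.0.2.0/24",
    "partner": "198.51.100.0/24",
    "vpn":     "10.8.0.0/16",   # users without a fixed address connect via the VPN
}


def parse_allowlist(entries):
    """Validate each entry. strict=True rejects host bits (a typo such as
    192.0.2.5/24); very short prefixes are refused because 0.0.0.0/0 in an
    allowlist silently re-opens the port."""
    nets = []
    for name, cidr in entries.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"{name}: IPv6 entries need a separate ipv6_addr set")
        if net.prefixlen < 8:
            raise ValueError(f"{name}: {cidr} is too broad for an allowlist")
        nets.append(net)
    return nets


def is_allowed(ip, nets):
    """The decision the filter makes for one source address."""
    return any(ipaddress.ip_address(ip) in n for n in nets)


def nft_ruleset(nets, port=22):
    """nftables fragment: established flows pass, SSH from the set is accepted,
    any other SSH is dropped. Rules are evaluated in order, so the drop must
    follow the accept. Splice into the host's existing ruleset."""
    elems = ", ".join(str(n) for n in nets)
    return f"""table inet filter {{
    set ssh_allow {{
        type ipv4_addr
        flags interval
        elements = {{ {elems} }}
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport {port} ip saddr @ssh_allow accept
        tcp dport {port} drop
    }}
}}
"""


def sshd_allowusers(nets):
    """Second layer inside sshd_config: user@CIDR patterns, so a rule lost at
    the network layer still leaves sshd refusing other sources."""
    return "AllowUsers " + " ".join(f"*@{n}" for n in nets)


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWLIST)
    print(nft_ruleset(nets))
    print(sshd_allowusers(nets))
    for probe in ("192.0.2.17", "10.8.4.2", "203.0.113.5"):
        print(probe, "allowed" if is_allowed(probe, nets) else "dropped")
```

The per-node filter only sees SSH traffic to the login nodes, so it does not sit in the Tbps data path the thread worries about; bulk transfers to partner sites can stay on their own interfaces. It also does nothing against a compromised key used from an allowed prefix, which is the point the reply above makes.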
 
They did not even do the simplest security upgrade of adding an IP filter to the interfaces, and make a whitelist of allowed IP addresses, and get a lot better security for free. But no, had to leave it wide open, because one user could not figure out what their IP address is despite being given clear step by step instructions.
This sounds oddly specific. Care to elaborate?
 
CHPC was just one of hundreds globally that was compromised.

A scientist's SSH key was compromised and then it drifted between institutions, which was just one of the cases. Since all of our HPCs run older versions of Ubuntu like Ubuntu 22 LTS, it is still susceptible to a large number of CVEs that nobody is willing to patch. There were also a crazy amount of 0-days and exploitable CVEs the last couple of weeks being pushed into the public.

There were also packages exploited on the scientist's jumpbox, with the existing applications being removed and replaced with the same software but with actively exploitable versions.

Remember also institutions have like 100 Gbps - 10 Tbps internet breakout; half of the country's bandwidth runs through them. What do you think a firewall of this magnitude will cost? More than the HPC itself, hence pretty much all of them run without firewalls.
An SSH key being compromised and CVEs have nothing to do with each other.

You can have the single most up to date, stripped down OS imaginable with fully up to date software and it won't matter squat to a compromised key.

This is just shoddy security management. Just rotating the keys would have stopped it.
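Rotating keys, as the reply above says, only works if the operator knows which keys are installed, and the earlier question of what can be done better with SSH keys when users' skills vary is mostly answered on the server side. The following is an added example, not CHPC code or anything from the thread: it audits an `authorized_keys` file, computes each key's SHA256 fingerprint the way `ssh-keygen -lf` reports it (SHA-256 of the decoded key blob, base64 without padding), and flags keys that are not in the operator's inventory (the "drifted" key), keys with no `from=` source restriction, DSA keys, and RSA keys below a policy size. The sample keys are constructed: the blobs use the real wire layout (length-prefixed type string, then the key fields) but zero-filled content, so they are not usable keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _read_strings(blob):
    """Split a key blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out


def fingerprint(blob):
    """SHA256:... as printed by ssh-keygen -lf."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fake_blob(ktype, rsa_bits=None):
    """Constructed stand-in for a public key blob (demo only, not a real key)."""
    body = _ssh_string(ktype.encode())
    if ktype == "ssh-rsa":
        body += _ssh_string(b"\x01\x00\x01")                                 # e = 65537
        body += _ssh_string(b"\x00\x80" + b"\x00" * (rsa_bits // 8 - 1))    # n of rsa_bits
    else:
        body += _ssh_string(b"\x00" * 32)
    return base64.b64encode(body).decode()


def split_line(line):
    """(options, keytype, base64 blob, comment). Options may hold quoted spaces,
    e.g. command="rsync --server", so the split must respect quotes."""
    line, opts = line.strip(), ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        in_q = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_q = not in_q
            elif ch.isspace() and not in_q:
                opts, line = line[:i], line[i:].strip()
                break
    parts = line.split(None, 2)
    return opts, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def option_names(opts):
    """Option names from the options field, splitting on commas outside quotes."""
    names, cur, in_q = [], "", False
    for ch in opts:
        if ch == '"':
            in_q = not in_q
        if ch == "," and not in_q:
            names.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        names.append(cur)
    return [n.split("=", 1)[0].strip() for n in names]


def audit(authorized_keys_text, known_fingerprints, min_rsa_bits=3072):
    """One record per key line with the list of policy findings (empty = clean)."""
    report = []
    for line in authorized_keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, ktype, b64, comment = split_line(line)
        blob = base64.b64decode(b64)
        fields = _read_strings(blob)
        fp = fingerprint(blob)
        findings = []
        if fields[0].decode(errors="replace") != ktype:
            findings.append("key type in blob does not match declared type")
        if ktype == "ssh-dss":
            findings.append("ssh-dss is disabled by default in current OpenSSH; replace it")
        if ktype == "ssh-rsa":
            bits = int.from_bytes(fields[2], "big").bit_length()
            if bits < min_rsa_bits:
                findings.append(f"ssh-rsa {bits} bits is below the {min_rsa_bits}-bit policy; rotate")
        if "from" not in option_names(opts):
            findings.append("no from= source restriction; key is usable from anywhere")
        if fp not in known_fingerprints:
            findings.append("not in inventory: unknown key, possible drift from another site")
        report.append({"fingerprint": fp, "type": ktype, "comment": comment, "findings": findings})
    return report


# Constructed sample file: a clean restricted key, an old unrestricted RSA key,
# and a DSA key that was never recorded in the inventory.
SAMPLE_KEYS = "\n".join([
    f'from="192.0.2.0/24",restrict ssh-ed25519 {fake_blob("ssh-ed25519")} alice@campus',
    f'ssh-rsa {fake_blob("ssh-rsa", 2048)} bob@laptop',
    f'ssh-dss {fake_blob("ssh-dss")} visitor@partner',
])
KNOWN = {fingerprint(base64.b64decode(fake_blob("ssh-ed25519"))),
         fingerprint(base64.b64decode(fake_blob("ssh-rsa", 2048)))}

if __name__ == "__main__":
    for rec in audit(SAMPLE_KEYS, KNOWN):
        print(rec["fingerprint"], rec["comment"], rec["findings"] or "ok")
```

Run against every `~/.ssh/authorized_keys` on the login nodes, the inventory of fingerprints becomes the thing that is rotated: a key that appears without a matching inventory entry is the one that "drifted between institutions", and a `from=` restriction ties even a leaked key to the allowlisted prefixes. Short-lived certificates from an SSH CA remove the rotation problem from the users entirely, but that is a larger change than this check.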
 