The credentials appear to have been stolen from university members given access to the supercomputers to run computing jobs. The hijacked SSH logins belonged to universities in Canada, China, and Poland.
...
According to Doman's analysis, once attackers gained access to a supercomputing node, they appear to have used an exploit for the CVE-2019-15666 vulnerability to gain root access and then deployed an application that mined the Monero (XMR) cryptocurrency.
European supercomputers hacked to mine Monero
Posted on Monday, May 18 2020 @ 11:02 CEST by Thomas De Maesschalck
ZD Net reports multiple European supercomputers have been temporarily shut down after the discovery of security breaches. The report discusses security incidents in the UK, Germany, and Switzerland, as well as a possible case in Spain. It appears attackers have managed to hijack SSH logins. Once they gained access to the computing node, they exploited a Linux kernel vulnerability (CVE-2019-15666) to gain root access to deploy a Monero cryptocurrency miner: