Security experts say all of the incidents appear to have involved attackers using SSH credentials stolen from legitimate users. Attackers used two pieces of malware, a cryptomining-malware loader called “fonts” and a log-cleaning file called “low,” both were placed in the /etc/fonts directory. The first series of attacks reported by EGI members traces to a malicious group that has been hitting HPC labs in Canada and the United States, as well as China and Europe.”]
Source: https://www.cuinfosecurity.com/supercomputer-intrusions-trace-to-cryptocurrency-miners-a-14296