Skip to content
Border Gateway Protocol attack

Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency

Almost 1,300 addresses for Amazon Route 53 rerouted for two hours.

Dan Goodin | 125
Credit: Amazon
Credit: Amazon
Story text

Amazon lost control of a small number of its cloud services IP addresses for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that let them to redirect traffic to rogue destinations. By subverting Amazon's domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end users. They may have targeted other Amazon customers as well.

The incident, which started around 6 AM California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused Hurricane Electric and possibly Hurricane Electric customers and other eNet peers to send traffic over the same unauthorized routes. The 1,300 addresses belonged to Route 53, Amazon's domain name system service

In a statement, Amazon officials wrote: "Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain."

eNet officials didn't immediately respond to a request to comment.

The highly suspicious event is the latest to involve Border Gateway Protocol, the technical specification that network operators use to exchange large chunks of Internet traffic. Despite its crucial function in directing wholesale amounts of data, BGP still largely relies on the Internet-equivalent of word of mouth from participants who are presumed to be trustworthy. Organizations such as Amazon whose traffic is hijacked currently have no effective technical means to prevent such attacks.

In 2013, malicious hackers repeatedly hijacked massive chucks of Internet traffic in what was likely a test run. On two occasions last year, traffic to and from major US companies was suspiciously and intentionally routed through Russian service providers. Traffic for Visa, MasterCard, and Symantec—among others—was rerouted in the first incident in April, while Google, Facebook, Apple, and Microsoft traffic was affected in a separate BGP event about eight months later.

Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting traffic intended for Amazon's domain-name system resolvers to a server hosted in Chicago by Equinix that performed a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site.

In a statement, Equinix officials wrote: "The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers. Equinix is in the primary business of providing space, power and a secure interconnected environment for our more than 9,800 customers inside 200 data centers around the world. We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment."

The attackers managed to steal about $150,000 of currency from MyEtherWallet users, most likely because the phishing site used a fake HTTPS certificate that would have required end users to click through a browser warning. Still, Beaumont reported, the attacker wallet already contained about $17 million in digital coins, an indication the people responsible for the attack had significant resources prior to carrying out Tuesday's hack.

self-signed HTTPS certificate for myetherwallet.com

The small return, when compared to the resources and difficulty of carrying out the attack, is leading to speculation that MyEtherWallet wasn't the only target.

"Mounting an attack of this scale requires access to BGP routers are major ISPs and real computing resource [sic] to deal with so much DNS traffic," Beaumont wrote. "It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access."

Another theory is that Tuesday's hijacking was yet another test run. Whatever the cause, it's a significant development because anyone who can hijack Amazon cloud traffic has the ability to carry out all kinds of nefarious actions.

Post updated to add comment from Equinix and Amazon.

Listing image: Amazon

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
125 Comments