Russian hackers intercept Amazon DNS, steal $160K in cryptocurrency

The two-hour event is the third recorded BGP hijack of Russian origin in the last 12 months.

Key takeaways:
  • Russian hackers used BGP to commandeer IP addresses belonging to the Amazon Route 53 DNS service.
  • BGP was designed decades ago, largely before malicious network activity was a design consideration.

Between 11:05 and 13:03 UTC on Tuesday, April 24th, a BGP attack intercepted traffic for Amazon Route 53, the DNS service component of Amazon Web Services (AWS). According to Oracle's Internet Intelligence group (formerly Dyn Research), the attack originated from hardware located in a facility operated by eNet (AS10297) of Columbus, OH, which announced routes claiming it could accept traffic for certain IP addresses, some of which belonged to Route 53.

From there, the attackers redirected requests for the Ethereum cryptocurrency wallet to a server in Russia. Users with DNS resolvers that incorrectly accepted the route announcement from eNet would be presented with a security warning when attempting to access that website.

If a user clicked through, they would be presented with a phishing website clone, which the attackers used to harvest wallet information—if a user was already logged in, the attackers could read the cookie to harvest an account without the user entering their account credentials. It appears that the hackers gained 215 Ether from the attack, which equates to approximately $160,000 USD.

Because of the nature of BGP, not everyone who visited the website was affected. Of the eNet peers, seemingly only Hurricane Electric accepted the announcement. CloudFlare noted in a blog post that their newly-launched free DNS resolver service partially accepted the route in "Chicago, Sydney, Melbourne, Perth, Brisbane, Cebu, Bangkok, Auckland, Muscat, Djibouti and Manilla." As CloudFlare noted, end users never accept the routes themselves; all of these changes are effectively transparent to the user.


BGP was designed decades ago, in large part before malicious network activity was a design consideration. Because of this, a well-placed attacker with sufficient network access can announce invalid routes that may, however briefly, be accepted by DNS resolvers before a discrepancy is noted, as was the case here.

The ability to do this invisibly—announcing a route for only a few hours and then retracting it—is another mode of attack speculated about in a 2013 editorial by Larry Seltzer for ZDNet. Because of the somewhat transient nature of BGP routing, there is no central authority for BGP routes.
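As an added illustration (not code from the article or from any of the networks it names), here is how a defender's route monitor can flag an announcement like the one described above: each observed route is checked against an expected-origin table, the check that RPKI route-origin validation formalises, and any peer that accepted a route from the wrong origin, or an over-long more-specific, is reported. Apart from AS10297, which the article names, every prefix and ASN below is a constructed placeholder from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Expected-origin table in the shape of RPKI ROAs: covering prefix -> (authorised origin ASN,
# longest permitted prefix length). Prefixes and ASNs are constructed placeholders from the
# RFC 5737 / RFC 5398 documentation ranges, not Amazon's real Route 53 allocations.
EXPECTED_ORIGINS: Dict[ipaddress.IPv4Network, Tuple[int, int]] = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
    ipaddress.ip_network("198.51.100.0/22"): (64500, 24),
}

@dataclass(frozen=True)
class Update:
    peer: str                  # network (route-collector peer) that accepted the announcement
    prefix: str                # announced prefix
    as_path: Tuple[int, ...]   # AS_PATH as seen by that peer; the right-most ASN is the origin

def validate_origin(update: Update) -> str:
    """Route-origin validation: 'valid', 'invalid' (hijack candidate) or 'unknown' (no ROA)."""
    net = ipaddress.ip_network(update.prefix)
    origin = update.as_path[-1]
    covering = [p for p in EXPECTED_ORIGINS if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown"
    for p in covering:
        asn, max_len = EXPECTED_ORIGINS[p]
        if origin == asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"  # wrong origin ASN, or a more-specific than the ROA permits

def find_hijacks(updates: List[Update]) -> List[Tuple[str, str, int]]:
    """Return (peer, prefix, origin ASN) for every announcement that fails validation."""
    return [(u.peer, u.prefix, u.as_path[-1]) for u in updates if validate_origin(u) == "invalid"]

# Constructed sample feed modelled on the incident: the legitimate origin, a peer that accepted
# the same prefix originating from AS10297 (the eNet ASN named in the article), a peer carrying
# an over-long more-specific, and a prefix with no ROA at all.
SAMPLE_UPDATES = [
    Update("peer-a", "203.0.113.0/24", (64496, 64500)),
    Update("peer-b", "203.0.113.0/24", (64496, 10297)),
    Update("peer-c", "198.51.100.0/25", (64497, 64500)),
    Update("peer-a", "192.0.2.0/24", (64498, 64499)),
]

if __name__ == "__main__":
    for peer, prefix, origin in find_hijacks(SAMPLE_UPDATES):
        print(f"ALERT: {peer} accepted {prefix} from origin AS{origin}")
```

In a real deployment the feed would come from a route collector or the network's own BGP sessions, and the table from published ROAs; the page's observation that only some peers accepted the bad route is exactly what the per-peer alert captures.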

Troublingly, this appears to be the third BGP hijacking attack of Russian origin in the last 12 months. On December 12, 2017, two incidents, which lasted three minutes each, affected a total of 80 prefixes normally announced by Google, Apple, Facebook, Microsoft, Twitch, NTT Communications, and Riot Games, according to BGPmon. The routes were announced by AS39523, which appears to be assigned to a "Vasilyev Ivan Ivanovich," a name that seems suspiciously like a pseudonym. Last April, Rostelecom (AS12389) improperly announced routing that hijacked traffic to major financial institutions, though BGPmon notes that this was performed in a "very visible and large scale manner," making it too conspicuous not to be accidental.

BGP has also been abused by governments in certain circumstances. In January 2017, the Iranian government attempted to enforce a ban on pornography by announcing invalid routes for hundreds of addresses, making the websites in question unavailable for a little over a day in various parts of the world. In 2013, the uncreatively-named Italian firm "Hacking Team" worked with the Italian government to regain access to a command and control server for a surveillance tool the company sells.

Even when working as designed, BGP is problematic. An incident in 2014 caused mass outages when the BGP routing table exceeded 512,000 entries. Many routers in use at the time lacked sufficient space in their specialized memory (Ternary Content Addressable Memory, or TCAM) for an IPv4 BGP routing table larger than that. According to the view from APNIC, there are presently 716,667 IPv4 BGP routes in use.

Update: An AWS spokesperson provided this statement to TechRepublic:

Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer's domain to the malicious copy of that domain.


About James Sanders

James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.
