The event, which only lasted about two hours on Tuesday, April 24, saw traffic to Amazon’s cloud web hosting servers redirected to malicious websites. Not all of the traffic, just a small slice of it, about 1,300 IP addresses, according to Oracle. The attack saw traffic to MyEtherWallet redirected a malicious version of itself, where the attackers could siphon cryptocurrency off of users who thought they were logging into their cryptocurrency wallets.
One such site, MyEtherWallet, was cloned by attackers but likely didn’t result in the kind of massive theft we’re used to seeing when cryptocurrency wallets or exchanges are attacked. According to Ars Technica, the cryptocurrency wallet into which the fake MyEtherWallet site was dumping its cryptocurrency already had about $27 million worth of cryptocurrency in it.
Details like this have led some to believe the attack could have been state-sponsored, potentially with ties to Russia.
“So far the only known website to have traffic redirected was to MyEtherWallet.com, a cryptocurrency website. This traffic was redirected to a server hosted in Russia, which served the website using a fake certificate — they also stole the cryptocoins of customers,” wrote security researcher Kevin Beaumont. “The attacks only gained a relatively small amount of currency from MyEtherWallet.com — however their wallets in total already contained over [20 million pounds] of currency. Whoever the attackers were are not poor.”
It may not have been the first time these hackers have staged such an attack either, according to Ars. There were a couple suspiciously similar attacks in 2013 when hackers hijacked internet traffic to a number of U.S. companies, routing the traffic through Russian ISPs. Affected companies included Visa, MasterCard, Apple, and Symantec. Eight months later, another set of U.S. companies saw their traffic hijacked with the same kind of exploit.
These 2013 attacks used the same “border gateway protocol” exploit as today’s attack. Beaumont elaborated that today’s attack requires access to sophisticated equipment, which leads him to believe MyEtherWallet was not likely the only target — just the one we happened to notice.
“Mounting an attack of this scale requires access to BGP routers are major ISPs and real computing resource to deal with so much DNS traffic. It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access,” Beaumont wrote. “Additionally, the attackers failed to obtain an SSL certificate while man-in-the-middle attacking the traffic — a very easy process — which alerted people to the issue at scale.”