AWS: SolarWinds hackers used our elastic compute cloud

Amazon Web Services admitted Thursday that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware.

“The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud),” an AWS spokesperson told CRN Thursday. “And, in fact, the actors did use several different service providers in this manner.”

AWS has been feeling the heat since Tuesday, when multiple U.S. senators alleged the SolarWinds hackers took advantage of AWS’ cloud hosting to disguise their activities as benign network traffic. Specifically, Sen. Richard Burr, R-N.C., said the adversaries leveraged AWS cloud hosting to run programs that communicated with and controlled the poisoned code they had installed on victims’ systems.

Amazon Elastic Compute Cloud (EC2) is a web service that provides secure, resizable compute capacity in the cloud, eliminating the need for users or organizations to invest in hardware up front. Businesses can use EC2 to launch as many or as few virtual servers as they need, configure security and networking, and manage storage. Amazon launched EC2 in beta in 2006, and made it generally available in 2008.

Back in the early days of cloud computing, many predicted the cloud would be used for nefarious activities, according to the chief technology officer of a cloud solutions provider and AWS partner. For instance, the CTO said media reports from the 2010 timeframe highlighted how quickly and cheaply hackers can brute-force passwords using the cloud.

“I assume this is happening much more often than is highlighted in the news or disclosed by the public cloud providers,” the CTO told CRN. “I’m more concerned [about] if the cloud providers have sophisticated tools to detect utilization behavior patterns over their resources that represent these nefarious activities.”

The CTO suspects AWS has applied its machine learning technology to monitor the health of AWS accounts with suspicious patterns of behavior. For instance, AWS might analyze and escalate if an AWS account created less than a month ago already has usage at the upper limits of default Service Quotas for a particular resource, according to the CTO.

AWS has a responsibility to ensure its platform is being used in accordance with its terms of business and the law, but this is typically dealt with contractually by shutting down customers who are in violation, such as Parler, said Karl Robinson, director of London-based AWS managed services provider Logicata.

“It is virtually impossible for AWS to police all activity on their cloud platform at the scale they operate,” Robinson told CRN. “By giving customers access to such a broad array of services with virtually limitless configuration options, AWS enables their customers to innovate at pace, but this flexibility makes it difficult to keep tabs on what every customer is doing.”

On Wednesday, an AWS spokesperson told CRN the company doesn’t use SolarWinds’ software and hadn’t been infected with malware, mirroring what AWS global channel chief Doug Yeum had told CRN in January. AWS said Wednesday it had shared what it learned with law enforcement and had also provided detailed briefings to government officials, including Members of Congress.

Sen. Mark Warner, D-Va., said Tuesday that Amazon provided the Senate Intelligence Committee with one update, but added the committee is still expecting a “full update.” The Senate Intelligence Committee first held a closed hearing on the SolarWinds campaign Jan. 6 with the government agencies responding to the attack, according to Warner.

Several U.S. senators slammed AWS Tuesday for refusing to testify at a hearing about the SolarWinds intrusion, with multiple Republicans alluding to the possibility of subpoenaing Amazon representatives if they won’t appear of their own volition.

“We had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful,” Sen. Marco Rubio, R-Fla., said Tuesday. “Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.”

Like lawmakers, solution providers have also been critical of AWS’ lack of communication around the use of its technology in the SolarWinds attack. The CEO of a cloud solutions provider and AWS partner said the cloud computing giant needs to at least communicate about issues like these with the channel so that partners keep an eye out for their clients.

“I do wonder whether AWS has made a judgment error in not coming out to publicly defend their position in this high-profile case with such far-reaching consequences,” Logicata’s Robinson told CRN Wednesday. “That, to me, could be more damaging to AWS’ reputation in the long run than the issue of them hosting some of the infrastructure used in the attack.”

This article originally appeared at

Copyright © 2018 The Channel Company, LLC. All rights reserved.