AWS: SolarWinds Hackers Used Our Elastic Compute Cloud

‘The actors used EC2 just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner,’ AWS tells CRN.

Amazon Web Services admitted Thursday that hackers used its systems in the SolarWinds campaign but reiterated the cloud computing giant wasn’t itself infected with malware.

“The actors used EC2 [Amazon Elastic Compute Cloud] just like they would use any server they could buy or use anywhere (on-premises or in the cloud),” an AWS spokesperson told CRN Thursday. “And, in fact, the actors did use several different service providers in this manner.”

AWS has been feeling the heat since Tuesday, when multiple U.S. senators alleged the SolarWinds hackers took advantage of AWS’ cloud hosting to disguise their activities as benign network traffic. Specifically, Sen. Richard Burr, R-N.C., said the adversaries leveraged AWS cloud hosting to run programs that communicated with and controlled the poisoned code they had installed on victims’ systems.

Amazon Elastic Compute Cloud (EC2) is a web service that provides secure, resizable compute capacity in the cloud, eliminating the need for users or organizations to invest in hardware up front. Businesses can use EC2 to launch as many or as few virtual servers as they need, configure security and networking, and manage storage. Amazon launched EC2 in beta in 2006, and made it generally available in 2008.

Back in the early days of cloud computing, many predicted the cloud would be used for nefarious activities, according to the chief technology officer of a cloud solutions provider and AWS partner. For instance, the CTO said media reports from the 2010 timeframe highlighted how quickly and cheaply hackers can brute-force passwords using the cloud.

“I assume this is happening much more often than is highlighted in the news or disclosed by the public cloud providers,” the CTO told CRN. “I’m more concerned [about] if the cloud providers have sophisticated tools to detect utilization behavior patterns over their resources that represent these nefarious activities.”

The CTO suspects AWS has applied its machine learning technology to monitor the health of AWS accounts with suspicious patterns of behavior. For instance, AWS might analyze and escalate if an AWS account created less than a month ago already has usage at the upper limits of default Service Quotas for a particular resource, according to the CTO.

AWS has a responsibility to ensure its platform is being used in accordance with its terms of business and the law, but this is typically dealt with contractually by shutting down customers who are in violation, such as Parler, said Karl Robinson, director of London-based AWS managed services provider Logicata. But cloud service providers also need to put a certain degree of trust in their customers in that regard, he said.

“It’s easy for them to take action as a result of a complaint or an intervention from the authorities, but it’s almost impossible for them to proactively detect and prevent every type of nefarious activity,” Robinson told CRN on Thursday. “I agree with AWS that they cannot police all workloads in every EC2 instance -- this would be virtually impossible and also an infringement on customer privacy. When adhering to best practice, most customers will be encrypting data at rest and in transit, meaning no one -- including AWS themselves -- can see data on the storage partitions or being transmitted and received by the instances. This is essential for customers dealing with sensitive data and strict compliance standards.”

On Wednesday, an AWS spokesperson told CRN the company doesn’t use SolarWinds’ software and hadn’t been infected with malware, mirroring what AWS global channel chief Doug Yeum had told CRN in January. AWS said Wednesday it had shared what it learned with law enforcement and had also provided detailed briefings to government officials, including Members of Congress.

Sen. Mark Warner, D-Va., said Tuesday that Amazon provided the Senate Intelligence Committee with one update, but added the committee is still expecting a “full update.” The Senate Intelligence Committee first held a closed hearing on the SolarWinds campaign Jan. 6 with the government agencies responding to the attack, according to Warner.

Several U.S. senators slammed AWS Tuesday for refusing to testify at a hearing about the SolarWinds intrusion, with multiple Republicans alluding to the possibility of subpoenaing Amazon representatives if they won’t appear of their own volition.

“We had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful,” Sen. Marco Rubio, R-Fla., said Tuesday. “Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.”

Like lawmakers, solution providers have also been critical of AWS’ lack of communication around the use of its technology in the SolarWinds attack. The CEO of a cloud solutions provider and AWS partner said the cloud computing giant needs to at least communicate about issues like these with the channel so that partners keep an eye out for their clients.

“I do wonder whether AWS has made a judgment error in not coming out to publicly defend their position in this high-profile case with such far reaching consequences,” Logicata’s Robinson told CRN Wednesday. “That, to me, could be more damaging to AWS’ reputation in the long run than the issue of them hosting some of the infrastructure used in the attack.”