U.S. Senators: AWS Infrastructure Used In SolarWinds Attack
‘The operation we’ll be discussing today uses [Amazon’s] infrastructure, [and], at least in part, required it to be successful. Apparently they were too busy to discuss that here with us today,’ says Sen. Marco Rubio, R-Fla.
Senators slammed Amazon Web Services for refusing to testify at a hearing about the SolarWinds intrusion given the public cloud giant’s infrastructure was used in the attack.
“We had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful,” Sen. Marco Rubio, R-Fla., said during a Senate Intelligence Committee hearing Tuesday. “Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.”
Specifically, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack, said Sen. Richard Burr, R-N.C. And all of AWS’s infrastructure was inside the United States, Burr said. This is one of the first times AWS’s role in the SolarWinds attack has been publicly discussed, with much of the scrutiny to date focused on top AWS cloud computing rival Microsoft.
[Related: U.S. Plans Russian Sanctions For SolarWinds Breach: Report]
“There may be other brand-name players that may have been penetrated that have not been as forthcoming and are leaving policymakers and potentially customers in the dark,” Sen. Mark Warner, D-Va., said during the hearing. AWS didn’t respond to multiple requests for comment from CRN.
The repeated references to AWS during the hearing came as a surprise since the U.S. Cybersecurity and Infrastructure Security Agency said Jan. 29 it isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal. The SolarWinds hackers launched their attacks from inside the United States, officials said last week.
“When a large enterprise like Amazon is invited, they ought to be participating,” Warner said during the hearing. “There are other brand-name, known IT and software and cloud services [vendors] that may have been vulnerable to this kind of incident as well. And their public and active participation we‘re going to get, we’re going to make sure that takes place.”
Warner said Amazon has provided the Senate Intelligence Committee with one update, but said the committee is still expecting a “full update.” It would be most helpful if Amazon “actually attended these hearings” in the future, Warner said. The Senate Intelligence Committee initially held a closed hearing on the SolarWinds campaign Jan. 6 with the government agencies responding to the attack, he said.
“I share the concern that has been expressed at Amazon Web Services declining to participate,” Sen. John Cornyn, R-Texas, said during the hearing. “I think that‘s a big mistake; it denies us a more complete picture than we might otherwise have, and I hope they will reconsider and cooperate with the committee going forward.”
Multiple Republican senators alluded to the possibility of subpoenaing Amazon representatives if they won’t appear before the Senate Intelligence Committee on their own volition. Sen. Ben Sasse, R-Neb., said the Intelligence Committee should “pursue whatever is necessary” to get Amazon to appear, adding that the company will “hopefully” show up voluntarily in the future.
“I think they have an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” Sen. Susan Collins, R-Me., said during the hearing. “If they don’t, I think we should look at next steps.”
Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech Enterprise, No. 96 on the 2020 CRN Solution Provider 500, called AWS’ refusal to directly address how its infrastructure was used in the SolarWinds attack a “slap in the face” to the company’s partners and customers.
“With all of the security challenges we face as an industry now is the time -more than ever - for AWS to show up and speak about how they can prevent this from ever happening again on their watch,” said Venero.
The fact that the the cybercriminals relied in part on AWS infrastructure to launch the attack is more evidence that a hybrid cloud architecture is the most secure for customers, said Venero.
“This just goes to prove yet again that a 100 percent public cloud strategy is not the right answer for customers,” he said. “The threat vector is much smaller with hybrid cloud. We tell our customers that they need a multithreaded hybrid cloud environment to protect themselves from security threats.”
Venero said he sees AWS’ refusal to show up at the hearing as a sign that the company thinks it is too big to have to answer questions on the SolarWinds breach. “They owe it to their customers and partners to be there and answer the questions,” he said.
With contributions from CRN Executive Editor, News Steven Burke.