Hackers made off with about $152,000 worth of Ether on Tuesday in an attack that exploited weaknesses in the internet’s infrastructure to steal users’ cryptowallet keys.
The hackers did so by exploiting a weakness in DNS servers serving MyEtherWallet, a cryptocurrency exchange. DNS is a service that connects domain names like myetherwallet.com to whatever IP address it’s hosted on.
“This is not due to a lack of security on the [MyEtherWallet] platform. It is due to hackers finding vulnerabilities in public facing DNS servers,” the company wrote in a Reddit post.
Hackers hijacked the DNS servers around noon UTC, the company said, and redirected user traffic to a replica of myetherwallet.com hosted on a Russian server. The actual exploit was through the Border Gateway Protocol (BGP), explains security researcher Kevin Beaumont. BGP is the system that actually directs traffic to a website.
MyEtherWallet noted in the Reddit post that, because users were rerouted to a phishing website, they likely clicked through a pop-up message warning them that the site they were visiting did not have a proper SSL certificate.
It’s not clear yet the root cause of the attack, but the hackers appear to have rerouted IP addresses operated by Amazon Web Services’ DNS service, known as Route 53.
DNS provider Cloudflare explained in a blog post about the incident that a BGP leak happens when a range of IP addresses is “announced” by an outside party, which could be a configuration mistake or done with malicious intent.
In Tuesday’s incident, a range of IP addresses belonging to AWS appears to have been rerouted via internet service provider eNet. It’s not clear how the fraudulent routes came to be announced by eNet.
“Neither AWS nor Amazon Route 53 were hacked or compromised,” an AWS spokesperson said in a statement. “An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
The attackers reportedly redirected traffic for about two hours. In that time, they managed to steal 215 Ether, amounting to about $152,000 at the time. The hackers had millions of dollars worth of Ether in their cryptowallets before the attack started, according to Beaumont, suggesting that they were well-resourced for an operation of this scale.
Beaumont notes that having that access, along with the ability to manage the scale of DNS traffic, requires great computing power. That suggests that the Ether trading site may not have been the only target.
“It seems unlikely MyEtherWallet.com was the only target, when they had such levels of access,” Beaumont writes.
This post has been updated with a statement from Amazon Web Services.