The rerouting of user traffic to Myetherwallet which led to $150,000 of cryptocurrency being taken from customer wallets may not have been the most significant hack in crypto terms but it certainly is notable for its meticulous execution.
The hackers for a period took over the connection to the Domain Name System (DNS) servers of Amazon Web Services which hosts the Myetherwallet website. They did this by hacking into the backbone of the internet - the Border Gateway Protocol (BGP) which is designed to exchange routing information across the internet. The hackers then redirected the traffic going to the Amazon DNS to their own servers, based in Russia, where they posed with a fake version of the Myetherwallet website.
In simple terms, internet traffic destined for the Ethereum website was tricked into going to a fake version of the site for two hours. People would have logged into the fake version allowing the hackers to obtain access to wallets and drain them of digital currency.
A two-pronged attack
Although it sounds like either Amazon Web Services (AWS) or Myetherwallet - or both - was hacked, technically neither of them were. An Amazon spokesperson said in a press statement, “neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was paired.”
This attack will be of high interest to those involved in cybersecurity. While DNS re-routing has been a common attack used for years and BGP is a well-known fundamental weak spot in the internet infrastructure it is quite uncommon to see both tactics employed in the same attack and it underscores the fragility of internet security.
Patrick Blampied, an information security manager, agrees that neither Amazon nor Myetherwallet was at fault. “This was not as a result of a flaw or vulnerability within Ethereum or AWS,” he said. “Amazon’s DNS servers would have had no idea that the paths coming from the BGP routers were re-routed.”
Companies subscribe to AWS for DNS services. DNS records include an IP address that matches a website url. “Just like a phone contact has a phone number and a person's name. In the cell phone example it’s like hacking the cell tower and rerouting the phone call to another phone. Same phone number but routed elsewhere.”
Blampied said, in using the cell phone example to think of BGP routers like a cell tower: “These routers are the backbone of the internet and often sit within ISPs [internet service providers] or core network data centers. They all update each other in a domino effect automatically with records of where other routers are, so to manage sending traffic on a path via A to B.”
On top of the estimated $150,000 in ether that was stolen, The Verge reported that the hacker's wallet was also funded with about $17 million.
“This is a very interesting hack to me as it was very well planned and architected. It's more to do with the use of very old technology in the BGP protocol that has been used for years to run the internet. This was well-funded and supported as the resources needed to re-route traffic is not insignificant - it was very likely Russia-state sanctioned. North Korea is trying this approach."
Russia has been known to do this before and routed traffic from an ISP destined for Mexico via Belarus.
Myetherwallet is so far the only entity to report stolen funds but considering the control the hackers had of the ISP server for those hours and the scale of the operation it wouldn’t be surprising if more instances come to light.