Hackers as Cloud Customers

How SolarWinds Hackers used AWS and Azure

Teri Radichel
Published in Cloud Security
5 min read · Feb 25, 2021


Part of my blog series on the and Data Breaches.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | SolarWinds Breach | Data Breaches | Multicloud Security | Azure Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

David Jones at Cybersecurity Dive wrote an article about Amazon declining to appear at a Senate hearing on SolarWinds. Lawmakers may want to understand Amazon’s involvement in the SolarWinds hack. I already explained the steps the attackers took in SolarWinds Hack Retrospective Part 2: What caused the breach and what does the malware do? This post adds some diagrams to show how the hackers leveraged AWS, Azure, and SolarWinds. For all the articles in this series on the SolarWinds hack, see the list of links at the bottom of this article.

The attacker was a customer of the cloud providers

Just like any other customer, the attackers signed up for accounts on AWS and Azure. They used AWS to host their command-and-control (C2) infrastructure. They used Azure to set up the DNS infrastructure that resolved the domain names used by the malware. No AWS customers would want Amazon spying on…


CEO 2nd Sight Lab | Penetration Testing & Assessments | AWS Hero | Masters of Infosec & Software Engineering | GSE 240 etc | IANS | SANS Difference Makers Award