The recent crackdown by China on bitcoin mining has opened up new, often bizarre opportunities for entrepreneurs to become richer mining cryptocurrencies. And, not surprisingly, it has also led to several prominent instances of widespread hacking efforts to hijack computing power in order to power cryptocurrency mining efforts, also known as “cryptojacking”.
Two weeks ago, there was the curious case of Russian scientists, working at a top-secret Russian nuclear facility, getting arrested for mining crypto-currencies: the suspects had tried to use one of Russia’s most powerful supercomputers to mine Bitcoin. They were quickly caught.
“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” the Federal Nuclear Center in Sarov, western Russia, said.
Now, none other than Tesla has fallen the latest victim of such a cryptojacking effort.
In a blog post published today, cloud security firm Redlock reported it had found the attack and reported it quickly to Tesla. This is how Redlock described the hack:
“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.”
While it was not clear what telemetry data was exposed exactly, it appears that the hackers were not after the confidential Tesla information. Instead, according to Electrek, they installed a program for crypto mining from within one of Tesla’s Kubernetes pods.
Previously, Redlock had discovered other similar attacks against other large companies like Aviva and Gemalto, but the firm notes that the attack against Tesla was more sophisticated and involved several evasion techniques:
- Unlike other crypto mining incidents, the hackers did not use a well known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain based threat intelligence feeds to detect the malicious activity.
- The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging.
- Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.
- Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.
In the past, Tesla has been receptive to whitehat hackers, who have helped Tesla on several occasions by attacking its products in order to find vulnerabilities, but they always disclosed the hack to the company before making it public and never use the breach nefariously. Of course, Tesla has also been hacked by blackhats in the past: in 2015, a hacker took control of Tesla’s website and Twitter account, as well as Elon Musk’s Twitter account.
Meanwhile, the cyberintrusion is now over, and Tesla has reportedly fixed the issue. This is what Tesla told Electrek:
“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”
It is unclear how many, if any, bitcoin were mined using the collective Tesla cloud during the hack.