Cyber Threat Actor: RedLock CSI Team
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
RedLock CSI Team is a threatactor known by that alias and has been publicly linked to operations originating from the United States of America. The actor came to attention through a specific intrusion reported in early 2018, which remains the primary source of publicly available information about its activities. No additional aliases or geographic details have been disclosed in open sources.
In the reported incident, the actor gained initial access by exploiting a Kubernetes console that lacked password protection, thereby obtaining credentials for the victim’s Amazon Web Services environment. Once inside, the actor deployed cryptocurrency mining malware and operated custom mining servers to generate revenue from the compromised resources. To conceal the activity, the actor employed SSL encryption for traffic and routed communications through proxy services provided by Cloudflare, demonstrating an emphasis on evasion techniques. The intrusion did not involve ransomware, data exfiltration, or destructive payloads, focusing instead on resource hijacking for monetary gain.
The most notable operation attributed to RedLock CSI Team targeted Tesla’s cloud infrastructure in January 2018, where the actor accessed internal engineering data related to test vehicles while avoiding any apparent impact on customer privacy or vehicle safety. Security researchers identified the compromise through internet scans, prompting Tesla to remediate the exposure within hours and subsequently acknowledge the finding via its bug bounty program. The episode highlighted how misconfigured cloud services can be leveraged for illicit cryptocurrency mining, underscoring a recurring risk in public‑container orchestration platforms. No further campaigns or affiliations have been publicly attributed to this actor based on currently available evidence.
