Cyber Incident Victim: Thales

On October 25, 2017, security firm RedLock identified unauthorized access to Amazon Web Services (AWS) cloud infrastructure belonging to insurance firm Aviva and digital security company Gemalto. Attackers compromised these environments to deploy cryptocurrency mining operations targeting Bitcoin. The intrusion involved configuring compromised cloud instances as automated bots performing computational work to solve cryptographic puzzles required for Bitcoin generation, diverting company resources without data exfiltration. RedLock’s analysis confirmed the attackers’ sole objective was resource hijacking for financial gain, contrasting with typical breaches focused on stealing sensitive information like credit card details or personally identifiable data. The incident highlighted attackers’ evolving preference for monetizing computational access over traditional data theft.

Amazon, Aviva, and Gemalto were notified of the breach, though none issued public statements regarding remediation steps or operational impacts at the time of RedLock’s disclosure. The attackers’ methodology exploited cloud instances to create parasitic mining bots, consuming substantial processing power and bandwidth at the victims’ expense. This incident exemplified a growing trend of cryptocurrency-focused attacks leveraging compromised enterprise infrastructure, avoiding data theft’s legal risks while profiting from victims’ operational resources. The breach underscored cloud security challenges, particularly misconfigured or under-monitored environments enabling unauthorized access. No evidence suggested broader AWS platform compromise beyond the two affected companies’ instances. Financial impacts were limited to resource misuse costs, with no reported disruption to Aviva’s or Gemalto’s customer services or secondary breaches stemming from the incident.