Cyber Incident Victim: Aviva
Date: Oct 2017
Location: United Kingdom
Summary
Hackers compromised infrastructure hosted on Amazon Web Services belonging to Aviva and Gemalto, exploiting their cloud resources to mine Bitcoin cryptocurrency. The attackers repurposed servers into parasitic bots for unauthorized crypto-mining operations, prioritizing computational resource abuse over data theft. Security researchers highlighted the incident's deviation from typical motives like stealing sensitive information, emphasizing the financial gain objective through victim infrastructure exploitation. The affected companies and Amazon were notified, though no public statements were issued initially. This breach exemplified a growing trend of attackers targeting organizational resources for cryptocurrency generation rather than traditional data exfiltration.
Description
On or around October 25, 2017, security researchers at RedLock identified a breach impacting two companies utilizing Amazon Web Services (AWS): Aviva and Gemalto. Attackers compromised the AWS infrastructure of both organizations, deploying unauthorized cryptocurrency mining operations focused on Bitcoin generation. The intrusion exploited computational resources within the cloud environment, repurposing servers into bots dedicated to solving the complex mathematical problems required for cryptocurrency creation. RedLock’s analysis confirmed the attackers’ primary objective was resource hijacking for financial gain through cryptocurrency mining, with no evidence of data exfiltration targeting sensitive information such as social security numbers, credit card details, passwords, or emails. This deviation from conventional data theft motives highlighted a shift toward monetizing compromised infrastructure directly. The compromised AWS instances operated continuously as parasitic nodes within the attackers’ mining network, consuming significant computational power and bandwidth at the victims’ expense. Amazon, Aviva, and Gemalto were notified of the breach by RedLock following its discovery.

The incident underscored the growing trend of attackers prioritizing resource exploitation over traditional data theft, leveraging victims’ infrastructure to avoid the costs associated with acquiring or maintaining specialized mining hardware. Impacts on Aviva and Gemalto included unauthorized consumption of cloud resources, potentially affecting operational performance and incurring financial costs tied to AWS usage. No public statements or detailed remediation actions were disclosed by Amazon, Aviva, or Gemalto at the time of RedLock’s report. The absence of confirmed containment measures or forensic findings beyond RedLock’s initial assessment left the full scope of the intrusion—including initial attack vectors, duration of compromise, and total resource misuse—unverified by the affected organizations. Consequences centered on operational disruption and loss of computational capacity, with broader implications for cloud security practices as attackers increasingly targeted cloud environments for cryptocurrency mining.
