No, the AWS bomb plot likely wouldn’t have shut down large parts of the internet

A potential plot to bomb a datacenter run by the world’s largest cloud infrastructure provider would likely not have resulted in a massive shutdown for large portions of the internet, despite claims to the contrary made by the would-be attacker, experts say.

Last week, the Department of Justice announced that it had arrested and charged Seth Aaron Pendley, a 28-year-old man from Wichita Falls, Texas for plotting to blow up an AWS datacenter in Virginia. Prosecutors from the U.S. Attorney’s Office for the Northern District of Texas said Pendley was arrested right after soliciting an undercover FBI informant to buy C4 explosives to carry out the plan.

According to the complaint, law enforcement first took notice of Pendley on Jan. 8 after an anonymous tipster informed them of posts on an online militia forum by a user named Dionysus, who claimed they had traveled from Wichita County, Texas to Washington D.C. two days earlier and were present Jan. 6 during the Capitol riot. Dionysus expressed disappointment that others were not prepared to bring firearms to engage in violence and wrote that they were planning another “experiment” that would put them in a “dangerous situation.” When asked by another poster what they were hoping to accomplish, Dionysus responded: “Death.”

A confidential informant passed along an email associated with the account, which the FBI used to issue a subpoena to obtain subscriber records for Dionysus’ email account and unmask Pendley’s identity.

Later in February, Pendley communicated with another informant over Signal, relaying his plans to attack Amazon Web Services data centers with explosives and sending a photo of a handwritten list of AWS data centers, including one in Virginia.

One of the reasons investigators suspected Pendley’s threats were serious is that in those same text exchanges, he wrote that he planned to paint his car from silver to black before the attack, then repaint it again afterwards to avoid being identified by law enforcement. Pendley did indeed paint his car black several days later, and made it clear his target was knocking out AWS servers and shutting down large portions of the internet, which he believed would strike a blow against corrupt government officials.

The complaint does not say which party first brought up explosives, but does say that the informant and Pendley agreed to meet later to conduct a sale of C4 explosives that could be used in the attacks, and when they did on April 8, the FBI arrested him.

“The main objective is to f--- up the Amazon servers,” Pendley is alleged to have said at one of the meetings. “There’s 24 buildings that all this data runs through in America. Three of them are right next to each other and those 24 run 70 percent of the Internet.”

The plan was ‘not credible’

While the threat and potential for destruction may have been very real, security experts say Pendley’s plan would not have achieved his objective.

An attack on AWS assets could potentially have some second and third order effects because of how much the internet depends on functioning Amazon/AWS servers. The company owns close to half of the world’s public cloud infrastructure market, according to Gartner, and any brief outage or downtime at AWS usually results in wide swaths of the internet being unavailable. AWS cloud servers are also used by many businesses to store backup data in the event their business is hit by a cyberattack or other disaster.

However, the company also takes precautions precisely to avoid the potential for one datacenter to become a single point of failure.

“Compute loads are distributed between multiple locations so that if one goes down, it would cause a reduction in total compute power, but the services would continue to be delivered even if at a reduced capacity,” said Chris Morales, chief information security officer for Netenrich, a cybersecurity and resolution intelligence company, when asked about the potential impact of bombing a single datacenter location for a large cloud infrastructure provider.

Jim Reavis, CEO of the non-profit Cloud Security Alliance, told SC Media that Pendley’s assessment of the damage to internet infrastructure from a successful attack is off-base. Tier one cloud providers like AWS are known for investing heavily in system resilience precisely to avoid cascading effects from an outage in a single location. Those practices often include things like data center redundancy, multiple network backbones within each location and other protections that prevent a localized problem from spreading too far.

Just gaining access to a data center itself is extremely difficult, Reavis said, one of the reasons observers tend to focus more on the potential for disruptive attacks in the digital arena.

“Companies owning significant datacenter infrastructure invest heavily in physical security that you would associate with other highly valuable assets, such as bank vaults and military installations,” said Reavis. “These types of scenarios are part of the typical [disaster recovery/business continuity] planning.”

While software bugs, power failures, network loss and misconfigurations have led to widespread outages of AWS-hosted sites in the past, a physical attack like the one described by Pendley would likely result in loss of life at the impacted facility and downtime for the customers that used that data center exclusively and without real-time or offline redundancy or backups.

But it wouldn’t break the internet, or anything even close to it.

“The allegation that this person claimed to have a plan to ‘kill of about (sic) 70% of the internet’ is not credible without a significant number of co-conspirators operating with a highly sophisticated and coordinated plan,” Reavis said. “A physical attack could obviously result in localized devastation and loss of life but would not result in massive Internet outages. It is also important for casual readers to understand that large datacenters are highly automated and have very few workers on site.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.