Cryptojacking only really coalesced as a class of attack about six months ago, but already the approach has evolved and matured into a ubiquitous threat. Hacks that co-opt computing power for illicit cryptocurrency mining now target a diverse array of victims, from individual consumers to massive institutions—even industrial control systems. But the latest victim isn't some faceless internet denizen or a Starbucks in Buenos Aires. It's Tesla.

Researchers at the cloud monitoring and defense firm RedLock published findings on Tuesday that some of Tesla's Amazon Web Services cloud infrastructure was running mining malware in a far-reaching and well-hidden cryptojacking campaign. The researchers disclosed the infection to Tesla last month, and the company quickly moved to decontaminate and lock down its cloud platform within a day. The carmaker's initial investigation indicates that data exposure was minimal, but the incident underscores the ways in which cryptojacking can pose a broad security threat—in addition to racking up a huge electric bill.

The Hack

RedLock discovered the intrusion while scanning the public internet for misconfigured and unsecured cloud servers, a practice that more and more defenders depend on as exposures from database misconfigurations skyrocket.

"We got alerted that this is an open server and when we investigated it further that's when we saw that it was actually running a Kubernetes, which was doing cryptomining," says Gaurav Kumar, chief technology officer of RedLock, referring to the popular open-source container orchestration system; what was exposed was its web-based administrative dashboard. "And then we found that, oh, it actually belongs to Tesla." You know, casual.

The attackers had apparently discovered that this particular Kubernetes console—the administrative dashboard for managing the cluster's applications—wasn't password protected and could therefore be accessed by anyone. From there they would have found, as the RedLock researchers did, that one of the cluster's "pods" (the groups of one or more running containers that Kubernetes schedules together) included login credentials for a broader Tesla Amazon Web Services cloud environment. This allowed them to burrow deeper, deploying scripts to establish their cryptojacking operation, which pointed the mining software at a pool over the widely used Stratum mining-pool protocol.
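The chain above gives a defender two concrete things to look for in any cluster: plaintext cloud credentials sitting in pod specs, and container command lines that talk to a mining pool. The audit below is an added example, not RedLock's or Tesla's code; the pod specs are constructed (the AKIA... value is AWS's documented placeholder key id, the pool host is an `.invalid` name), and the shape of the input is what `kubectl get pods -A -o json` or `GET /api/v1/pods` returns.

```python
import json
import re

# Constructed pod specs standing in for the .items list returned by the
# Kubernetes API. Every name, image and value here is made up for the example;
# AKIAIOSFODNN7EXAMPLE is the placeholder key id from AWS's own documentation.
SAMPLE_PODS = [
    {
        "metadata": {"name": "telemetry-ingest", "namespace": "prod"},
        "spec": {"containers": [{
            "name": "ingest",
            "image": "registry.example.invalid/ingest:1.4",
            "env": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                {"name": "AWS_SECRET_ACCESS_KEY",
                 "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
            ],
            "args": ["--bucket", "telemetry-example"],
        }]},
    },
    {
        "metadata": {"name": "kube-worker-7", "namespace": "kube-system"},
        "spec": {"containers": [{
            "name": "worker",
            "image": "registry.example.invalid/worker:latest",
            "args": ["-o", "stratum+tcp://pool.example.invalid:3333", "-u", "wallet"],
        }]},
    },
    {
        "metadata": {"name": "web", "namespace": "prod"},
        "spec": {"containers": [{
            "name": "nginx",
            "image": "nginx:1.15",
            # A value pulled from a Secret has no literal here, so it is not flagged.
            "env": [{"name": "AWS_REGION", "value": "us-west-2"},
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
        }]},
    },
]

# Long-term AWS access key ids start with AKIA, STS session keys with ASIA;
# both are 20 characters.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Env var names that conventionally carry secret material.
SECRET_ENV = re.compile(r"SECRET|PASSWORD|TOKEN|PRIVATE_KEY", re.I)
# Pool URL syntax accepted by common miners (stratum+tcp://, stratum+ssl://).
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl|tls)://[^\s\"']+", re.I)


def audit_pod(pod):
    """Return (severity, message) findings for one pod spec."""
    findings = []
    meta = pod.get("metadata", {})
    where = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    for c in pod.get("spec", {}).get("containers", []):
        cname = c.get("name", "?")
        for env in c.get("env", []):
            name = env.get("name", "")
            value = env.get("value", "")  # empty when supplied via valueFrom
            if AWS_KEY_ID.search(value):
                findings.append(("HIGH", f"{where}/{cname}: literal AWS access key id in env {name}"))
            elif value and SECRET_ENV.search(name):
                findings.append(("HIGH", f"{where}/{cname}: secret-looking env {name} set as a plain value"))
        # Miners take the pool as a command-line argument; check command and args together.
        cmdline = " ".join(c.get("command", []) + c.get("args", []))
        m = STRATUM_URL.search(cmdline)
        if m:
            findings.append(("CRITICAL", f"{where}/{cname}: connects to mining pool {m.group(0)}"))
    return findings


def audit_pods(pods):
    """Audit a list of pod objects and return all findings in order."""
    out = []
    for pod in pods:
        out.extend(audit_pod(pod))
    return out


def audit_pod_list_json(raw):
    """Audit the JSON body of `kubectl get pods -A -o json` (a PodList)."""
    return audit_pods(json.loads(raw).get("items", []))


if __name__ == "__main__":
    for severity, message in audit_pods(SAMPLE_PODS):
        print(f"[{severity}] {message}")
```

Run it against a real cluster with `kubectl get pods -A -o json | python3 audit.py` after swapping the sample list for `audit_pod_list_json(sys.stdin.read())`. The fix for the first class of finding is the one the third sample pod shows: inject credentials through `valueFrom`/`secretKeyRef` (or, better, an IAM role attached to the node or pod) so that reading the pod spec from an exposed dashboard yields no usable key.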

Who’s Affected?

RedLock says it's difficult to gauge exactly how much mining the attackers accomplished before being discovered. But they note that enterprise networks, and particularly public cloud platforms, are increasingly popular targets for cryptojackers, because they offer a huge amount of processing power in an environment where attackers can mine under the radar since CPU and electricity use is already expected to be relatively high. By riding on a corporate account as large as Tesla's, the attackers could have mined indefinitely without a noticeable impact.


Beyond the mining itself, Tesla's compromised cloud environment also contained an S3 bucket that appeared to hold sensitive proprietary data, like vehicle and mapping information and other instrument telemetry. The researchers say that they didn't investigate what information could have been exposed to the attackers, as part of their commitment to ethical hacking.

A Tesla spokesperson said in a statement that the risk was minimal: “We addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

Still, data about test cars alone could be extremely valuable coming from a company like Tesla, which works on next-generation products like driverless automation.

The RedLock researchers submitted their findings through Tesla's bug bounty program. Elon Musk's company awarded them more than $3,000 for the discovery, which RedLock donated to charity.

How Serious Is This?

This incident is just one example in an ever-growing list of high-profile cryptojacking compromises. Just last week, researchers from the security firm Check Point said that attackers made more than $3 million by mining Monero on servers running Jenkins, the popular open-source automation server used for building and deploying software. The Tesla infection is particularly noteworthy, though, because it shows not only the brazenness of cryptojackers, but also how their attacks have become more subtle and sophisticated.