Once the Kubernetes console was compromised, the intruders were able to obtain credentials for accessing Tesla's Amazon S3 account, and the private data that was stored with the service. However, it doesn't appear that Tesla's data was the target of the hackers. Instead, they wanted to use the company's Amazon S3 resources for cryptocurrency mining.
According to RedLock, which first discovered the intrusion, the hackers installed mining pool software and used a script that connected to an unlisted destination. This made the malicious activity rather difficult to detect with standard IP/domain-based monitoring. The hackers also took the precaution of hiding the IP address of the mining pool server behind the Cloudflare CDN service. But they of course didn't stop there.
"The mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic," writes RedLock. "Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection."
Even though the hackers did their best to cover their tracks and avoid detection, RedLock's Cloud Security Intelligence (CSI) team was still able to discover the scheme and contacted Tesla. According to RedLock, Tesla was very receptive to the CSI team's findings, and the "issue was quickly rectified."
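The measures described above get past lists of known pool addresses, port-based rules and high-CPU alerts. The following added example (not RedLock's or Tesla's code; pod names, addresses and thresholds are constructed assumptions) shows a heuristic that ignores all three and instead flags a workload that holds a long-lived connection to a destination outside its expected egress while its CPU usage stays steady and non-idle.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the incident).
EXPECTED_EGRESS = {  # destinations each pod is expected to reach
    "web-7f9c": {"10.0.4.12"},
    "batch-x2k": {"10.0.4.12", "10.0.9.3"},
}
# Flow records: (pod, destination, port, duration in seconds)
FLOWS = [
    ("web-7f9c", "10.0.4.12", 5432, 40),
    ("web-7f9c", "203.0.113.50", 443, 3),         # short call, unlisted host
    ("batch-x2k", "10.0.9.3", 443, 7200),         # long-lived but expected
    ("batch-x2k", "198.51.100.77", 8443, 86000),  # long-lived and unlisted
]
# CPU utilisation per pod, in percent, one sample per interval.
CPU = {
    "web-7f9c": [2, 35, 4, 60, 3, 41, 5, 2],
    "batch-x2k": [19, 20, 21, 20, 19, 20, 21, 20],
}

MIN_DURATION = 3600  # assumed: seconds before a connection counts as long-lived
MIN_CPU = 5.0        # assumed: idle floor, percent
MAX_CV = 0.10        # assumed: ceiling on stdev/mean for "steady" CPU


def long_lived_unexpected(flows, expected, min_duration=MIN_DURATION):
    """Long-lived flows to unexpected destinations; port and IP reputation are ignored."""
    return [f for f in flows
            if f[1] not in expected.get(f[0], set()) and f[3] >= min_duration]


def flat_cpu(samples, min_cpu=MIN_CPU, max_cv=MAX_CV):
    """True for steady, non-idle CPU, however low the absolute level is."""
    if not samples:
        return False
    avg = mean(samples)
    return avg >= min_cpu and pstdev(samples) / avg <= max_cv


def suspects(flows, expected, cpu):
    """Pods showing both signals, mapped to the flows that triggered the first."""
    hits = {}
    for flow in long_lived_unexpected(flows, expected):
        if flat_cpu(cpu.get(flow[0], [])):
            hits.setdefault(flow[0], []).append(flow)
    return hits
```

On the constructed data only `batch-x2k` is reported, even though its CPU averages 20 percent and its connection uses neither a listed address nor a fixed port.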
For its part, Tesla has issued the following statement to calm the fears of customers who might think that their personal data could have been compromised:
We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.
Chances are that Tesla password-protected its Kubernetes console following this latest incident...