Tesla Internal Servers Infected with Cryptocurrency Miner

Hackers have breached Tesla cloud servers used by the company's engineers and have installed malware that mines the cryptocurrency.

The incident took place last year when hackers gained access to Tesla's Kubernetes server, an open-source application used by large companies to manage API and server infrastructure deployed on cloud hosting providers.

Hackers breached one of Tesla's Kubernetes consoles

Cloud security firm RedLock —whose experts discovered the hacked server— said hackers found a "pod" inside the Kubernetes console that stored login credentials for one of Tesla's AWS cloud infrastructure.

RedLock says the AWS buckets appeared to have been storing sensitive data such as telemetry, but a Tesla Motors spokesperson told Bleeping Computer in an email the data was from "internally-used engineering test cars only."

While there's no evidence intruders stole any data, they did install a mining application that utilized the vast computational resources of Tesla's AWS servers to mine the Monero cryptocurrency.

Engineers forgot to set a password for the Kubernetes console

A Tesla spokesperson told Bleeping Computer the company received a notification about the incident and secured the server immediately. RedLock said today the incident took place because Tesla engineers forgot to secure the Kubernetes console with an access password.

"We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it," Tesla said. "The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

It is very clear that these hackers knew what they were doing, as they set up a private mining pool to use for their illegal mining operations only, hid the mining pool behind CloudFlare, configured the mining software to listen for commands on a non-standard port, and throttled the mining software to use only a small portion of Tesla's AWS CPU resources. All of these configuration changes were made to avoid detection.

Because they used a custom mining pool, it is unclear how much money this hacker group made.

However, these were not the only Kubernetes consoles RedLock found exposed online last year without a password. The company said it found similar servers belonging to Aviva, a British multinational insurance company, and Gemalto, the world’s largest SIM cards manufacturer.