Tesla has joined the list of victims of cryptojacking, a new but widespread type of attack in which attackers secretly use other people’s computing resources to mine cryptocurrencies. Researchers at RedLock, a company specializing in cloud security monitoring, discovered that hidden mining malware had been installed on Tesla’s infrastructure powered by Amazon Web Services.
How it happened
While analyzing open and misconfigured cloud servers, RedLock experts stumbled upon an insecure console for Kubernetes, a popular tool for managing cloud applications. The console turned out to be accessible without a password. Inside one of its subsystems, the researchers found login credentials for Tesla’s AWS cloud environment.
These credentials allowed the attackers to gain deeper access and deploy a hidden mining infrastructure based on the Stratum protocol, a popular cryptocurrency mining solution. The fraudsters carefully disguised their actions to make them harder to detect.
What did the hackers use?
To remain undetectable, the attackers:
- used their own mining server (instead of connecting to known pools that are easier to trace),
- communicated over SSL encrypted connections,
- used non-standard IP ports to hide activity from scanners,
- used proxy servers and free security certificates from Cloudflare to disguise the source of the attack.
What was at risk?
Among the compromised resources is S3 storage, which contained Tesla’s internal data. In particular, we are talking about the telemetry of test cars, mapping information and other engineering data. While the company assures that the risks to customers and vehicle safety are minimal, even such information could be extremely valuable to competitors, given Tesla’s work on autopilot and other advanced developments.
Tesla’s response and implications
As soon as RedLock notified the company of the vulnerability, Tesla acted swiftly – the server was cleaned up and shut down within a day. Company representatives confirmed the incident, stating that it only affected internal resources used for testing and did not affect customers.
RedLock received more than $3,000 for its discovery as part of the bug bounty program, and all funds were donated to charity.
Why it matters?
This case highlights how sophisticated cryptojacking attacks are becoming. Their main goal is to exploit the computing power of large companies with minimal risk of being detected. Cloud platforms like AWS are attractive because they have an inherently high level of load, so additional resource consumption can go unnoticed for a long time.
RedLock experts note that the public cloud has become a “sweet spot” for attacks, especially because of the high risk of user error and insufficient security configuration.
Cryptojacking is the new reality
Since the introduction of cryptojacking in 2017, this type of attack has evolved a lot. Hackers have learned how to hide, bypass defenses, and capitalize on even minor vulnerabilities. And while the Tesla incident is one of the most notable, even more alarming is the trend of attacks on critical infrastructure.
This is a wake-up call for companies to strengthen cloud security, properly configure access, limit the use of administrative interfaces, and conduct regular security audits. The cyber threat of mining in someone else’s cloud is no longer a rarity, but part of digital reality.