The code hosting service Code Spaces was recently forced to shut down permanently after suffering a multi-stage attack on its servers.
On June 17, 2014, Code Spaces was hit by a DDoS attack — but as the company soon found, that was just the beginning.
The unidentified attacker had also gained access to Code Spaces’ Amazon EC2 control panel, and began leaving messages asking the company to contact a Hotmail address. When Code Spaces replied, the hacker demanded payment of a ransom to resolve the DDoS attack.
Code Spaces then determined that, although its control panel had been accessed, the hacker had been unable to get any further without the company’s private keys.
The company then changed its password for the control panel, but the hacker had already created several backup logins, “and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel,” the company stated on its website.
“We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances and several machine instances,” Code Spaces stated. “In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted.”
As a result, the company announced, “Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in a irreversible position both financially and in terms of ongoing credibility.”
Ars Technica notes that Code Spaces had previously promoted its resiliency against such attacks. “Backing up data is one thing, but it is meaningless without a recovery plan … and one that is well-practiced and proven to work time and time again,” a cached version of the Code Spaces site stated. “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
Patrick Thomas, security consultant at Neohapsis, said by email that this incident should serve as a wakeup call for any company counting on cloud services.
“Offsite backups have been considered a necessary operating procedure for any sensitive data, but in the age of cloud infrastructure many organizations think that they can simply pass the buck on backups, getting their geographic distribution and redundancy ‘for free’ as part of going to the cloud,” Thomas said.
But anything that’s vulnerable to the same threats, Thomas said, doesn’t really count as an offsite backup. “Perhaps it makes more sense to start talking in terms of ‘diversified backups,’ to emphasize the broad types of threats that a backup strategy must mitigate,” he said.
As a result, Warner said, it’s crucial to ensure that your team is able to handle multiple attack vectors at the same time. “You need someone (or a team) to deal with the DDoS attack, and someone else (or another team) worries about everything else,” she said.
From a broader perspective, RedSeal Networks CIO Steve Hultquist said by email that this type of attack proves hackers are getting more brazen. “Given the complexity of the systems and networks that support an enterprise, designing for security and then continuously monitoring the infrastructure to make sure that it accurately implements the security architecture is mission critical,” he said. “As we have seen from Code Spaces, an attack can destroy a company.”