[What happened in this incident?]
Hackers somehow made some BGP routers of “eNet” to falsely announce that they own the following 5 IP subnets, which are indeed NOT belonging to “eNet”. The true owner is Amazon. To be more specific, they are for Amazon’s Route 53 DNS name resolution services.
- 205.251.192.0/24
- 205.251.193.0/24
- 205.251.195.0/24
- 205.251.197.0/24
- 205.251.199.0/24
The registered domain server for domain “MyEtherWallet.com” is hosted on Amazon Route 53.
Hackers also somehow embedded malicious DNS server (or servers, I really don’t know) also inside service network of “eNet”.
After that, any affected clients’ DNS query for domain “MyEtherWallet.com” would hit hacker’s malicious DNS server. Of course, malicious DNS server would respond with false IP addresses, and those false IP addresses are indeed hacker’s own web servers.
At this moment, clients thought they were accessing “MyEtherWallet.com”, and they indeed were accessing hacker’s web servers.
