Foiled Plot to Attack Amazon Reflects Changing Nature of Data Center Threats

A foiled plot to attack a data center in Virginia underscores the changing landscape for data center security. The traditional threat profile of thieves or international terrorists has expanded to include a new breed of potential attackers motivated by anti-government beliefs or even Internet conspiracies about lizard people.

Although the nature of threats may be evolving, modern data centers remain some of the best protected facilities in the world, driven by the industry’s relentless focus on physical security. Cloud data center campuses are designed with multiple layers of defenses, and monitored around the clock by on-site security teams and video cameras.

This apparently didn’t deter Seth Aaron Pendley, a 28-year-old Texas resident, who was charged with plotting to blow up an Amazon Web Services facility in Ashburn, Virginia. Pendley was arrested after allegedly attempting to obtain an explosive device from an undercover FBI employee in Fort Worth, saying he planned to attack a data center and “kill off about 70 percent of the Internet.” If convicted, Pendley faces up to 20 years in federal prison.

Pendley, who was present at the Jan. 6 attack on the U.S. Capital, intended to attack a data center and damage servers used by federal agencies and “piss off all the oligarchy,” according to a criminal complaint. Pendley had researched locations using a topographical map and created hand-drawn diagrams of plans to attack a specific campus, according to the complaint. Pendley had been under surveillance for several months due to a tip from a participant in an online forum who was alarmed by Pendley’s statements.

“We are indebted to the concerned citizen who came forward to report the defendant’s alarming online rhetoric,” said Prerak Shah, Acting U.S. Attorney for the Northern District of Texas. “In flagging his posts to the FBI, this individual may have saved the lives of a number of tech workers. We are also incredibly proud of our FBI partners, who ensured that the defendant was apprehended with an inert explosive device before he could inflict real harm.”

Heightened Security Posture

Amazon data centers have been on heightened alert since January, when AWS became the focus of online threats after suspending cloud hosting services for Parler, a conservative social network. In a January memo, AWS VP of infrastructure operations Chris Vonderhaar told staff that Amazon is continuing “to closely monitor civil unrest in the United States” and said its cloud division had made a number of changes to ensure the safety of teams and facilities, including data centers.

“We all need to be vigilant during this time to keep one another and our facilities safe,” the email said. “If you see something, say something – no situation or concern is too small or insignificant.”

Pendley’s arrest highlights the threat posed to data center staff, who have been played an essential role maintaining online services during the COVID-19 pandemic. Whether the plot could have actually damaged servers or disrupted Internet operations is another matter.

Cloud data center campuses are designed for “defense in depth” with multiple layers of physical and electronic security as well as on-site security staff. Campuses are typically protected by an extended perimeter  of fences, gates, and physical buffers.

“There are lots of risks to our data networks, but physically blowing up a data center isn’t high on the list,” security analyst Bruce Schneier noted in 2009. “Any e-commerce, banking, etc. site worth anything is backed up and dual-homed.”

Designing for Resiliency and Outages

Data centers are designed to eliminate single points of failure so services won’t be interrupted by issues affecting a single piece of equipment or even a single data center. In recent years, cloud computing has pioneered architectures that create resiliency using software and network connectivity.

That’s especially true at Amazon Web Services, which has spent billions to create a distributed network of data centers and “availability zones,” along with software tools that allow customers to replicate data so applications automatically failover to a backup site. This involves additional configuration and cost, but is readily available to security-conscious customers like those Pendley believed he was targeting.

Nonetheless, Pendley told informants that a targeted attack could “kill off 70 percent of the Internet.” This appears to be related to an inaccurate but oft-repeated claim that 70 percent of all Internet traffic runs through Northern Virginia. Although the region is home to the largest concentration of cloud data centers, that number is significantly overstated, as explained in an analysis by TeleGeography.

The Evolving Nature of Threats

In the years following the 9-11 terrorist attacks in New York, the data center industry took extensive measures to harden its defenses against attacks. In 2007, Scotland Yard said it had arrested a group of suspected Al-Qaeda members that plotted to disrupt Internet traffic in the United Kingdom by attacking the Telehouse Europe facility in London’s Docklands area.

Historically, the biggest security incidents at data centers have involved theft. Several of these robberies made headlines.

• In a daring 2007 robbery echoing an “Ocean’s 11” plot, thieves impersonating policemen stole more than $4 million in equipment from a Verizon Business data center in London. A team of three to five robbers tied up security guards and stole server equipment valued at $4 million.
• That same years, armed thieves broke into a CI Host data center in Chicago and stole server equipment. The intruders cut through an exterior wall, and assaulted an employee responding to the incident.

But the motivation of potential attackers isn’t always easy to understand or anticipate, as seen in the Christmas Day bombing in Downtown Nashville, which badly damaged a regional telecom hub, disrupting telecom services across much of the Southeast. The blast knocked out the primary power connections for an AT&T central office.

AT&T was able to restore most network services within 72 hours, demonstrating the resilience of communications infrastructure, especially given the extensive physical damage to a key network hub.

As an older telecom building in an urban center, the AT&T site was less protected than modern data center campuses operated by cloud platforms and service providers.

The Problematic Role of Conspiracies

Early speculation focused on whether the AT&T facility was the intended target of the Nashville bomber, Anthony Warner. Media reported that Warner’s late father worked at BellSouth, suggesting the possibility that Warner may have been familiar with the building or had a specific interest in the company. But the search for a motive grew muddled when it emerged that Warner embraced bizarre conspiracy theories that shape-shifting lizard people control the earth and alter humans’ DNA.

The FBI eventually found that Warner lacked a “specific personal grievance” and meant to commit suicide, “driven in part by a totality of life stressors – including paranoia, long-held individualized beliefs adopted from several eccentric conspiracy theories.”

What’s clear is that threats to digital infrastructure don’t have to be reality-based, as seen in recent warnings from law enforcement about extremists targeting 5G wireless towers and other data infrastructure, hoping “to incite fear, disrupt essential services, and cause economic damage with the United States and abroad.” The concerns are driven by groundless and unscientific conspiracy theories tying 5G to health risks and the spread of COVID-19, and have led to harassment of telecom workers in the UK and Australia.

Last week’s foiled attack has the risks to the data center industry squarely on the radar of law enforcement.

“The FBI’s highest priority is ensuring public safety and we thoroughly investigate all credible threats,” said Dallas Special Agent in Charge Matthew J. DeSarno. “We continually ask the public to report suspicious or threatening behavior to law enforcement, and in this instance, that vigilance may have prevented injuries and the destruction of property.”