by judge2020 1902 days ago
Given they were stupid enough to spin up some VMs, I doubt it was someone that knew what they had access to. A skilled attacker would stay dormant sucking up all data accessible via the AWS API (including s3 stuff) and potentially keep access to the infrastructure for years.
2 comments

This kind of analysis is basically worthless because you don’t know whether they are operating at multiple levels of deception by, e.g., making you think they are a stupid script kiddie and that you successfully wiped them out.
If they had root access to an AWS account, this is exactly what you would expect.

If there's a cyber security firm that's been hired to provide analysis, they're going to be combing through egress traffic to find anything suspicious. But egress traffic is difficult and expensive to analyse.

Worse yet, the attackers could easily just sit there and not use their attack methods for a little while, then start up their compromises in weeks or months. You couldn't be certain nothing's still there until you ripped the AWS resources out and replaced them.

There is no evidence that this did not also happen.
And if it is happening, we might hear about that in a few years' time, if it's discovered, and if it's brought to light in circumstances that are conducive to the vendor making a public disclosure (e.g. ones which are impossible to cover up).