I don't think it was #3: Amazon owns and resolves it for amazonaws.com. If you could hack that, you could do much more serious damage. I'm assuming it's #1. Bucket names are global.
1. gov.uk’s DNS server used to point charts.dft.gov.uk to something legitimate
2. Someone hacked gov.uk’s DNS server, and changed this one specific domain to CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
3. That same someone set up their porn thing at AWS in a bucket that maps to charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com
But why such a specific bucket name? Perhaps the perpetrator did it because he knows how the gov.uk DNS is maintained, but then it would be an inside job. If only the process were as tight and clean as in peppa pig land!
1. gov.uk’s DNS server used to point charts.dft.gov.uk to something legitimate 2. Someone hacked gov.uk’s DNS server, and changed this one specific domain to CNAME charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com 3. That same someone set up their porn thing at AWS in a bucket that maps to charts.dft.gov.uk.s3-website-eu-west-1.amazonaws.com