Connect with us

Hi, what are you looking for?


Cloud Security

AWS Using MadPot Decoy System to Disrupt APTs, Botnets

AWS says an internal threat intel decoy system called MadPot has successfully trapped nation state-backed APTs like Volt Typhoon and Sandworm.

AWS MadPot honeypot

Cloud computing giant AWS says an internal threat intel decoy system called MadPot has been used successfully to trap malicious activity, including nation state-backed APTs like Volt Typhoon and Sandworm.

MadPot, the brainchild of AWS software engineer Nima Sharifi Mehr, is described as “a sophisticated system of monitoring sensors and automated response capabilities” that entraps malicious actors, watches their movements, and generates protection data for multiple AWS security products.

AWS said the honeypot system is designed to look like a huge number of plausible innocent targets to pinpoint and stop DDoS botnets and proactively block high-end threat actors like Sandworm from compromising AWS customers.

In a note describing MadPot, AWS said the sensors keep watch on more than 100 million potential threat interactions and probes every day around the world, with approximately 500,000 of those observed activities advancing to the point where they can be classified as malicious. 

“That enormous amount of threat intelligence data is ingested, correlated, and analyzed to deliver actionable insights about potentially harmful activity happening across the internet. The response capabilities automatically protect the AWS network from identified threats, and generate outbound communications to other companies whose infrastructure is being used for malicious activities,” the company said.

In the case of Sandworm, AWS said the honeypot caught the actor attempting to exploit a security vulnerability affecting WatchGuard network security appliances. “With close investigation of the payload, we identified not only IP addresses but also other unique attributes associated with the Sandworm threat that were involved in an attempted compromise of an AWS customer,” it added.

“MadPot’s unique ability to mimic a variety of services and engage in high levels of interaction helped us capture additional details about Sandworm campaigns, such as services that the actor was targeting and post-exploitation commands initiated by that actor. Using this intelligence, we notified the customer, who promptly acted to mitigate the vulnerability,” AWS said. 

In another high-profile case, AWS said the MadPot system was used to help government and law enforcement authorities to identify and disrupt Volt Typhoon, a Chinese state-backed hacking group caught siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.

Advertisement. Scroll to continue reading.

“Through our investigation inside MadPot, we identified a payload submitted by the threat actor that contained a unique signature, which allowed identification and attribution of activities by Volt Typhoon that would otherwise appear to be unrelated,” AWS explained.

The company said MadPot’s data and findings is used to beef up the quality of its security tooling that include AWS WAF, AWS Shield, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall, and detective and reactive services like Amazon GuardDuty, AWS Security Hub, and Amazon Inspector.

Related: Chinese APT Caught Hiding in Cisco Router Firmware

Related: Chinese .Gov Hackers Targeting US Critical Infrastructure

Related: Russian APT Caught Infecgting Ukrainian Military Android Devices

Related: New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.