Route 53, Amazon's cloud DNS service, had some of its traffic hijacked by a server in the U.S., which redirected that traffic to Russia, where hackers stole cryptocurrency.
Amazon Route 53 effectively connects user requests to infrastructure running in AWS.
In this case, the hijack redirected users of myetherwallet.com to an impostor phishing site in Russia, where users had credentials and cryptocurrency stolen.
MyEtherWallet offered this explanation:
"It is our understanding that a couple of Domain Name System registration servers were hijacked at 12 p.m. UTC to redirect myetherwallet[dot]com users to a phishing site.
This redirecting of DNS servers is a decade-old hacking technique that aims to undermine the Internet’s routing system. It can happen to any organization, including large banks. This is not due to a lack of security on the @myetherwallet platform. It is due to hackers finding vulnerabilities in public facing DNS servers.
A majority of the affected users were using Google DNS servers. We recommend all our users to switch to Cloudflare DNS servers in the meantime.
Affected users are likely those who have clicked the "ignore" button on an SSL warning that pops up when they visited a malicious version of the MEW website.
We are currently in the process of verifying which servers were targeted to help resolve this issue as soon as possible."
Cloudflare published an excellent blog post on the hijacking:
"During the hijack, it returned IPs associated with a Russian provider (AS48693 and AS41995). You did not need to accept the hijacked route to be a victim of the attack, just use a DNS resolver that had been poisoned.
If you were using HTTPS, the fake website would display a TLS certificate signed by an unknown authority (the domain listed in the certificate was correct but it was self-signed). The only way for this attack to work would be to continue and accept the wrong certificate. From that point on, everything you send would be encrypted but the attacker had the keys.
If you were already logged-in, your browser will send the login information in the cookie. Otherwise, your username and password would be sent if you typed them in on a login page.
Once the attacker got the login information, it used them on the legitimate website to transfer and steal Ethereum."
Cloudflare also included some charts on what happened and a list of things the ISP and others did that made this type of attack much easier to pull off than it should have been.
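Because a victim only needed to use a poisoned resolver, one defensive check is to compare what several resolvers return for the domain against the networks the site is expected to be hosted in. The following is an added example, not code from Cloudflare, MyEtherWallet or the original page; the resolver names, the addresses and the expected prefix are constructed placeholders taken from the documentation address ranges.

```python
import ipaddress

# Constructed inputs: documentation-range prefixes stand in for the real
# networks, which the page does not list.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed hosting range
SAMPLE_ANSWERS = {                                       # resolver -> A records seen
    "resolver-a": ["192.0.2.10", "192.0.2.11"],
    "resolver-b": ["203.0.113.77"],                      # fully poisoned answer
    "resolver-c": ["192.0.2.10", "203.0.113.77"],        # partially poisoned cache
    "resolver-d": [],                                    # timeout / empty answer
    "resolver-e": ["not-an-ip"],                         # malformed data
}

def classify(addresses, expected_nets):
    """Return (status, offending_addresses) for one resolver's answer set."""
    if not addresses:
        return "no-answer", []
    unexpected = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unexpected.append(addr)      # malformed data is never trusted
            continue
        if not any(ip in net for net in expected_nets):
            unexpected.append(addr)
    if not unexpected:
        return "ok", []
    status = "unexpected" if len(unexpected) == len(addresses) else "mixed"
    return status, unexpected

def audit(answers, expected_nets):
    """Map each resolver to its status and the addresses outside the allow-list."""
    return {name: classify(addrs, expected_nets) for name, addrs in answers.items()}

def suspect_resolvers(answers, expected_nets):
    """Resolvers whose answers should not be used until re-verified."""
    report = audit(answers, expected_nets)
    return sorted(n for n, (status, _) in report.items()
                  if status in ("unexpected", "mixed"))

if __name__ == "__main__":
    for name, (status, bad) in audit(SAMPLE_ANSWERS, EXPECTED_NETS).items():
        print(f"{name:12} {status:10} {', '.join(bad)}")
```

A "mixed" result is treated as suspect because a resolver can serve both cached legitimate records and poisoned ones during a hijack window.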