ProtonMail: encrypted email provider held ransom by hackers

ProtonMail: encrypted email provider held ransom by hackers
UK Guardian Sam Thielman in New York

ProtonMail, a Switzerland-based encrypted email provider, was forced offline on Thursday after hackers held the company’s internet connection for ransom by using a distributed denial of service (DDoS) attack.

“ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state sponsored actors,” the company said. “It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us.”

-

 

They say the infrastructure necessary to resist the kind of sophisticated attack that took down their entire ISP just to get at Protonmail costs about $100K/year. They're asking for donations: https://www.gofundme.com/protonmaildefense

I hope they're able to survive this.

 

Under DDOS again from this morning (Swiss time).

 

I just saw that someone id DDOSing VFEmail today. Their regular url is down. Check instead: https://nl101.vfemail.net/

Is this the beginning of a deliberate campaign against private email services?

 

DDoS ransoming is the latest thing, I've heard

 

Don't know if it's related -- or just my system, but haven't been able to log into Tutanota either.

 

I''m not having trouble with Tutanota. But I just saw that Neomailbox and Runbox are both being DDOSed. So it does really seem like a coordinated attack on private email services.

 

After just seeing your note, I tried again and was able to get in -- so must have just been on my end.

 

I started a new thread since what' s happening in the last couple days is clearly larger than just Protonmail.

https://www.wilderssecurity.com/threads/multiple-private-email-services-under-ddos-attack.381307/

 

RunBox, Hushmail, and NeoMailBox (swiss service as Protonmail) were too under DDOS attacks these days.

 

ProtonMail sets a dangerous precedent and opens itself up to further attacks by paying ransom

http://betanews.com/2015/11/06/prot...tself-up-to-further-attacks-by-paying-ransom/

 

The news source you cite, like many, is radically misrepresenting what happened. When the attack on Protonmail escalated, it took down the entire network of its ISP, affecting hundreds of companies, including banks. Protonmail did not want to pay the ransom, but these other companies put a huge amount of pressure on them to do so. That's where the quote of "grudgingly" comes from, they "grudgingly" went along with the pressure from all the other companies.

Here's Protonmail's full explanation of the course of events that led to the ransom payment:

 

Thank you for explaining things up, @cb474

 

It's very suspicious that the attackers didn't honor the ransom payment, because if it were a criminal organisation, it is in its interests - ironically - to be honest about that.

Instead, it increases the likelihood of state-level actors being the culprits.

I imagine also, that ProtonMail (and the other similar providers) will be seeking a different ISP, voluntarily or involuntarily - independent of the issue of DDos protection.

I also wonder whether this illustrates the problem with the architectural model here, which is still central server - clients (and this has other downsides such as attack on their certificates, and the subversion of their javascript code).

 

@deBoetie

Protonmail believes they were subject to attack from two different parties. The first, easily handled, small scale attack came from those who demanded the ransom. This group, the Armada Collective, has plagued a number of sites lately. The second much more sophisticated attack, Protonmail says reflects the level of capability normally associated with a state sponsored actor. They think this was a second attack by a party unrelated to the Armada Collective. In fact, after they paid the ransom and the attack did not stop, the Armada Collective contacted Protonmail to tell them they were not responsible for this (which has some credibility, since if they were responsible it would be more natural to ask for more money).

Protonmail explains all of this in the link to their Wordpress blog I provide above.

Protonmail has moved to install hardware which can mitigate the second more sophisticated attack, but it is very expensive, hence they started a fund raiser to support this. Details about this can be found in their Twitter feed.

I've read some people speculating that the second attack may have taken the opportunity of the first attack to act, perhaps to obfuscate who is responsible. I know that Protonmail has a lot of users in China including dissident groups (and also Iran, I think). It would not be surprising that China would want to disrupt access of dissident groups to a secure private method of communication and obviously they have both the capability and willingness to do something like this. I don't know what Iran's capacities are. I also am not sure if Iran is as interested in cracking down on stuff like this.

 

Thanks, whichever you believe, the notion that there is a state-sponsored attacker is pretty compelling.

And the sad thing is that peoples' suspicions will not be limited to "official" rogue/repressive states, and that protestations from TLAs simply cannot be believed. That's the legacy they've created.

 

Just wondering as I pass through this thread. Are any of the email providers being "attacked" running hidden servers? Was just wondering if TOR's hidden network configuration would insulate this at all? I haven't given it any thought but my stuff hasn't been down. Its private, and being who I am it'll stay that way. LOL!

 

That article kind of gets the chronology wrong and mixes up what different tweets from Protonmail were referring to. Protonmail came back online on Nov 8, after installing new hardware to handle the second more sophisticated attack, but the next day they were attacked again using a different method and went down again for a couple hours. After mitigating that third attack they seem to have remained up so far, but they say the remain under continuing attack.

Protonmail has provided a detailed account of what's going on and what happened here:

https://protonmail.com/blog/protonmail-ddos-attacks/

They also sound confident now that there were two attackers, the first, who demanded the ransom and who have plagued other sites recently, and the second much more sophisticated party, who they think had probaby been planning the attack for a while and took the opportunity of the first attack to try to hide their tracks. Experts are working with Protonmail to see if they can identify the second attacker.

If you read the whole Protonmail post on this, it's nice to see how many other companies and experts really rallied behind them.

 

FastMail the latest victim of a sustained DDoS offensive

http://www.welivesecurity.com/2015/11/12/fastmail-latest-victim-sustained-ddos-offensive/

 

I'm betting China is responsible. They have the capabilities to do such an attack and they have the motives.

Iran doesn't have the capability to run such a large sustained DDoS attack.

 

Yeah, I don't really know, but if I had to bet, I'd put my money on China. They have the capability to do this, they have a history of this sort of action, and my impression is that Protonmail is popular with Chinese dissidents. If they could bring down the service, it would be a step in hindering their communication.

I don't know about Iran's capabilities, but I'm will to believe others on this. And western agencies don't tend to go for such blatant attacks (especially within the context of the west itself). They try to do more sureptitious things, figure out if they can compromise the service and then spy on people (rather than just bring the service down).

On the other hand, in the face of more and more sophisticated encrypted communications services, perhaps western agencies will have no other choice. If they can't compromise the communications, then some other sort of mischief might become more appealing.

 

A major part of the draft Investigatory Powers Bill in the UK is trying to legitimatize precisely this (what they are already doing). Except, it's not blatant attack, it's equipment interference. Only China would attack.

 

What's equipment interference, as counter distinguished from an "attack"? I don't think I understand the distinction you're making.

 

Sorry, my pathetic attempt at humor in the face of a bad situation - there is no difference except "interference" is supposed to make it more palatable. You are supposed to trust that they are always after the bad guys, despite disgraceful evidence to the contrary.