Follow-on attacks show capabilities “commonly possessed by state-sponsored actors.”
A provider of end-to-end encrypted e-mail said it paid a ransom of almost $6,000 to stop highly advanced denial-of-service attacks that knocked its networks, and the networks of some of its upstream providers, offline.
In a blog post published Thursday, officials of Switzerland-based ProtonMail said they “grudgingly agreed” to pay 15 bitcoins, which at current valuations came to about $5,850, to the attackers in exchange for them halting the assault. Even after paying the sum, however, crippling attacks continued, although at the time the blog post was being written, they had subsided. The ransom payment is generating protest from critics who say it will only encourage more attacks. ProtonMail officials wrote:
We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. Attacks against infrastructure continued throughout the evening and in order to keep other customers online, our ISP was forced to stop announcing our IP range, effectively taking us offline. The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack.
The campaign began shortly after midnight on Tuesday, when ProtonMail received an extortion e-mail from a group of criminals said to be responsible for a string of DDoS attacks across Switzerland over the past few weeks. The message was soon followed by a distributed denial-of-service attack that lasted for about 15 minutes. The attack resumed at 11 a.m. the same day and was already showing “an unprecedented level of sophistication.” By 2 p.m., the flood of junk traffic reached volumes of 100 gigabits per second and began targeting ProtonMail’s datacenter and upstream providers, including routers in Zurich, Frankfurt, and other locations where the ISP has nodes.
“This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.”
The blog post went to to say:
Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us.
At present, ProtonMail’s infrastructure is still vulnerable to attacks of this magnitude, but we have a comprehensive long term solution which is already being implemented. Protecting against a highly sophisticated attack like the second one which was launched against us requires sophisticated solutions as we also need to protect our datacenter and upstream providers. Cost estimates for these solutions are around $100,000 per year since there are few service providers able to fight off an attack of this size and sophistication. These solutions are expensive and take time to implement, but they will be necessary because it is clear that online privacy has powerful opponents. In order to cover these costs, we are collecting donations for a ProtonMail defense fund.
Attributing online attacks to a particular group, or even to a nation state, is a difficult endeavor that’s frequently prone to error. Still, the prospect that a nation state is behind the second wave of attacks could make an already problematic development—a service that paid a ransom to stop crippling DDoS attacks—much more complicated. It’s likely this story will have more developments before it’s done.