SecurityWeek

Cyberwarfare

ProtonMail Suspects State-Sponsored DDoS Attack

ProtonMail, the end-to-end encrypted e-mail service used by activists, journalists, whistleblowers, and others looking for enhanced privacy, continues to be offline following a powerful and continuous distributed denial of service (DDoS) attack targeting its data center.

Initially thought to have been launched by an extortionist group, the DDoS attacks grew in sophistication and continued even after the company paid the requested ransom. The service was taken offline on Nov. 3 and was briefly restored the next day, but the sustained attacks prevented users from accessing its website on Thursday as well.

Last night, the company announced via Twitter that it had managed to restore the service as the attacks subsided, but a tweet posted this morning revealed that another attack had been launched and that its servers were down again. They remain down at the time of publishing.

The company suspects that the attacks were state-sponsored, mainly because of their magnitude and sophistication, and because they were launched with disregard for the massive collateral damage caused in order to take the email service offline. In a blog post, ProtonMail explains that it observed two attack stages, and that the second one was far more significant, causing the massive outage.

Initially, the company was targeted by an extortionist group that launched a 15-minute attack while demanding a Bitcoin ransom in exchange for not launching further attacks. The group of cybercriminals, which calls itself Armada Collective, has been launching similar attacks against companies across Switzerland in the past few weeks.

ProtonMail said that following the initial attack, a second wave was launched roughly 12 hours later, and that it grew in sophistication over time. Although the first attack targeted only the service’s IP addresses, the second one exceeded 100 Gbps and hit not only the ISP’s data center, but also routers in Zurich, Frankfurt, and other nodes, thus impacting hundreds of other companies as well.


The company then decided to pay the ransom to the extortionist group, but the attacks continued, disrupting traffic across the ISP’s entire network. The ISP stopped announcing ProtonMail’s IP range, effectively taking the service offline. However, the criminals who extorted the company in the first place announced that they were not behind the second wave of attacks.

“This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us,” the company said.

To avoid falling victim to similar DDoS attacks, ProtonMail plans to implement a comprehensive long-term solution that would protect its infrastructure from highly sophisticated attacks. However, it says that such solutions are expensive, which prompted it to launch a donation campaign aimed at covering the cost of employing a service provider capable of fending off this type of attack.
