
'Armada' Extortionist Hackers Bulldozing 'Secure' Email Services


humble3d

The last four days have seen at least four private email providers taken offline by distributed denial of service (DDoS) attacks, where servers are overwhelmed with maliciously-generated traffic. All are being targeted by a strange crew called the Armada Collective.
As I reported on Thursday, ProtonMail, the encrypted email start-up set up by CERN researchers in Geneva, paid a ransom to the hackers who’d threatened to continue flooding its data center. After the payment of 15 Bitcoin (around $6,000) was made, the company was continually hit over the weekend, though it believes another group was responsible for the subsequent attacks.
Though it was the only one to pay, it wasn’t the only one to suffer as a result of extortionist hackers’ actions these last few days. Hushmail, another popular email provider promising better-than-average security, said it was on the receiving end of a DDoS. It was still apologizing for delays to email delivery today.
“The attackers have demanded a ransom, which we will not pay, and have promised an increase in the intensity of the attacks,” the Vancouver, Canada company explained, in a website post. “As such we expect that there will be continued attacks, which may result in further interruptions in service. We are continuing to improve our protection against these attacks, and have filed a criminal complaint with the relevant authorities.”
Runbox, which promises “secure email for professionals and businesses”, said it was dealing with a DDoS from 6 November. It managed to keep its service stable within a day, however. Finally, VFEmail said it was coping with attacks from 4 November. According to the company’s Facebook page, the owner was close to shutting the whole service down as a result of the hit.
Meanwhile, enterprise software provider Zoho said it was facing a DDoS as well, taking out its email offering, though it didn’t specify whether it was sent a ransom request. It did, however, point to the two attacks on ProtonMail and Runbox, adding: “We cannot give in to criminals and embolden them to perpetuate other attacks.”
It’s unclear why private email services are being attacked, though it seems one group is responsible. “It appears, although we cannot be certain, that this attack is coming from the same group that attacked ProtonMail. There are similarities, including demanding a ransom. It does appear there is a focus on attacking secure email services, it’s not clear to us why,” said Ben Cutler, CEO of Hush Communications, the owner of Hushmail, via email.
Strange goings on with the Armada Collective
ProtonMail, Hushmail and Runbox all confirmed they had been targeted by a group of hackers calling themselves the Armada Collective. Looking at the Bitcoin addresses specified by the attackers in their emails to ProtonMail and Runbox, the attacks are indeed linked.
The attackers, bafflingly, have started sending small amounts of money back to ProtonMail. One of the addresses cited in the ransom email to Runbox was seen sending Bitcoin to ProtonMail’s account. Even more bizarre, the account that received the original payment from ProtonMail has also been sending back chunks of Bitcoin and attaching messages on some transactions in the Blockchain, the public ledger of all Bitcoin movements, to distance itself from a second, bigger attack on ProtonMail.
“Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” read one note. Another read: “We have no such power to crash data center and no reason to attack ProtonMail any more!”
And yet the Armada Collective, in its emails, claimed it could generate huge volumes of data to wipe out targets. It’s possible different DDoS attackers are using the Armada name to both inspire fear in their targets and cover their tracks.
A typical ransom email from the Armada Collective DDoS extortionists – from the Swiss Governmental Cyber Emergency Response Team.
But that doesn’t make the collective any less of a threat. In a ransom email sent to Runbox, the crew boasted its attacks were “extremely powerful – sometimes over 1Tbps per second. So, no cheap protection will help.” A terabyte a second is a vast amount of traffic to generate, capable of knocking over any company that doesn’t have adequate resources to cope. It would also be a record for the biggest DDoS ever.
“Right now we will start 15 minutes attack on one of your IPs [internet protocol addresses]… It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It’s just to prove that this is not a hoax. Check your logs,” the Armada Collective said in its email.
“If you don’t pay by Friday, attack will start, price to stop will increase to 30 BTC [bitcoin] and will go up 15 BTC for every day of attack. In addition, we will go publicly on social networks and recommend your users to switch to more secure providers like Tutanota and ProtonMail.” The email was similar to one the Swiss Governmental Computer Emergency Response Team warned about earlier this year.
But there is no evidence the crew has ever reached 1Tbps, according to security and networking firm Akamai. “The Armada Collective claims it has the power to unleash a DDoS attack of more than 1Tbps per second. To date, however, the biggest Armada Collective attack mitigated by Akamai has only peaked at 772Mbps,” the company noted in a blog post.
Whilst Akamai doesn’t think the Armada Collective is especially terrifying, it said the crew was a “credible source of attacks going forward. Organizations should take the threat seriously.”
By generating so much publicity, the crew may have shot itself in the foot, however. Andy Yen, who heads up ProtonMail, said over Skype instant messenger that he believed the hackers were now “feeling the heat”. “They know they are being hunted.”