“Every file server is lost, every backup server is lost.”
A catastrophic, smash-and-destroy cyber attack has eliminated the U.S. infrastructure for secure email service VFEmail. It’s a rare example of a purely destructive offensive, apparently unmotivated by financial gain or espionage goals.
An attacker wiped out the company’s U.S. servers on Monday evening, including backups, destroying almost two decades’ worth of user data in just a few hours. VFEmail owner Rick Romero noted that the attack took aim at VFEmail’s “entire infrastructure,” including mail hosts, VM hosts, an SQL server cluster and the virtual machines themselves.
“At this time, the attacker has formatted all the disks on every server,” tweeted the company. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost.”
Romero added that this kind of access means that whoever did this had multiple passwords: “If they all had one password, sure, but they didn’t. That’s the scary part,” he tweeted. The company account added, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”
In an update posted to the company’s website, Romero identified the hacker as “last seen aktv[at]22.214.171.124” – he caught the malefactor in the act, but wasn’t able to salvage much.
This is all I can do at this time. I will need to get into the datacenter to see if the one file server I caught during formatting can be recovered. If it can, we can restore mail, but most of the infrastructure is lost.
— VFEmail.net (@VFEmail) February 11, 2019
Romero said in the website update that incoming mail was now being delivered, but that getting anything historical back would be unlikely.
Bent on Destruction
While attacks that do nothing more than destroy infrastructure have been launched in the past (think Shamoon, BlackEnergy, Destover, ExPetr/NotPetya and Olympic Destroyer), the question remains as to why someone would want to take out a niche-focused Wisconsin-based email provider. Wiper attacks and other destructive efforts are generally used to send a political message.
“This kind of destructive attack, with no stated motive or demands, is quite rare,” Chris Morales, head of security analytics at Vectra, said via email. “An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea.”
Romero intimated that this could indeed signal the end for his privacy-focused company, which he started in 2001: “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”
Beyond the possibility of a personal vendetta being behind the incident, Justin Fier, director for Cyber Intelligence and Analysis at Darktrace, said that the incident could be attackers simply wanting to cover their tracks after successful data exfiltration.
“It’s easy to imagine the attacker may have gotten what they wanted and figured the best way to clean up was to destroy all the evidence,” he said via email. “In the past, this tactic was frowned upon as it is inherently noisy, and many attackers want to be as stealthy as possible. However, we’ve clearly entered a new era of attacks.”
He added, “This attack has some of the telltale signs of nation-state activity and it’s interesting to consider why a nation state might want to do this. What information was on VFEmail’s servers that a nation-state might want to obtain, or, on the other hand, what might they not want found?”
Details are scant in terms of how the attack was carried out so effectively – the multiple-password aspect could suggest an inside job. Meanwhile, some security researchers are questioning why there was not better backup in place.
“This raises questions of what disaster recovery strategy was in place and why data wasn’t backed up into cold storage, thus making it unavailable to attackers,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers’ data. The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way.”
Morales meanwhile added that “the first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data. Offline backup is the same strategy organizations are using to counter loss from ransomware.”