Attackers Completely Destroy VFEmail’s Secure Mail Infrastructure


“Every file server is lost, every backup server is lost.”

A catastrophic, smash-and-destroy cyberattack has eliminated the U.S. infrastructure for secure email service VFEmail. It’s a rare example of a purely destructive offensive, apparently unmotivated by financial gain or espionage goals.

An attacker wiped out the company’s U.S. servers on Monday evening, including backups, destroying almost two decades’ worth of user data in just a few hours. VFEmail owner Rick Romero noted that the attack took aim at VFEmail’s “entire infrastructure,” including mail hosts, VM [virtual machine] hosts, an SQL server cluster and the virtual machines themselves.

“At this time, the attacker has formatted all the disks on every server,” tweeted the company. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost.”

Romero added that this kind of access means whoever did this had multiple passwords: “If they all had one password, sure, but they didn’t. That’s the scary part,” he tweeted. The company account added, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”

In an update posted to the company’s website, Romero identified the hacker as “last seen aktv[at]94.155.49.9” – he caught the malefactor in the act, but wasn’t able to salvage much.

Romero said in the website update that incoming mail was now being delivered, but that getting anything historical back would be unlikely.

While attacks that do nothing more than destroy infrastructure have been launched in the past (think Shamoon, BlackEnergy, Destover, ExPetr/NotPetya and Olympic Destroyer), the question remains as to why someone would want to take out a niche-focused Wisconsin-based email provider. Wiper attacks and other destructive efforts are generally used to send a political message.

“This kind of destructive attack, with no stated motive or demands, is quite rare,” Chris Morales, head of security analytics at Vectra, said via email. “An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea.”

Romero intimated that this could indeed signal the end for his privacy-focused company, which he started in 2001: “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

Beyond the possibility of a personal vendetta being behind the incident, Justin Fier, director for Cyber Intelligence and Analysis at Darktrace, said that the incident could be attackers simply wanting to cover their tracks after successful data exfiltration.

“It’s easy to imagine the attacker may have gotten what they wanted and figured the best way to clean up was to destroy all the evidence,” he said via email. “In the past, this tactic was frowned upon as it is inherently noisy, and many attackers want to be as stealthy as possible. However, we’ve clearly entered a new era of attacks.”

He added, “This attack has some of the telltale signs of nation-state activity and it’s interesting to consider why a nation state might want to do this. What information was on VFEmail’s servers that a nation-state might want to obtain, or, on the other hand, what might they not want found?”

Details are scant in terms of how the attack was carried out so effectively – the multiple-password aspect could suggest an inside job. Meanwhile, some security researchers are questioning why there was not a better backup strategy in place.

“This raises questions of what disaster recovery strategy was in place and why data wasn’t backed up into cold storage, thus making it unavailable to attackers,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers’ data. The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way.”

Morales meanwhile added that “the first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data. Offline backup is the same strategy organizations are using to counter loss from ransomware.”

 

 


Discussion

  • Anonymous on

    Should have had Cylance on those servers.
  • Anonymous on

    Still holds true in this day of highly available, distributed applications. Always have a backup.
  • Daniel Cubillos on

    Perhaps it might sound silly but... where on earth was the offline encrypted backup? At least they could make a backup on a weekly basis, so in case of a "catastrophic disaster" most of the data could be saved and restored, but according to the report all the info is gone and everyone got vf virtual f*cked. It was a ridiculous mistake, bearing in mind that storage nowadays is ridiculously cheap. You can get petabytes of storage for a few thousand. Besides, the price per gigabyte has significantly dropped in the last 10 years, so there is no excuse for this loss. The most secure and unhackable server is the one which is unplugged and left in a safe under 24/7 monitoring.
  • 11548,&,+* on

    I think I know this IP address.
  • CTC911CTC on

    At MIT in 1986 I worked with an engineer that furiously typed and smoked all day long. There was no project progress from him. I sat down with him and asked him what he did all day. He exhaled and in a relieved tone told me: "... there are 48 machines on the ARPAnet, I now have accounts on 45, only 3 more to go...". Astonished, I asked him, "Why are you doing this?" He said: "I don't know." Pretty sure this is a shared psychosis with our more destructive adversary in the story above.
