VFEmail, a privacy-focused email service provider to businesses and individuals, has been hit with what the company called “catastrophic destruction” unleashed by an unknown hacker whose intent appears not to be robbery or spying but a takedown of the operation.
Late on Monday, February 11, the attacker wiped out VFEmail’s infrastructure, including backups, email hosts, virtual machine hosts, the VMs themselves and a SQL server cluster, in a smash job that the company said effectively destroyed nearly 20 years of data. (Here's an incident log.)
While the slash-and-burn attack has some of the makings of an inside job, the hacker’s motives aren’t clear. “At this time, the attacker has formatted all the disks on every server,” VFEmail owner Rick Romero tweeted. “Every VM is lost. Every file server is lost, every backup server is lost.”
A similar post showed up on VFEmail’s website: “!!ALERT!!!! Update Feb 11 2019. www.vfemail.net and mail.vfemail.net are currently unavailable in their prior form. We have suffered catastrophic destruction at the hands of a hacker, last seen as [email protected]. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”
Shortly afterwards, Romero tweeted that he had caught a hacker in the act of formatting one of the company’s mail servers in The Netherlands. “This is all I can do at this time. I will need to get into the datacenter to see if the one file server I caught during formatting can be recovered. If it can, we can restore mail, but most of the infrastructure is lost.”
The first indication that something was amiss appeared early on Monday, when the company’s Twitter account began receiving messages from users that their email wasn’t going through. VFEmail responded that its systems in “multiple data centers are down.” In another tweet, Romero questioned whether the attacker had control of more than one password, which would suggest an insider was involved: “If they all had one password, sure, but they didn’t. That’s the scary part,” he tweeted. “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”
Why would hackers want to take down a small, anonymous email provider without an obvious motive? Might a nation-state attacker be involved? What data might have been on VFEmail’s servers that a bad actor might want to get their hands on or destroy? Might someone have a vendetta against the company or Romero?
“It looked like the IP was a Bulgarian hosting company,” Romero told KrebsOnSecurity. “So I’m assuming it was just a virtual machine they were using to launch the attack from. There definitely was something that somebody didn’t want found. Or, I really pissed someone off. That’s always possible.”
Either way, Romero said the attack likely means the end for his company: “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”
But maybe there are options still left to Romero. As of Wednesday, February 13, he posted that he’d engaged a “data recovery vendor to discuss options.” And he left this note to users: “Consider your mailbox data to be lost, but we haven’t given up yet.”