The email provider VFEmail has suffered a cyberattack that has caused “catastrophic destruction.” A hacker with a Bulgarian IP address gained access to its U.S. servers and formatted them, destroying all data in its primary and backup systems. The attack started on the morning of February 11, 2019.
VFEmail issued a statement saying that all disks on its U.S. servers were formatted and all of its virtual machines, mail servers, and backup servers were lost.
The firm is currently trying to recover as much data as possible, but it fears that all user data stored on its U.S. servers has most likely been permanently lost. All users have been advised not to reconnect their local mail clients, as doing so would likely result in all local copies of emails and email attachments also being lost.
The attack was discovered while it was in progress, but not in time to prevent the loss of most of the company’s infrastructure. The attacker had started formatting VFEmail servers in the Netherlands when they were traced and stopped. In that case, user data could be recovered from a backup server that survived the attack, although it is currently unclear how much of the user data on that server can be restored.
According to VFEmail, the attack did not appear to be financially motivated. No ransom demand was issued, and no prior threats were received. The attack appeared to be solely about sabotage. “This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”
This attack clearly demonstrates the importance of sound backup strategies, which include making multiple backup copies with at least one copy stored securely on a device totally separate from production data and not accessible over the Internet. The company did use off-site backup servers, but they were connected to the Internet.
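The backup lesson above can be turned into a check that an operations team runs against its own backup inventory. The following is an added example written for this page, not code from VFEmail or from the article; the copy attributes, policy thresholds and both inventories are constructed assumptions. It evaluates a list of backup copies against the rule stated above (several copies, at least one offline and separate from production) and adds two checks a practitioner would want alongside it: whether any copy can be unlocked with production credentials, and whether each copy has had a recent successful test restore.

```python
"""Backup-policy evaluation illustrating the lesson from the VFEmail incident.

Added example for this page, not VFEmail's own code. Copy attributes,
thresholds and the two inventories below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    name: str
    site: str                 # physical location of the copy (assumed label)
    online: bool              # reachable over the network from production
    credential_realm: str     # authentication domain that unlocks the copy
    last_verified: datetime   # last successful test restore from this copy


@dataclass(frozen=True)
class Policy:
    min_copies: int = 3                       # assumed threshold
    min_sites: int = 2                        # assumed threshold
    max_verify_age: timedelta = timedelta(days=30)  # assumed threshold


def evaluate(copies: List[BackupCopy], production_realm: str,
             policy: Policy = Policy(),
             now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the inventory passes."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []

    if len(copies) < policy.min_copies:
        findings.append(("too_few_copies",
                         f"{len(copies)} copies, policy requires {policy.min_copies}"))

    sites = {c.site for c in copies}
    if len(sites) < policy.min_sites:
        findings.append(("single_site",
                         f"all copies share {len(sites)} site(s); a site loss removes every copy"))

    # The core lesson: an intrusion that reaches production can reach every
    # copy that is online, so at least one copy must be offline.
    if not any(not c.online for c in copies):
        findings.append(("no_offline_copy",
                         "every copy is network-reachable; one intrusion can wipe them all"))

    # A copy unlocked by production credentials is not separate from production.
    shared = [c.name for c in copies if c.credential_realm == production_realm]
    if shared:
        findings.append(("shared_credentials",
                         f"copies unlocked with production credentials: {', '.join(shared)}"))

    # A backup nobody has restored from is a hope, not a backup.
    stale = [c.name for c in copies if now - c.last_verified > policy.max_verify_age]
    if stale:
        findings.append(("stale_verification",
                         f"no test restore within {policy.max_verify_age.days} days: {', '.join(stale)}"))
    return findings


# Constructed reference time for a reproducible evaluation.
NOW = datetime(2019, 2, 12, tzinfo=timezone.utc)

# Constructed inventory modelled on the situation described above: off-site
# copies exist, but all are online and reachable with production access.
VFEMAIL_LIKE = [
    BackupCopy("backup-us", "us-dc", True, "prod-ssh", NOW - timedelta(days=1)),
    BackupCopy("backup-nl", "nl-dc", True, "prod-ssh", NOW - timedelta(days=45)),
]

# Constructed inventory that satisfies the policy: a third copy is offline,
# at a separate site, and unlocked by a credential realm production does not hold.
HARDENED = [
    BackupCopy("backup-us", "us-dc", True, "backup-svc", NOW - timedelta(days=1)),
    BackupCopy("backup-nl", "nl-dc", True, "backup-svc", NOW - timedelta(days=7)),
    BackupCopy("tape-vault", "offsite-vault", False, "vault-custodian", NOW - timedelta(days=20)),
]


if __name__ == "__main__":
    for label, inventory in (("vfemail-like", VFEMAIL_LIKE), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for code, message in evaluate(inventory, "prod-ssh", now=NOW) or [("ok", "policy satisfied")]:
            print(f"  [{code}] {message}")
```

Running the script prints four findings for the first inventory (too few copies, no offline copy, shared credentials, stale verification) and none for the second. The check is deliberately inventory-driven rather than tied to any backup product: the same five conditions apply whether the offline copy is a tape, a detached disk, or an immutable object-store bucket whose deletion is gated by a separate credential.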
It is currently unclear how access to the company’s servers was gained. Multiple datacenters were affected by the attack, and not all of the affected servers required the same authentication credentials. What is clear is that, despite VFEmail advertising its email service as secure, not all vulnerabilities had been addressed. The company’s backup procedures have also been questioned, as it should not have been possible for all user data to be erased. Email data going back around 18 years is believed to have been permanently lost.
According to one business user in Florida, more than 60,000 sent and received emails from over 10 years were permanently lost.
Incoming mail is now being delivered, but it is looking likely that VFEmail may not be able to recover from the attack. To recover would mean totally rebuilding from scratch and rewriting a considerable amount of custom code.
As for the reason for the attack, it is pure speculation at present. It has been suggested that there may have been some data in emails that an individual or group wanted to be permanently removed. If that proves to be the case, the attackers appear to have succeeded.