How ProtonMail’s Recent Troubles Illustrate the Ethics of Malicious Hacking

And, perhaps, the impunity of nation states


Plus: what an attack’s size reveals about the attackers. (Photo: Gokhan Sahin/Getty Images)

As hacking becomes less a hobby and more an industry, a funny thing has happened: hackers want to be seen as honorable (after a fashion) criminals who keep their commitments.

“Cyber attacks are increasingly part of cyber crime. They need to have a good reputation,” Ben Johnson, Chief Security Strategist for Bit9 + Carbon Black, an endpoint security firm, told the Observer via phone. “Even though they are committing crimes, if people think ‘You know what, if I pay them $1,000, but then it’s still unlikely they will stop attacking my site,’ then word is going to spread that those hackers are not credible. And they won’t get paid.”

Radiolab did a recent story about a woman whose computer got hacked and how her attackers even seemed to show a bit of compassion toward the end.

This warped business ethic was on display in the recent distributed denial of service (or DDoS) attack on Switzerland’s ProtonMail, which took the site offline for about five days. It’s worth noting here that the secure email provider was never breached (that is, the hackers never got inside the system), but the attackers did manage to prevent other people from using it. ProtonMail opted to pay up, but the attacks resumed anyway, and became more ferocious. The original hackers were aghast to realize that they appeared to have defaulted on their commitment, as the service provider details in a blog post.

The group behind that first wave, known as “the Armada Collective,” left several notes on the blockchain to disavow the subsequent assault:

  • “Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!”
  • “We have no such power to crash data center and no reason to attack ProtonMail any more!”
  • “We are not attacking ProtonMail! Our attack was small, directed at their IP only and lasted 15 minutes only!”

The second attack was much more sustained and sophisticated. Mr. Johnson told us that this follow-on assault has a certain logic, saying, “If someone else is attacking a company that you really want to get into, you just follow and try to blend in.”

ProtonMail argues that the second adversary was so sophisticated that it could have been some sort of state-level actor. “The second group caused the vast majority of the damage, including the downing of the datacenter and crippling of upstream ISPs, exhibiting capabilities more commonly possessed by state-sponsored actors,” the blog post reports. “They never contacted us or made any ransom demands.”

Security guru Troy Hunt, the creator of HaveIBeenPwned, the leading site for checking to see if you were exposed in a breach, agreed.

“Nation states have both the motivation to take anonymity and privacy services offline as well as the resources to mount a prolonged attack like this,” Mr. Hunt wrote the Observer in an email. “We’ve seen similar incidents such as DDoS attacks against GitHub originating from China against projects designed for circumventing government monitoring. So yes, it’s certainly feasible that it could be state sponsored.”