A DDoS, or distributed denial-of-service attack, floods a server with bogus requests; in this case, it prevented more than half a million legitimate users from accessing the email service.
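To make the definition above concrete from the defender's side, here is an added example (not code from the original article or from ProtonMail) that runs simple flood detection over constructed access-log lines. It buckets requests into fixed time windows, learns a baseline rate from the first few windows, flags any window whose rate exceeds a multiple of that baseline, and then counts distinct sources so that a single noisy client can be told apart from a distributed flood. The log format, the IP ranges, the thresholds and the quiet-baseline assumption are all constructed for illustration.

```python
from collections import Counter, defaultdict


def constructed_log():
    """Constructed access-log lines: '<epoch_seconds> <source_ip> <method> <path>'.

    Seconds 0-59:  quiet traffic at 2 req/s from a pool of 20 clients.
    Seconds 60-89: a distributed flood at 40 req/s spread over 100 sources.
    Seconds 90-99: one noisy client at 30 req/s.
    (All addresses come from documentation ranges; nothing here is real traffic.)
    """
    lines = []
    for t in range(60):
        for i in range(2):
            lines.append(f"{t} 192.0.2.{(t + i) % 20 + 1} GET /inbox")
    for t in range(60, 90):
        for i in range(40):
            lines.append(f"{t} 198.51.100.{(t * 7 + i) % 100 + 1} GET /login")
    for t in range(90, 100):
        for i in range(30):
            lines.append(f"{t} 203.0.113.5 GET /login")
    return lines


def parse_line(line):
    """Return (timestamp, source_ip) from one constructed log line."""
    ts, ip, _method, _path = line.split(" ", 3)
    return int(ts), ip


def bucket_requests(lines, window):
    """Group requests into fixed windows: window index -> Counter(source_ip)."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip = parse_line(line)
        buckets[ts // window][ip] += 1
    return buckets


def detect_flood(lines, window=10, baseline_windows=3, factor=5.0, top_share=0.2):
    """Flag windows whose request rate exceeds baseline * factor.

    Returns a list of (window_start_seconds, requests_per_second,
    distinct_sources, kind). The baseline is the mean rate over the first
    `baseline_windows` windows, assumed quiet (an assumption of this example;
    a real deployment learns it from history). A flagged window is labelled
    'single-source' when one client accounts for at least `top_share` of its
    requests, otherwise 'distributed'.
    """
    buckets = bucket_requests(lines, window)
    keys = sorted(buckets)
    baseline_total = sum(sum(buckets[k].values()) for k in keys[:baseline_windows])
    baseline_rps = baseline_total / (baseline_windows * window)

    flagged = []
    for k in keys:
        counter = buckets[k]
        total = sum(counter.values())
        rps = total / window
        if rps <= baseline_rps * factor:
            continue
        busiest_share = max(counter.values()) / total
        kind = "single-source" if busiest_share >= top_share else "distributed"
        flagged.append((k * window, rps, len(counter), kind))
    return flagged


if __name__ == "__main__":
    for start, rps, sources, kind in detect_flood(constructed_log()):
        print(f"t={start:>3}s  {rps:5.1f} req/s  {sources:3d} sources  {kind}")
```

The distinction in the last column is the operationally useful part: the single noisy client is handled by ordinary per-source rate limiting, whereas the distributed window shows hundreds of sources each sending only a handful of requests, so per-IP blocking does nothing and the excess has to be absorbed or scrubbed upstream, which is why capacity and provider-level mitigation figure so prominently in the rest of this story.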
The attack began on November 3. The attackers demanded a ransom of 15 BTC (around US$5,600), payable to the Bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y, to stop the attack. The DDoS persisted for 15 minutes, then stopped.
The next day, however, a more powerful DDoS attack started, but with no new ransom demand, according to a statement by ProtonMail. ProtonMail paid up, assuming that both attacks were from the Armada Collective.
That no longer seems certain. The Armada Collective later publicly disavowed any connection with the second DDoS, writing in blockchain transaction comments on November 6, "Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!" and "We are not attacking ProtonMail! Our attack was small, directed at their IP only and lasted 15 minutes only!"
ProtonMail worked with MELANI, a division of the Swiss federal government, to analyze the attacks. Unlike the first attack, which was fairly basic as DDoS attacks go, the second attack targeted weak points in the infrastructure of ProtonMail's ISPs.
"This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated," ProtonMail wrote in a statement.
"This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors," Andy Yen, co-founder of ProtonMail, said in an email. "It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."
Documents leaked by Edward Snowden showed that GCHQ, the UK's signals intelligence agency, has engaged in DDoS attacks in the past. However, Yen did not offer any evidence that a nation-state attacker was involved in this case.
"There is really no way to know," Nicholas Weaver, a researcher at UC Berkeley's International Computer Science Institute, wrote in an email. "A 100 Gbps DOS attack is significant but not that unheard of these days, and many criminal groups have that capability should they desire to launch a large DOS."
Matthew Prince, co-founder and CEO of Cloudflare, said the same. "It's not rocket science to launch these attacks," he said in a phone call. "When you look into who is behind a lot of these attacks, more often than not it turns out to be bored teenager kids."
The resources needed to launch such an attack, he said, amount to as little as a cheap server rental paid for in Bitcoin and a short script to automate the DDoS. Since would-be attackers can easily find such code online, pretty much anyone could carry out such an attack, which makes attribution extremely difficult, if not impossible.
"And once someone [like ProtonMail] has shown they're vulnerable to these attacks, others will pile on them," Prince added.
"The Radware solution basically means we will have the ability to withstand very big DDoS attacks in the future directed against our infrastructure," Yen wrote in an email. "So incidents where we are taken offline for multiple days are now far less likely in the future."
To pay for the new infrastructure, ProtonMail raised more than $50,000 through the website GoFundMe over the past week.
"There are few service providers able to fight off an attack of this size and sophistication," ProtonMail's statement said. "These solutions are expensive and take time to implement, but they will be necessary because it is clear that online privacy has powerful opponents."
The DDoS attack on ProtonMail highlights just how vulnerable most internet infrastructure is and how difficult attributing these kinds of attacks can be.
"The full forensic analysis, involving teams from around the world who have offered to investigate with us, will take several weeks," Yen wrote. "Even then, it may not be possible to determine the origin of the attack."