ProtonMail names one of the attackers behind a major DDoS this summer

End-to-end encrypted email service ProtonMail has named one of the attackers behind a sustained distributed denial of service (DDoS) attack it suffered earlier this summer. The attack took its email service offline for stretches of up to several minutes at a time, even with mitigation measures in place.

It says the UK’s National Crime Agency (NCA) arrested the teenager, George Duke-Cohan, who was a member of a criminal group called Apophis Squad, late last month.

“Earlier this week, the British National Crime Agency announced the arrest of George Duke-Cohan, also known by his aliases ‘7R1D3N7,’ ‘DoubleParallax,’ and, more recently, ‘optcz1,’” it writes in a blog post published today.

“At ProtonMail, we unfortunately have to face off against cyberattacks on a daily basis. Over the course of this summer, no fewer than five separate groups have been conducting attacks against ProtonMail. Duke-Cohan was a key member of Apophis Squad, a criminal group which was involved in cyberattacks against ProtonMail.”

Earlier this week the 19-year-old pled guilty to making hoax bomb threats targeting UK schools.

ProtonMail founder Andy Yen tells TechCrunch it’s not clear what Duke-Cohan or Apophis Squad’s beef might have been with the encrypted email service — and according to its blog members of the group had in fact been users of the encrypted email service themselves — adding that “multiple threat actors were involved”.

“For DDoS specifically, we identified three separate threat actors this summer,” he tells us via email. “We have names/addresses for two of them now, including obviously George from Apophis.”

“Apophis was the least sophisticated threat actor, and from the attack traffic analysis, not related to any of the past or current threat actors we are contending with,” he continues, adding: “ProtonMail unfortunately is a popular target because we are well known as a highly hardened target, and there is a sizeable amount of ‘bragging rights’ that comes with being able to cause us difficulty. This subsequently allows these threat actors to sell their ‘services’ for more money or gain notoriety. Apophis likely falls into this category as they also subsequently took down the FBI’s mail servers.”

The group had also targeted cyber security journalist Brian Krebs’ website with DDoS attacks this year (among other targets), and blogging about the arrest Krebs — who collaborated with ProtonMail in tracking the hackers down — writes: “Unsophisticated but otherwise time-wasting and annoying groups like Apophis Squad are a dime a dozen. But as I like to say, each time my site gets attacked by one of them two things usually happen not long after: Those responsible get arrested, and I get at least one decent story out of it.”

The UK’s NCA seemingly got involved because in addition to DDoSing ProtonMail and Krebs’ website the group had been attacking government agencies in a number of countries.

And, well, bragging via Twitter that they were untouchable to the Feds…

ProtonMail says that once law enforcement agencies got involved they filed MLAT requests asking ProtonMail to assist. Not that it would have been able to hand over much user data, given the end-to-end calibre of its encryption.

On that point Yen declines to go into detail when we ask exactly what data it was able to pull from their accounts, saying only: “There is not a lot from ProtonMail actually, because all emails on our system are encrypted. However, there were plenty of clues elsewhere.

“Like with all criminal groups, they left traces across the Internet which our investigative team was able to uncover. This combined with the information we received from trusted sources in the infosec community and the requests from law enforcement, made it possible to connect the dots and make a conclusive identification.”

According to ProtonMail’s blog, it was able to conclusively identify Duke-Cohan as a member of Apophis Squad in the first week of August — and says it informed law enforcement on August 8.

However, UK police did not move to immediately arrest Duke-Cohan, so through much of August ProtonMail’s service remained under DDoS attack (though it says it was able to mitigate this thanks to Radware’s counter-DDoS efforts).

While still at liberty, Duke-Cohan managed to wreak further havoc, posing in another hoax call as the father of a distressed passenger on a United Airlines flight from London to San Francisco on August 9, and claiming the plane had been hijacked and that there was a bomb on board.

ProtonMail says the plane, United Airlines Flight 949, was quarantined upon arrival in San Francisco and “extensively searched”. “This, combined with the fact that Apophis Squad had threatened to send bomb threats to UK schools when school started again in September, made it necessary for British police to take action,” it adds.

Duke-Cohan was finally arrested on August 31 by officers from the NCA. And this week the U.K. teenager from Watford, near London, pled guilty to the airline and school hoaxes.

ProtonMail suggests further charges are pending, along with “possible extradition to the U.S.”.

The two other entities Yen says also targeted ProtonMail for DDoS this summer remain unnamed for now.

But he couches them as “substantially more sophisticated and innovative”, adding that they pose “more grave threats to the internet community”.

“There were some techniques used that had never been seen out in the wild before and were more difficult to contend with. We were fortunate to be defended by Radware, as they were able to adapt to the new threats rapidly. We have confirmed one of these threat actors was financially driven and had been paid to attack ProtonMail,” he says.

“Because of the danger posed by these groups, we will actively work with law enforcement and other infosec professionals to track them down. A big part of this is sharing intelligence,” he adds, praising Krebs for assisting with information that was “instrumental for conclusively identifying the people behind Apophis Squad”.

“Going forward, we will continue to aggressively go after all groups who attack ProtonMail in order to protect our users,” he adds.