"This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors."
Unbelievable that they actually handed over $6000 to those criminals. No wonder they didn't stop the attack, they probably thought they could get more!
"This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.
At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless."
I understand the reasons, but I'd prefer not to have access to my mail for a day than to give in to these criminals. That said, the damage probably easily exceeds $6000; I can understand other companies trying to pressure Protonmail.
Isn't the ISP/carrier ultimately responsible for mitigating these types of attacks? You rent a line and some IP addresses, not the garbage coming into their network.
I'd be interested to hear how Matthew Prince at Cloudflare would mitigate these NTP/SSDP amplification attacks.
While I agree they are a juicy target for nation states, without proof that claim rings hollow. Why would the NSA/Russians/Chinese want $6000 from Protonmail when all they'd have to do is use XKEYSCORE to filter out Protonmail users and hack computers to get the secret E-mail at layer 7? Shutting down Protonmail doesn't help a nation state at all. They WANT to know who's sending/receiving encrypted E-mail. The second wave of the attack would be as simple as targeting the last few hops to Protonmail. That's not rocket science. If extortion was the goal of a nation state, we'd all be broke.
This attack smells more of a sophisticated asshole blackhat haxor with some advanced tools and a knowledge of vulnerabilities in critical internet protocols.