Slashdot Mirror


Hackers Wipe US Servers of Email Provider VFEmail (zdnet.com)

Hackers have breached the servers of email provider VFEmail.net and wiped the data from all its US servers, destroying all US customers' data in the process. From a report: The attack took place yesterday, February 11, and was detected after the company's site and webmail client went down without notice. "At this time, the attacker has formatted all the disks on every server," the company said yesterday. "Every VM is lost. Every file server is lost, every backup server is lost. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy," VFEmail said. The company's staff is now working to recover user emails, but as things stand right now, all data for US customers appears to have been deleted for good and gone into /dev/null.

9 of 157 comments

  1. There were NO offsite backups????? by sconeu · · Score: 4, Insightful

    No offsite backups? No tapes????

    Who designed the disaster plan for these guys?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:There were NO offsite backups????? by Anonymous Coward · · Score: 2, Insightful

      What has a higher chance of getting owned? A network accessible box wide open to the web, or a backup server that can only be accessed by SSH via a specific management VLAN?

    2. Re:There were NO offsite backups????? by rickb928 · · Score: 3, Insightful

      It *is* a PITA to put a tape in your bag, open up the fireproof safe at home, throw it in, get the *correct* one out, put it in your bag, and remember the next day to put that where it needs to be. And repeat. /s

      I did that for years. And I slept a little better.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re:There were NO offsite backups????? by rickb928 · · Score: 3, Insightful

      Once you're in the front door, you're going through the system. Only offline backups can be trusted to 'be there'.

      And no offline copies of the VM environment? I think of those as especially precious. Do I want to rebuild those from scratch? Nope.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  2. Pull not push for backups. by unkmar · · Score: 2, Insightful

    First onsite backup
    Second offsite backup that pulls, not pushes.
    - A push backup leaves a trace that there is a backup and to where it is being pushed.
    - - Just track the push and wipe out the backup as well.
    - A pull backup is only visible from the pulling location and to anyone inside that knows it exists.
    - - No trail to trace and wipe out. If it is wiped out, then it is clearly an inside job.
    - - A pulling backup does mean the pulling system has access to the onsite backups.
    - - - But the onsite backup can be isolated from the onsite system and data.
    Conclusion:
    - Onsite hack can wipe out onsite system and data and onsite backup, but not offsite backup.
    - Offsite hack can wipe out onsite backup and offsite backup, but not onsite system and data.
    - Internal knowledge required to hit both targets.

  3. Re:You mean just the online backup servers... by bobbied · · Score: 4, Insightful

    Also, depending on how nasty they were being, they might have lurked long enough to poison the offline backups too. People tend to not actually check them till something goes wrong.

    AND, when they check, some 70% turn out to be insufficient or not restorable. Most turn out to be nearly useless for anything but giving you a warm fuzzy feeling as you trot them off to offsite storage.

    Having a backup plan is one thing, TESTING your backup plan is the next level.... However, revising your backup plan and TESTING your backups are restorable on a regular basis is the only way to know it will work when the chips are down. IF you don't do all this work, it's NOT really backed up, regardless of how many tapes you put into storage.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
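
A minimal restore drill for the point made in the comment above, as an added example that is not part of the original thread: it reads every file back out of a backup archive and compares it with a SHA-256 manifest recorded at backup time. The names `make_backup`, `restore_drill`, `restorable` and the sample files are constructed for illustration, and the manifest is assumed to be stored apart from the backup it describes.

```python
import hashlib
import io
import tarfile

# Constructed sample data standing in for a mail server's files.
FILES = {
    "mail/alice/inbox.mbox": b"From alice@example.test\n\nhello\n",
    "mail/bob/inbox.mbox": b"From bob@example.test\n\nreport attached\n",
    "etc/postfix/main.cf": b"myhostname = mail.example.test\n",
}


def make_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Build a tar archive plus the SHA-256 manifest recorded at backup time."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_drill(archive: bytes, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Read every file back out of the archive and compare it with the manifest."""
    report = {"missing": [], "corrupt": [], "unexpected": [], "unreadable": []}
    seen = set()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                seen.add(member.name)
                if member.name not in manifest:
                    report["unexpected"].append(member.name)
                elif digest != manifest[member.name]:
                    report["corrupt"].append(member.name)
    except (tarfile.TarError, EOFError, OSError) as exc:
        # A truncated or damaged archive counts as a failed drill, not a crash.
        report["unreadable"].append(str(exc))
    report["missing"] = sorted(set(manifest) - seen)
    return report


def restorable(report: dict[str, list[str]]) -> bool:
    """A backup passes only if nothing is missing, altered, extra or unreadable."""
    return not any(report.values())
```

A drill like this only proves the archive matches what was recorded when the backup was taken; it says nothing about data that was already altered before that point.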
  4. Replication != Backup by bodog · · Score: 3, Insightful

    Looks like ZFS replication may have been their backup plan? https://www.vfemail.net/design...

  5. Re:No backup can be a feature by Aighearach · · Score: 3, Insightful

    It would seem more practical to just limit the stored backups to the last n copies, like you do with rotated log files.

    If it can only come back for two weeks or something, that is sufficient for most use cases.

  6. Re:Sounds like a cleanup operation by Anonymous Coward · · Score: 2, Insightful

    If you're in a tight enough spot that you need to contact some hackers to annihilate an email company then you also probably don't have the time to wait around while they figure out if they can even get into that email company to do the job.

    So:
    1. They were already in and held the sword of Damocles over this company's head for a long time without them even knowing it just waiting for someone to fork over enough money to make it worth their while to let the sword fall
    or
    2. They had help from an insider employee-- which would have had to be tunneled in way beforehand (which costs much more than simply leaving the backdoor of Damocles in place)
    or
    3. There were no hackers, it was done by people at the company itself (i.e. CEO trying to evade indictment for insider trading or something)
    or
    4. Some kind of psychopathic rehearsal for a real cyber war? (no skin off, say, the Chinese Communist Party's nose if some Western email company gets splattered)

    The real news here isn't that the company got whacked, but the whacking itself.
    What purpose?
    No ransom demand?
    Why wipe all the servers instead of simply continuing to harvest data from them?
    It's like a drug cartel nuking a city without warning. Cartels are in the business of making money. A glassed crater doesn't yield an income.
    So as the parent post points out: there's something going on here besides some mean ole hacker-dashery.