ProtonMail, a Swiss-based end-to-end email encryption service, has announced the name of one of the attackers involved in the DDoS attack against the company earlier this year. Due to the attack, the email service of ProtonMail stopped responding for a minute several times despite having adequate mitigation measures in place.
The identified hacker, a teenager George Duke-Cohan, has been arrested by the National Crime Agency, UK. The hacker admitted to being a member of a criminal group Apophis Squad. Duke-Cohan is known by his online nicknames “DoubleParallax,” “7R1D3N7,” and “Optcz1.” He was amongst the most “vocal” members of the group that made headlines in 2018 several times for a number of DDoS attacks launched against websites including KrebsOnSecurity and Protonmail.com.
It is also reported that the members of the group were actively using ProtonMail themselves yet they attacked the company’s servers multiple times and even criticized the security of the company on social media. The 19-year old attacker pleaded guilty at Luton Magistrates Court for three counts of making fake bomb threats to schools in the UK.
Our network has been under sustained attack this morning. We are working with our upstream providers to mitigate the attack. Emails are delayed but will not be lost. Thank you for your patience.
— ProtonMail (@ProtonMail) June 27, 2018
According to Andy Yen, the founder of ProtonMail, it isn’t yet clear why the Apophis Squad or Duke-Cohan attacked the encrypted email service provider since the group itself was using the service. Yen also revealed that the company suspected involvement of multiple threat actors in the recent attack.
“For DDoS specifically, we identified three separate threat actors this summer. We have names/addresses for two of them now, including obviously George from Apophis,” Yen stated.
Yen believes that ProtonMail is targeted because the company is known for having strong encryption service and is deemed a reliable name in the industry when it comes to security. Therefore, being able to attack ProtonMail successfully gives the hackers an unequivocal right to brag about their skills and technical proficiency.
“This subsequently allows these threat actors to sell their “services” for more money or gain notoriety. Apophis likely falls into this category as they also subsequently took down the FBI’s mail servers,” said Yen.
The hacker group Apophis Squad is heavily inspired by another group of hackers, the Lizard Squad. The Lizard Squad is known for more or less the same reasons for which Apophis Squad is now gaining popularity. Lizard Squad, in fact, offered a DDoS-for-hire service, made hoax bomb threats to airlines, and launched DDoS attacks against many websites.
Feds cant touch us. NCA cant touch us. KEK we the big bois running around the internet with our 1337 bootnet! Come catch us we are untouchable! Living on TOR nodes and Open DNS. Smoking that good stuff with our bois at radware.
— APOPHIS SQUAD (@apophissquadv2) July 18, 2018
Eventually, all the members of Lizard Squad were arrested and charged for carrying out cybercrimes. It is worth noting that the Apophis Squad also offered DDoS-for-Hire service and it is hosted on the same server that hosts many of the domains used by the Lizard Squad.
ProtonMail explained how the company managed to track the hacker.
“In this endeavor, we were assisted by a number of cybersecurity professionals who are also ProtonMail users….By sifting through the clues, we soon discovered that some members of the Apophis Squad were, in fact, ProtonMail users. This was soon confirmed by a number of law enforcement agencies that reached out to us. It seemed that in addition to attacking ProtonMail, Duke-Cohan and his accomplices were engaged in attacking government agencies in a number of countries.”
Duke-Cohan was tracked through the digital trail in the first week of August and was formally arrested later. He will be receiving more charges and might get extradited to the US.