Exchange attack attributed to known hacker group

Exchange attack attributed to known hacker group

A “known ransomware group” is behind an attack that Rackspace Technology Inc. forced to shut down part of the cloud computing company’s services 11 days ago.

In the first interviews since the attack was reported, company executives and an outside adviser working on the response said they expected their investigations to be completed this week and that they were still trying to recover customer data. This includes archived email, contacts and calendar items stored in Rackspace’s hosted Exchange system.

The company did not identify the attackers, disclose what they were after, or say whether Rackspace was paying a ransom to access the returned information.

“We’re not talking about the ‘who’ right now because we’re working with the FBI and because the investigation is ongoing,” said the adviser, who spoke on condition of anonymity. But he described it as “a criminal, financially motivated group – a known ransomware group.”


Rackspace’s reputation that took a hit in response to ransomware attack falls short of customer hopes

Also unclear is how the attackers gained access to Rackspace systems.

It hired Austin-based cybersecurity firm CrowdStrike to help with its response and determined that the breach was isolated to its hosting exchange business and no other products or customers were affected.

Karen O’Reilly-Smith, chief security officer, said the company’s internal investigation should be completed this week and that the FBI has been notified of the breach. The agency would not confirm or deny that it was investigating.

It is unknown whether Rackspace will close the hosted Exchange line of business, said Josh Prewitt, chief product officer. The business generates about $30 million in annual revenue, about 1 percent of Rackspace’s total annual revenue. For the past year, Prewitt said, the company has discussed eventually moving those customers to Microsoft 365, the Rackspace competitor’s service that customers were directed to during the outage.

“It’s still TBD,” Prewitt said of continuing the service. “Right now the main priority is how do we get customers’ data back into their hands?”

‘That’s What Matters’

Earlier in the outage, customers described spending hours on hold for customer service, difficulty understanding instructions to move to Microsoft 365 without support, and poor communication by Rackspace about the outage status. Some said they planned to cancel; some have filed class action lawsuits.

The response was slower than Rackspace wanted because it took time to train employees on how to help customers and “raise” staffing levels, Prewitt said. By Dec. 4, the company said more than 1,000 of its employees were working with customers, and a few days later said it had teamed up with Microsoft’s support team to help reduce long wait times.

Over the weekend, Rackspace said two-thirds of its customers were able to send and receive email again through Microsoft 365. By early Monday afternoon, Prewitt said, there was no line of customers waiting for help.

He declined to specify how many customers were affected.

“As long as it’s more than one, that’s what matters,” Prewitt said. “We continue to keep all of our support teams up and staffed so that we can reduce this hold time.”

Rackspace said it became aware of problems with its hosted Microsoft Exchange platform early on Dec. 2, when customers reported having problems sending and receiving emails. Many of those affected are small and medium-sized businesses that use Exchange for email, calendar, and contact functions.

Rackspace first said via a status update that it was investigating “connectivity and login issues.” Hours later, it said a “significant failure” had led it to shut down the system.

The company then told customers to move to Microsoft 365 — but all over again without archived email or other information.

“We made the decision that it was important to take care of our customers and to help our customers gain access to be able to send and receive email,” Prewitt said. “It was a no-brainer to say, ‘Hey, the right thing for customers is that we encourage them to move to Microsoft 365.’

Early on Dec. 6, Rackspace said it had determined that a ransomware attack caused the outage.

In such an attack, malicious software is used to deny access to computer systems or data until a ransom is paid. Attackers usually demand payment in the form of cryptocurrency in exchange for releasing the files and systems.

In general, victims of ransomware attacks are advised not to pay a ransom. The FBI says doing so could lead to more attacks and does not guarantee that data will be recovered.

Prewitt acknowledged Rackspace is cautious about what it shares with the media and shareholders about the attack.

“We don’t want to step back,” he said.


One of customers’ biggest concerns is accessing years of archived emails. Some customers also subscribe to the company’s email archiving service, Prewitt said, and have received instructions on how to retrieve those archives.

Another option being tried is to determine if customers access their email via a mobile app or a computer that stores local backup copies and, if so, show them how to export them. Rackspace is also working with affected customers to find out if they set up mailing rules, such as forwarding a copy of their emails to another account, that can be retrieved.

Prewitt estimated that more than three-quarters of customers now access their data through one of those channels.

“If they take out, we try all three and nothing works, then we work with customers to recover data as quickly as possible,” he said. “We don’t have a timeline on when that will happen.”

Prewitt rejected the notion advanced by some customers and former Rackspace employees since the attack became public that layoffs affected the company’s security or slowed its response to the attack. The company has about 7,000 employees, he said, which is more than when he joined nearly 13 years ago.

Other violations?

Some leaders in San Antonio’s tech community also claimed this is not the company’s first major cyber attack. O’Reilly-Smith responded by saying it “has not suffered any significant cyber breach” since she joined the company in June 2019.

Some incidents don’t rise to the level of being reported to regulators, the company’s outside counsel said. Rackspace, a publicly traded company, reported the attack on December 2 to the US Securities and Exchange Commission.

“Incidents happen all day, every day at every company. There isn’t a company that doesn’t have to deal with incidents on an ongoing basis,” he said. “There are some things that occur in an environment that will literally happen and affect no one. If you got into a place where everyone was reporting on this all the time, they would never stop.”

Why did Rackspace report this attack? The managers and adviser said it was because this one “had an operational impact and we had to go out immediately and tell our clients, help our clients move, assist the clients.”

Rackspace has insurance that covers cyberattacks and Prewitt said the financial hit from the attack is expected to be “very small.”

The company’s stock has taken a hit since the attack was reported. Rackspace shares closed Tuesday at $3.28, down more than 30 percent from Dec. 2, before the company acknowledged the attack.

[email protected]

Leave a Reply

Your email address will not be published. Required fields are marked *