A well-known US web hosting company has been found to be providing its services to more than 20 state-sponsored hacking groups, including those working for China, North Korea, and Russia.
Cybersecurity researchers from Halcyon reported a company called Cloudzy was either “knowingly or unwittingly” providing its servers for command-and-control functionality to well-known state-sponsored hacking collectives. Among its customers are APT10 (China), Kimsuky (North Korea), Turla, Nobelium, and FIN12 (Russia).
Other groups, the researchers further claim, include those working for Iran, Pakistan, Vietnam, and even Israel. An Israeli company named Candiru made its way on the list. It’s a firm selling smartphone spyware to governments and was, according to TechCrunch, blacklisted by the U.S. government in 2021 for activities that undermined the country’s national security.
Roughly half of all of Cloudzy’s servers were used for malicious work, the researchers added.
Deeper investigation also uncovered that Cloudzy’s management went to lengths to stay hidden. The company claims to work from New York City and is registered in Wyoming, however its support phone number leads to Las Vegas. Halcyon claims, with “high confidence”, that the people that set up Cloudzy only did it to create a front for AbrNOC, an Iranian cloud hosting company. Both firms have the same logo (albeit in different colors) and the employees listed on both websites are the same (both made up names, the researchers claim). The CEO of AbrNOC is apparently called Hannan Nozari, and his Twitter bio shows him as a founder both web hosting companies, it was said.
While TechCrunch’s journalists couldn’t get ahold of Nozari, Reuters allegedly did, and he told the agency Cloudzy wasn’t responsible for what its clients were doing and that the firm was doing “everything we can” to eliminate them. He added that only 2% of the company’s clients were malicious.
Analysis: Why does it matter?
To set up identity theft, or similar criminal campaigns, cybercriminals need infrastructure. They need servers to host malicious landing pages, and storage space to store and later analyze stolen data. Respectable web hosting agencies do not allow their customers to engage in malicious activities and have strict policies preventing users from creating malicious websites, landing pages, and more.
In this particular case, cybersecurity researchers stumbled upon a company that provided its services to two dozen nation-state actors. These are not your average cybercriminals. These groups count dozens of members (if not hundreds) and operate in a highly coordinated manner, usually for one goal – data harvesting and cyber espionage. State-sponsored threat actors are usually going after persons of high interest, such as politicians and diplomats, journalists, activists, scientists, and similar.
APT10, for example, was spotted back in 2019 exploiting the ZeroLogon vulnerability against companies in the industrial, automotive, pharmaceutical and engineering sectors, and located in Japan. Symantec, which discovered the campaign, found that the AP10 group employed a range of tools in the campaign, including network reconnaissance, credential theft, PowerShell scripts and RAR archiving. DLL side-loading was also used to inject a form of custom malware, dubbed ‘Backdoor.Hartip’.
In early June this year the FBI, together with a number of partner agencies, warned about Kimsuky impersonating journalists, academics, or other credible individuals, with the goal of enabling computer network exploitation against individuals employed by research centers, think tanks, academic institutions, and news media organizations. Turla, on the other hand, was recently dismantled by the FBI. It was said that it was stealing sensitive data from NATO for almost 20 years.
By disrupting their infrastructure, the researchers did two things – set the spies back significantly, and protected the privacy (and possibly even lives) of countless individuals. Furthermore, once law enforcement agencies seize the servers and see the contents stored there, they might get a better picture about these groups’ targets and goals.
This doesn’t mean the hackers were stopped – this is merely a setback. It won’t be long before they find a different service provider to abuse and host their malicious content on. But in any case, the discovery did stop them at least for a little while.
What have others said about the findings?
The news sent out ripples across the media, with multiple outlets reporting on the web hosting provider servicing criminals.
In its writeup, CSO Online stresses that Cloudzy allows its users to pay for the service in cryptocurrencies. While this is nothing new, and many privacy-oriented companies (VPN providers, for example) allow for the same thing, Cloudzy allows for payments to be made in Monero, which is a privacy coin. Monero is often used by cybercriminals because it’s extremely difficult to trace, and ransomware operators often demand that payment be made with this coin in particular.
If you want to learn more, make sure to check out our list of the best shared web hosting providers, as well as our guide for the best firewalls. You should also check out our guide for the best endpoint protection, as well as best VPNs right now.