Iranian internet service provider Cloudzy is allegedly providing infrastructure services to cybercriminals, including ransomware gangs, and at least 17 different state-backed hacking groups from China, Russia, Iran, North Korea, India, Pakistan and Vietnam, researchers at US-based cybersecurity firm Halcyon claim.
Although Cloudzy is registered in the United States, the researchers believe that it is operated out of Tehran, Iran, by an individual named Hannan Nozari, likely in violation of US sanctions on Iran.
Halcyon says that the company acts as a command-and-control provider (C2P), supplying attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services. The researchers estimate that between 40% and 60% of the servers hosted by Cloudzy appear to directly support malicious activity, including services rented to two previously unreported ransomware groups dubbed “Ghost Clown” and “Space Kook”, which use the BlackBasta and Royal ransomware strains, respectively.
The researchers say they identified more than two dozen different threat actors hosting command-and-control (C2) servers on Cloudzy infrastructure, including Chinese actors (PassCV, Operation Dragon Castling, APT10, BlackTech/Circuit Panda), Indian APTs (Bitter, Sidewinder), Iranian APTs (Elfin/APT33, Bohrium/RealDoll), North Korean hackers (BlueNoroff, Konni, Kimsuky), the Pakistani APT Transparent Tribe, Russian APTs (Nobelium, Turla), the Vietnamese Ocean Lotus/APT32, as well as Israeli spyware vendor Candiru and the cybercriminal groups TA505/TrickBot/EvilCorp/Wizard Spider, UNC2352 and FIN12.
At first glance, Cloudzy operates as a legitimate business, with Twitter and LinkedIn profiles. However, during the investigation, Halcyon identified a connection with the Iranian firm abrNOC, also allegedly founded by Hannan Nozari, who the company traced to Tehran.
The company said it also noticed a crossover between some Cloudzy employees and employees of abrNOC. It says that, in reality, Cloudzy exists only on paper and is staffed by abrNOC employees in Tehran.
Cloudzy CEO Hannan Nozari disputed Halcyon's assessment, saying that his firm couldn't be held responsible for its clients, of which he estimated only 2% were malicious.
Cloudzy released an official statement regarding the matter:
Cloudzy is deeply concerned, and surprised, by the allegations made by HalcyonAI in their recent publications.
First, Cloudzy wants to state unambiguously that we do not cater to nor welcome any malicious activity on our infrastructure.
Second, Cloudzy wants to re-emphasize that we comply with all applicable laws, including those related to export control.
Cloudzy is committed to promptly responding to, and remediating, reports of abuse that may occur on our infrastructure.
Cloudzy has numerous policies and technical controls to identify and prevent malicious activity as well as ongoing plans to augment these efforts. Abuse of our system is considered a breach of our policies and treated as such.
Cloudzy does not believe that the research is accurate, and it lacks the requisite substantiation and justification.
Further, it is imperative that we do not criminalize the provision of technology-neutral infrastructure, simply because there are malicious actors seeking to do harm.
Our infrastructure provides the ability for thousands of small, medium, and large businesses to conduct legitimate activities at a competitive price. It is imperative to address sensitive subjects such as cyber security with a focus on collaboration and without any ulterior motives. Creating an adversarial atmosphere is incompatible with achieving the common goal of ensuring a secure and safe digital environment.