Command-and-Control Providers (C2Ps) play a crucial role in facilitating ransomware attacks and state-sponsored APT operations, functioning as seemingly legitimate businesses while supporting threat actors. In one such case, the American internet hosting company Cloudzy is accused of enabling cybercrime, nation-state hackers, and a sanctioned spyware vendor.

Diving into details

An estimated 40% to 60% of the overall activity originating from Cloudzy is considered to be of malicious nature.
  • Halcyon's assessment reveals that Cloudzy is being utilized by various threat actors, including APT groups associated with the governments of China, Iran, North Korea, Russia, India, Pakistan, and Vietnam. 
  • Additionally, a sanctioned Israeli spyware vendor known for targeting civilians also employs Cloudzy's services. Criminal syndicates and ransomware affiliates, responsible for prominent cyber campaigns, are among the users of Cloudzy's platform as well.
  • Cloudzy functions as a C2P, offering hackers a convenient platform to launch attacks, obscure their online activities, and complicate attribution efforts. 
  • It accepts cryptocurrencies, providing anonymous access to its RDP Virtual Private Server (VPS) services.

Who operates Cloudzy?

  • Cloudzy is believed to be associated with abrNOC, a company located on Fatemi Square in Tehran. The blogs posted by Cloudzy are authored by individuals who either do not exist or are using fake names. 
  • Additionally, both companies' logos bear striking similarities, with Cloudzy's logo in purple and abrNOC's in blue, red, and green.
  • Halcyon confidently concluded that Cloudzy is highly likely to be a front for abrNOC, the actual hosting company operating from Iran.

Associated ransomware actors

  • Halcyon's analysis reveals connections between the ransomware operator "Space Kook" and an initial access broker called Exotic Lily, previously linked to Russian cybercrime group FIN12 and Conti ransomware. 
  • Cloudzy's malicious activity was associated with various state-aligned groups, including UNC2352, accused of Ryuk ransomware attacks on hospitals.

The bottom line

Cloudzy, as a C2P, is a key enabler for cybercrime and state-sponsored hacking operations. It operates under the guise of a legitimate company while supporting malicious activities. Mitigations include increased scrutiny and regulation of web infrastructure companies, enhanced tracking and attribution capabilities, and collaboration between cybersecurity researchers and law enforcement agencies to dismantle such networks effectively.
Cyware Publisher