Registered in Wyoming, but working from Tehran.
N2K, Aug 2, 2023

A company provides command-and-control services for ransomware gangs, and for nation-state APTs as well. It's nominally a Wyoming company, but in fact it's an Iranian operation.

Registered in Wyoming, but working from Tehran.

Researchers at Halcyon have published a report looking at command-and-control providers used by ransomware gangs. Specifically, the researchers point to the Cloudzy virtual private server (VPS) provider as “the common service provider supporting ransomware attacks and other cybercriminal endeavors.” Cloudzy is incorporated in the US, in the state of Wyoming, but the researchers believe the company “almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions.”

C2-as-a-service (and APTs are the customers).

Halcyon's researchers conclude, “Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.”

It's not bulletproof hosting, either. Bulletproof hosting providers at least profess a principled commitment to privacy, CyberScoop points out; Cloudzy has no such pretensions: "Cloudzy takes it a step further by appearing to be a normal company when it seems to be trying to hide its connections." Halcyon also notes that Cloudzy simply brushes off abuse complaints, something a legitimate provider is unlikely, to say the least, to do.

There's a commonality to criminal and state activity: they draw upon many of the same tools and use many of the same tactics, techniques, and procedures. Rosa Smothers, former CIA Cyber Threat Analyst and current SVP of Cyber Operations at KnowBe4, wrote, "This reminds me of the SolarWinds attack against US Federal and private sector infrastructure." (We note that this attack is often called "Sunburst," to distinguish it from the company, SolarWinds.) Smothers added, "The attack was widely attributed to Russia, who used US-based Amazon Web Services (AWS) as their Command and Control provider (C2P). In both cases, the provider couldn't possibly be expected to have eyes on these threat actors' activities, due to contractual privacy agreements with their customers as well as the use of encrypted data which prevents cloud service providers' insights into the customer interactions."

Tom Kellermann, SVP of cyber strategy at Contrast Security, wrote, “This is what the modern hosting provider for the dark web looks like. The dark web has a myriad of actors not all of which are pure cybercriminals. We must remember that the economy of scale of the dark web rivals that of Silicon Valley and it is comprised of cybercrime cartels who also manage the infrastructure that allows it to flourish. I hope the FBI disrupts and takes down this nefarious hosting provider.”