Hosting Provider Accused of Facilitating Nation-State Hacks

Researchers Allege Cloudzy Lacks Know-Your-Customer Safeguards, Operates From Iran
A little-known cloud infrastructure provider has been facilitating ransomware and nation-state attacks, reported cybersecurity firm Halcyon.

Hosting provider Cloudzy, formerly known as RouterHosting, bills itself as "your VPS hosting solutions in the clouds." A virtual private server provides customers with remote access to virtualized instances. Customers can pay not only with payment cards and PayPal but also with bitcoin, ethereum and monero.

A report by Texas-based cybersecurity firm Halcyon alleges that due to poor know-your-customer safeguards - or potentially just looking the other way - including by accepting payment via cryptocurrency, Cloudzy has been facilitating copious quantities of illicit online activity, comprising an estimated 40% to 60% of all its traffic.

The allegations, whether true or not, are a reminder that cybercrime doesn't operate in a vacuum. Rather, there's a burgeoning service and support ecosystem. Services include initial access brokers who provide on-demand access to victims, botnet owners who facilitate malware-laden phishing attacks, and repacking services that make malware tougher to spot. They also include ransomware-as-a-service operators who lease their code to business partners, the affiliates who use it to infect victims, and cryptocurrency money laundering services that help criminals - operating online or off - convert their ill-gotten gains into cash.

Cloudzy's Base of Operations

Online attackers require infrastructure for launching their attacks. Some make use of bulletproof service providers, which provide VPS and other types of hosting services in return for a promise, typically for a relatively high fee, that customers can do whatever they like.

Halcyon's report alleges that Cloudzy functionally operates in a similar manner, due to a lack of proper oversight, including allowing customers who pay in cryptocurrency to remain anonymous.

The researchers said Cloudzy's customers in recent years have included more than two dozen apparently malicious groups, including:

  • Nation-state hackers: Advanced persistent threat groups tied to China, India, Iran, North Korea, Pakistan, Russia and Vietnam;
  • Commercial spyware: Israeli spyware vendor Candiru, which was sanctioned by the Biden administration in November 2021 for allegedly supplying spyware to foreign governments for use in targeting officials, journalists, activists, academics, embassy workers and others;
  • Ransomware: "Ghost Clown" and "Space Kook," which are respectively affiliates of the Black Basta and Royal ransomware strains;
  • Cybercrime: Multiple other criminal syndicates.

Cloudzy says it is based in Cyprus and the U.S., and it lists its U.S. incorporation address as being in Wyoming, while technical support routes to Las Vegas.

Halcyon counters that the company "almost certainly" operates out of Tehran, Iran. An individual named Hannan Nozari is the self-described founder of both Cloudzy and Tehran-based abrNOC, which says on its website that it "started out with hosting and VPS services." Halcyon said many of the employees listed on Cloudzy's site appear to be fictitious, except for ones that also work for abrNOC. It surmises that abrNOC runs Cloudzy.

In an interview with Reuters, Nozari claimed he lived outside Iran - but wouldn't say where - and denied that half of the traffic handled by his site was malicious, saying it was more on the order of 2%. He also confirmed abrNOC runs some of Cloudzy's operations and said Cloudzy requires a U.S. business address to give it access to American IP addresses.

Nozari also claimed to not be intentionally supporting any type of cybercrime. "If you are a knife factory, are you responsible if someone misuses the knife? Trust me, I hate those criminals and we do everything we can to get rid of them," he told Reuters.

To help defenders protect themselves against attacks routed via Cloudzy, Halcyon has published a list of remote desktop protocol hostnames it traced to the hosting provider - Cloudzy provides RDP access to its VPS instances - and said that was how it had identified that over two dozen attack groups were using the service.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
