A command-and-control provider (C2P) called Cloudzy is alleged to have been supplying the bandwidth and technical infrastructure that multiple APT groups from China, Iran, North Korea, Russia, India, Pakistan and Vietnam used to conduct their operations, including ransomware attacks.
While Cloudzy claims to be an American-based company, Halcyon said in an Aug. 1 blog post that its researchers assessed that the C2P actually operates out of Tehran, Iran, possibly in violation of U.S. sanctions.
The researchers also said that the actors that have used Cloudzy include a sanctioned Israeli spyware vendor whose tools are known to target civilians, and several criminal syndicates and ransomware affiliates.
Readers who dive into the report will see a “Who’s Who” of APT groups, including APT10 from China, Kimsuky from North Korea, and Nobelium and Turla from Russia. Also named in the Halcyon report are two ransomware affiliates dubbed Ghost Clown and Space Kook, which use the Black Basta and Royal ransomware strains, respectively.
In a Reuters report, Cloudzy CEO Hannan Nozari disputed Halcyon’s allegations, saying his company can’t be held responsible for its clients, of which he estimated only 2% were actually malicious.
In an exchange over LinkedIn, Nozari told Reuters: “If you are a knife factory, are you responsible if someone misuses the knife? Trust me I hate those criminals and we do everything we can to get rid of them.”
The introduction of the C2P concept into the threat landscape continues a trend of reducing friction for attackers, explained Ian Todd, detection engineer at Critical Start. Todd said it offers threat actors of all technical levels and geographies an additional option for setting up, maintaining, and tearing down attack infrastructure anonymously and without the commitments that come with self-hosted operations. Todd said this class of service provider, when combined with ransomware-as-a-service and initial access brokers, enables a full suite of choices for malicious organizations that wish to engage in cybercrime or cyberespionage while limiting their exposure.
“The revelation that threat actors of all sizes, capabilities, and origins can and do use shared infrastructure from C2P providers could make attack attribution more difficult,” said Todd. “On the other hand, when a service provider like Cloudzy is identified, it can serve as a point of focus for defenders. The research lists a number of helpful indicators that could provide an outsized positive effect because hunting for or blocking them has the potential to prevent or alert on attacks from multiple unrelated groups.”
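Todd's point about provider-level indicators is one a hunt team can act on directly. The Python script below is an added example, not code from the Halcyon report, from Cloudzy or from the article: it checks outbound connections in a constructed Zeek-style conn log against a list of netblocks attributed to a hosting provider and groups the hits by netblock, so one indicator list surfaces traffic from several internal hosts at once. The netblocks are RFC 5737 documentation ranges standing in for a real indicator list (they are not Cloudzy's allocations), the log lines are constructed, and the `allowlist` parameter is an assumption of this example, included because a shared provider's ranges also carry legitimate tenants' traffic and a blanket block needs exemptions.

```python
"""Hunt a connection log for traffic to a provider's netblocks.

Added example, not from the Halcyon report or the article. Netblocks and
log lines are constructed placeholders.
"""
import ipaddress

# Hypothetical indicator list: netblocks attributed to a hosting provider.
# These are RFC 5737 documentation ranges, NOT any real provider's space.
PROVIDER_NETBLOCKS = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "203.0.113.64/26",
]

# Constructed Zeek-style conn log: ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1690000001.1 10.0.0.15 51234 192.0.2.45 443 tcp
1690000002.3 10.0.0.15 51235 93.184.216.34 443 tcp
1690000003.7 10.0.0.22 49000 198.51.100.200 443 tcp
1690000004.2 10.0.0.22 49001 198.51.100.77 8443 tcp
1690000005.9 10.0.0.31 40000 203.0.113.70 443 tcp
1690000006.0 10.0.0.31 40001 192.0.2.45 443 tcp
"""


def build_networks(cidrs):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def parse_conn_line(line):
    """Split one whitespace-separated conn record into a dict."""
    ts, src, sport, dst, dport, proto = line.split()
    return {
        "ts": float(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def match_netblock(addr, networks):
    """Return the first indicator netblock containing addr, or None."""
    for net in networks:
        if addr in net:
            return net
    return None


def hunt(log_text, cidrs, allowlist=()):
    """Return (src, dst, dport, netblock) for every connection into an
    indicator netblock, skipping destinations explicitly allowlisted.

    The allowlist is a hypothetical control for known-good tenants hosted
    in the same ranges; it is an assumption of this example.
    """
    networks = build_networks(cidrs)
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["dst"] in allowed:
            continue
        net = match_netblock(rec["dst"], networks)
        if net is not None:
            hits.append((rec["src"], rec["dst"], rec["dport"], net))
    return hits


def summarize(hits):
    """Group hits by indicator netblock: which internal hosts talked to
    which destination:port inside it. Several unrelated hosts hitting one
    provider range is the 'outsized' signal a shared C2P can give."""
    summary = {}
    for src, dst, dport, net in hits:
        entry = summary.setdefault(str(net), {"hosts": set(), "dests": set()})
        entry["hosts"].add(str(src))
        entry["dests"].add(f"{dst}:{dport}")
    return summary


if __name__ == "__main__":
    found = hunt(SAMPLE_CONN_LOG, PROVIDER_NETBLOCKS)
    for block, info in summarize(found).items():
        print(block, "hosts:", sorted(info["hosts"]), "dests:", sorted(info["dests"]))
```

Matching on netblocks rather than single IPs is deliberate: a C2P hands out addresses from its own allocations, so an indicator list at that granularity keeps catching new tenants after individual C2 servers are torn down. The cost is the false-positive exposure Nozari's "2%" remark points at, which is why the example exempts allowlisted destinations before flagging a hit.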
Joe Saunders, chief executive officer at RunSafe Security, added that Cloudzy and C2Ps prove economics work in favor of the attackers. Having access to anonymous infrastructure at a low price is one leg of the soft underbelly of cybersecurity, said Saunders.
“The other leg is the insidious set of memory-based vulnerabilities in code, allowing attackers to take control of systems and devices remotely,” said Saunders. “If we solve these issues, the cost of an attack goes way up for the bad actor and the successful attacks will go down.”