A little-known cloud company provided web hosting and internet services to more than two dozen different state-sponsored hacking groups and commercial spyware operators, according to researchers at cybersecurity company Halcyon.
In a report released on Tuesday, Halcyon said it had identified that the U.S.-registered company Cloudzy was “knowingly or unwittingly” acting as a command-and-control provider (C2P) to well-known state-sponsored hacking groups. C2Ps are internet providers that allow hackers to host virtual private servers and other anonymized services used by ransomware affiliates to carry out cyberattacks and extortion.
Halcyon said that the two-dozen groups that rely on Cloudzy include the China-backed espionage group APT10; North Korea-backed hackers Kimsuky; and Kremlin-backed groups Turla, Nobelium, and FIN12.
FIN12 was the subject of a joint FBI-CISA advisory in October 2020 after carrying out a spate of ransomware attacks targeting the U.S. healthcare industry. In its report, Halcyon said that Cloudzy — then doing business as Router Hosting — hosted at least 40 command and control servers used by FIN12 during its cyberattacks.
The list of groups facilitated by Cloudzy also includes hacking groups from Iran, Pakistan and Vietnam, along with Tel Aviv-based malware maker Candiru, which sells its phone-snooping spyware to government customers. Candiru was sanctioned by the U.S. government in 2021 for engaging in activities contrary to U.S. national security.
Halcyon says that about half of the total servers hosted by Cloudzy appear to be directly supporting malicious activity.
The cybersecurity firm concluded that although the cloud host is registered in the U.S., Halcyon says it has “high confidence” that the cloud host is as a cutout for AbrNOC, a cloud host that operates out of the Iranian capital of Tehran, which could put American customers in conflict with U.S. government sanctions.
Cloudzy, which claims to operate out of New York City, is registered in Wyoming, while a support phone number listed by the company is linked to a different address in Las Vegas. AbrNOC shares the same logo as Cloudzy, albeit in a different color, and also shares the same fictitiously named employees, according to Halcyon researchers. A man named Hannan Nozari is listed as abrNOC’s CEO and identifies himself as the founder of both web hosts companies in his Twitter bio, as well as a “Noob on the Internet.”
Nozari did not respond to messages sent by TechCrunch via LinkedIn and email, and TechCrunch was unable to reach anyone at Cloudzy via the number listed on the company’s website.
Reuters, which first reported the cybersecurity firm’s findings, said it had spoken to Nozari, who said that he was not responsible for his customers’ actions and that his company does “everything we can to get rid of them,” adding that he estimated only 2% of the company’s clients were malicious.
As noted by Halcyon, Cloudzy markets itself in a manner that “directly appeals not just to privacy enthusiasts, but also to threat actors.” The hosting provider only requires a working email address and an anonymous payment in cryptocurrency. Monero, a privacy coin favored by hackers, is supported.
The researchers also found that while Cloudzy’s website states that illegal activities are not allowed on its service and will result in immediate termination, a different section on its website says that if bad actors paid a nominal $250-100 fine, they might be able to continue to use their service.