A little-known American internet hosting company appears to be partially enabling a “wide range” of cybercrime, nation-state hackers and a sanctioned spyware vendor, researchers alleged Tuesday.
Additionally, the company known Cloudzy is “almost certainly a cutout” for a outfit operating in Tehran, according to an investigation by the cybersecurity firm Halcyon.
Halcyon’s analysis concludes that hosting company Cloudzy either knowingly or unwittingly provides a platform for illicit digital activity linked to China, Iran, North Korea, Russia, India, Pakistan and Vietnam. Furthermore, according to the researchers, Cloudzy’s infrastructure has been linked to Candiru, an Israeli spyware vendor sanctioned by the U.S. government in November 2021.
Cloudzy is one of an array of web infrastructure firms abused by criminals and state-backed hackers to carry out operations around the world, Halcyon noted. But unlike so-called bulletproof hosting providers, which claim to operate with a policy of customer anonymity out of a belief in privacy, Cloudzy takes it a step further by appearing to be a normal company when it seems to be trying to hide its connections, the research revealed.
Ransomware syndicates and state-aligned hacking operations take advantage of a robust ecosystem of malware developers, initial access brokers, cryptocurrency launderers, hosting providers and other entities to carry out their operations. According to Halcyon, Cloudzy is essentially a command-and-control provider (C2P), giving hackers a ready platform to launch attacks, obfuscate traffic and make attribution more difficult.
Cloudzy appears to be the work of abrNOC, according to Halcyon, a company with an address on Fatemi Square in Tehran. Its blogs are written by people who either don’t exist or are using fake names, Halcyon found. The headshot for one blog author named “Matt Schmitt,” for instance, is a stock image of a man standing in a server room. The two companies’ logos are nearly identical as well, with Cloudzy’s being one shade of purple while abrNOC’s is blue, red and green.
Halcyon concluded with “high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” the report read.
“Our report identified several areas of potential legal liability relating to the apparent operation of an Iranian business in the United States, which if substantiated would raise significant concerns in light of current sanctions requirements,” the report read, referring to federal regulations related to working with Iranian companies. Halcyon recommended that anyone doing business with Cloudzy “pause to consider the legal implications of their continued association with that company.”
Less than five minutes after CyberScoop sent an email to Cloudzy’s support email address, a message came back saying the query would not be accepted because it did not come from a recognized Cloudzy customer email address. Attempts to reach the company by phone Monday were unsuccessful; the line was busy each time.
Halcyon began investigating Cloudzy as it was looking into two previously unknown ransomware affiliates, who were using a third-party hosting service as part of their infrastructure, Jon Miller, Halcyon’s CEO and co-founder, told CyberScoop ahead of the report’s release.
“When we reached to the third party to let them know that their infrastructure was being abused,” Miller said, referring to Cloudzy, “they essentially brushed us off. That tipped us off that if they’re brushing off these types of abuse complaints, there’s probably a lot of abuse going on here.”
Cloudzy initially said it would suspend one of the accounts flagged by Halcyon, according to the report, “but then shortly reversed course,” referring Halcyon instead to one of a more than a dozen internet service providers that may be leasing IP space to Cloudzy.
Subsequent analysis of traffic related to Cloudzy — which operated as “RouterHosting” until 2022 — revealed that “at least 40% – 60% of activity leveraging Cloudzy services is malicious in nature,” according to the report.
Analysis of one of the ransomware operators — which Halcyon dubbed “Space Kook,” a reference to a Scooby Doo villain — showed connections to an initial access broker Google’s Threat Analysis Group dubbed Exotic Lily in a March 2022 report. Exotic Lily, in turn, had shown previous connections to a Russian financially-motivated cybercrime group known as FIN12, and the Conti ransomware group.
Analysis of malicious traffic leading back to Cloudzy showed what Halcyon described as “a staggering array of attack infrastructure which we, and others in the security community, recognized and associated with a wide range of threat actors.” The historic activity included hacking operations with ties to state-aligned groups in China, India, Iran, North Korea, Russia and Vietnam, the research showed. Some activity tied to a group tracked as UNC2352, which had been accused of attacking hospitals with Ryuk ransomware variant.
“C2Ps end up granting ransomware groups anonymous use of their infrastructure to launch attacks because, in the interest of privacy, they never bother to ask who their customers are,” the report read. “They are not required to. In this way, ransomware activity lines two sets of pockets – the criminals who deploy it and the service providers who turn a blind eye to them. In the case of Cloudzy, that blind eye missed a lot.”
Cloudzy, which claims to operate out of New York City, is registered in Wyoming under the name of a lawyer who provides registered agent services, while a support phone number is tied to an address in Las Vegas. A man named Hannan Nozari is listed as abrNOC’s CEO, and identifies himself as the founder of both companies in his Twitter bio, as well as an “Noob on the Internet,” a reference to being new and inexperienced online.
A message left for the attorney in Wyoming, as well as an email sent through the firm’s online portal, was not immediately returned. Nozari did not respond to a message sent via LinkedIn, but he told Reuters that he was not responsible for his customers’ actions and that his company does “everything we can to get rid of them.” Nozari also told Reuters that he estimated only 2% of his clients were malicious.
A statement provided by Cloudzy after publication said the company is “deeply concerned, and surprised, by the allegations made by HalcyonAI in their recent publications.” The company does “not cater to nor welcome any malicious activity” on its infrastructure, the statement read, and it complies with and follows all applicable laws.
“Cloudzy is committed to promptly responding to, and remediating, reports of abuse that may occur on our infrastructure,” the statement read.
“We recommend that Internet service providers learn a lesson from C2P Cloudzy and do a better job of knowing their customers,” Halcyon concluded. “For even if C2P Cloudzy had no knowledge of the high frequency and volume of the malicious traffic running through its leased infrastructure, significant damage was still done as a result of their policies. And the abuse of legitimate service providers will continue so long as ‘Internet noobs’ like Hassan Nozari allow criminals to act with impunity — all in the name of privacy.”
Updated, Aug. 14, 2023: This story has been updated to include comment from Cloudzy and a link to the statement posted to the company’s website.