Iranian Company Plays Host to Reams of Ransomware, APT Groups

Cloudzy is a command-and-control provider (C2P) to APT groups in Iran, North Korea, and Russia, according to Halcyon.

Cloudzy, purportedly an American company though one with deep roots in Iran, is alleged to be offering command-and-control services to more than 20 nation-state actors and top ransomware gangs.

According to recent research released by security vendor Halcyon, Cloudzy is a command-and-control provider (C2P) to advanced persistent threat (APT) groups tied to governmental entities in China, Iran, North Korea, Russia, India, Pakistan, and Vietnam.

Cloudzy With a Chance of Ransomware

Halcyon alleged that as much as 60% of Cloudzy's activity is malicious in nature, with the service provider accepting cryptocurrencies in exchange for anonymous use of its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services.

APT groups that use Cloudzy's services are related to Iran: APT 34, also known as Muddy Water and OilRig; APT 33, also known as Elfin; and the Bohrium/RealDoll group. Other Cloudzy customers are groups linked to ransomware attacks on hospitals and healthcare organizations, as well as spyware development and distribution.

Jon Miller, CEO and co-founder of Halcyon, says there is a usually a lot of KYC (know your customer) work done by ISPs, and major ISPs will do a lot of KYC and fraud detection. KYC is a series of guidelines and regulations in financial services that require professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with a customer.

Halcyon's report claimed that even if Cloudzy had no knowledge of the high frequency and volume of the malicious traffic running through its leased infrastructure, significant damage was still done as a result of its policies.

Miller says Halcyon contacted Cloudzy via email to inform them of how its infrastructure is being used in these attacks. "Essentially, they brushed us off and that made us curious," he says. "So we dug into Cloudzy because it showed that they were doing something untoward. Why would you brush that off?"

As Halcyon dug deeper into the company's information, it found separate business registrations in Wyoming, New York, and Nevada.

When examining the employees of Cloudzy, Halcyon was able to discover people who either worked in Tehran, or appeared to be completely fictitious. They identified eight employees, all of whom said on their social media profiles that they had attended Iranian universities. There was also crossover of Cloudzy employees with people who had the same names and job functions as employees of the Iranian company abrNOC.

Coincidental or not, both Cloudzy and abrNOC started serving customers in 2008; both companies offered hosting and VPS services at their launch.

Miller says an issue here is that Cloudzy is an Iranian company posing as a legitimate American business. He says that any actions that Cloudzy were to take would fall under a local law "and that would be an Iranian law, rather than American law."

What Is a C2P?

The report claims that in the interest of privacy, providers are not required to ask who their customers are, and rarely find out who is using their infrastructure and for what. Miller likened it to the taxi driver who drives the bank robber to the bank, and asking how liable the driver is for the crime committed.

Halcyon's report claims C2Ps enjoy a "liability loophole" that does not require them to ensure that their infrastructure isn't being used for illegal operations.