The cloud firm Cloudzy has come under scrutiny for its alleged support of advanced persistent threat (APT) operations.
In a new report published today, the Halcyon Research and Engineering Team said that Cloudzy, operating as a legitimate business, has been playing a pivotal role in facilitating cyber-criminal activities, including ransomware attacks.
According to Halcyon’s findings, Cloudzy’s platform appears to be abused for various attack campaigns, potentially without the company’s knowledge. Nevertheless, the firm reportedly serves as a crucial pillar in the attack apparatus used by some of the most sophisticated threat actors in the world.
“This is what the modern hosting provider for the dark web looks like. The dark web has a myriad of actors, not all of which are pure cyber-criminals,” explained Tom Kellermann, SVP of cyber strategy at Contrast Security.
“We must remember that the economy of scale of the dark web rivals that of Silicon Valley, and it is composed of cybercrime cartels who also manage the infrastructure that allows it to flourish. I hope the FBI disrupts and takes down this nefarious hosting provider.”
The Halcyon report identifies two previously undisclosed ransomware affiliates, Ghost Clown and Space Kook, using the BlackBasta and Royal ransomware strains, respectively.
These affiliates are traced back to Cloudzy, which operates under an American-based façade but, as per Halcyon’s evidence, is believed to be running its operations from Tehran, Iran, raising concerns of possible violations of US sanctions.
“This reminds me of the SolarWinds attack against US Federal and private sector infrastructure. The attack was widely attributed to Russia, who used US-based Amazon Web Services (AWS) as their command-and-control provider (C2P),” said Rosa Smothers, SVP of cyber operations at KnowBe4.
“In both cases, the provider couldn’t possibly be expected to have eyes on these threat actors’ activities due to contractual privacy agreements with their customers as well as the use of encrypted data, which prevents cloud service providers’ insights into the customer interactions.”
Regardless, the report reveals connections to at least 17 APT groups linked to various governments, including China, Iran, North Korea, Russia, India, Pakistan and Vietnam, along with a sanctioned Israeli spyware vendor known for targeting civilians.
The research urges readers to be vigilant and to use the indicators of compromise (IoCs) provided in the report to scrutinize their networks for any malicious activity tied to Cloudzy infrastructure.
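As an added illustration of the kind of check the report recommends (this is example code written for this article, not tooling from Halcyon or from the report), the script below matches DNS and proxy log lines against an IoC list. The domains and IP ranges it uses are constructed placeholders drawn from reserved documentation ranges; a real sweep would load the indicators published in the Halcyon report in their place. The log format (timestamp, source host, record kind, target) is an assumption chosen for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Placeholder indicators (constructed for this example). Replace these with the
# domains, IPs and networks published in the report before running a real sweep.
IOC_DOMAINS = {"ioc-domain.example", "c2.ioc-domain.example"}
IOC_IPS = {"198.51.100.7"}                                   # TEST-NET-2 address
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]        # TEST-NET-1 range


def domain_matches(hostname: str) -> bool:
    """True if hostname equals an IoC domain or is a subdomain of one.

    Matching on a dot boundary avoids false positives such as
    'notioc-domain.example' matching the IoC 'ioc-domain.example'.
    """
    host = hostname.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


def ip_matches(addr: str) -> bool:
    """True if addr is an IoC address or falls inside an IoC network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP literal (e.g. a hostname)
        return False
    return addr in IOC_IPS or any(ip in net for net in IOC_NETWORKS)


# Assumed log shape: "<timestamp> <source-host> <dns|proxy> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|proxy) (?P<target>\S+)$")


def host_from_url(url: str) -> str:
    """Extract the host part of a proxy log URL (scheme, port and path removed)."""
    netloc = url.split("://", 1)[-1].split("/", 1)[0]
    if netloc.startswith("["):                # bracketed IPv6 literal
        return netloc[1:netloc.index("]")]
    return netloc.split(":")[0]


def scan_logs(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, matched-host) for every line that hits an IoC.

    Malformed lines are skipped rather than aborting the sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target")
        host = host_from_url(target) if m.group("kind") == "proxy" else target
        if domain_matches(host) or ip_matches(host):
            hits.append((m.group("ts"), m.group("src"), host))
    return hits


# Constructed sample log lines covering the edge cases above.
SAMPLE_LOGS = [
    "2023-08-01T10:00:00Z 10.0.0.5 dns www.ioc-domain.example",      # subdomain hit
    "2023-08-01T10:00:01Z 10.0.0.5 dns notioc-domain.example",       # suffix-only, no hit
    "2023-08-01T10:00:02Z 10.0.0.9 proxy http://198.51.100.7:8080/u", # exact IP hit
    "2023-08-01T10:00:03Z 10.0.0.9 proxy https://192.0.2.44/beacon",  # CIDR hit
    "2023-08-01T10:00:04Z 10.0.0.12 dns example.org",                 # benign
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for ts, src, host in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {src} -> {host}")
```

A hit is only a lead: shared hosting means an IoC address can serve legitimate tenants too, so each match should be confirmed against the source host's expected behaviour before escalation.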
Infosecurity has reached out to Cloudzy for clarification. The company replied that, while its investigation is ongoing, it has no comments or statements to provide. Once its internal investigation is complete, Cloudzy said it intends to issue an announcement addressing the matter.
UPDATE: This article was updated on August 3, 2023, to reflect Cloudzy's reply to our initial message.