Researchers at cybersecurity startup Halcyon has unmasked an Iranian-run company providing command-and-control services to more than 20 hacking groups, including ransomware operators, spyware vendors, and state-sponsored APT actors.
The company, identified as Cloudzy, is registered in the United States, but Halcyon believes that it is operated out of Tehran, Iran by an individual named Hassan Nozari, likely in violation of US sanctions.
In a research note published on Tuesday, Halcyon said the ISP acts like a command-and-control provider (C2P) for various types of threat actors, advertises its services as protecting user anonymity, and does not appear to respond when malicious activity is brought to its attention.
The company said Cloudzy only requires a working email address for registration, never verifies the identity of customers, and accepts anonymous payment in cryptocurrencies. Although its terms and conditions prohibit the use of its services for illicit activities, Halycyon found that the cloud provider asks abusers to pay a nominal fee to continue operations.
Halcyon said it discovered that more than half of the servers hosted by Cloudzy appear to directly support malicious activities, mainly on infrastructure loaned from a dozen other ISPs.
“Our research assesses that Cloudzy’s RDP services, and nearly all malicious activity we identified were principally run from the IP space owned by other Internet service providers,” Halcyon said.
During a 90-day analysis of Cloudzy’s services, Halcyon discovered attack infrastructure associated with hacking groups tied to Chinese, Iranian, Indian, North Korean, Pakistani, Russian, and Vietnamese governments, by the sanctioned Israeli spyware vendor Candiru, and by cybercrime rings and ransomware groups.
The investigation revealed the existence of two previous unreported ransomware groups that rely on Cloudzy as a C2P — Ghost Clown (seen deploying Cobalt Strike implants and Conti and BlackBasta ransomware) and Space Kook (relies on Cobalt Strike and the Quantum Locker and Royal ransomware).
Halcyon also discovered that Cloudzy is a company registered in the United States, although it has no physical office in space in the country. Digging further, it identified a connection with the Iranian firm abrNOC, both allegedly founded by Hannan Nozari, who the company traced to Tehran, Iran.
The researchers identified eight other individuals who appear to be employed at Cloudzy but are in Iran, and discovered a crossover between some of them and employees of abrNOC.
The Halcyon investigation revealed that Cloudzy only exists on paper, with its so-called employees being the employees of abrNOC in Tehran. Some Cloudzy bloggers are either made up or employees of abrNOC.
“Halcyon therefore assessed with high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” the cybersecurity firm added.
Related: Ransomware Attacks on Industrial Organizations Doubled in Past Year
Related: Iranian Cyberspies Target US Think Tank With macOS Malware
Related: ‘Asylum Ambuscade’ Group Launch Cybercrime, Espionage Campaigns