CyberSecurity SEE

Iranian Company Facilitates Ransomware and APT Groups

Cloudzy, an alleged American company with roots in Iran, has been accused of providing command-and-control services to more than 20 nation-state actors and prominent ransomware gangs. In a recent report released by security vendor Halcyon, it was revealed that Cloudzy serves as a command-and-control provider (C2P) for advanced persistent threat (APT) groups associated with governmental entities in China, Iran, North Korea, Russia, India, Pakistan, and Vietnam.

According to Halcyon’s research, roughly 60% of the traffic on Cloudzy’s infrastructure is malicious. The provider accepts cryptocurrency as payment for Remote Desktop Protocol (RDP) Virtual Private Server (VPS) instances in exchange for anonymous use, which is what makes those instances attractive as command-and-control hosts. The APT groups that Halcyon ties to Cloudzy are mostly Iranian, including APT 34, listed here as Muddy Water and OilRig (note that MuddyWater is usually tracked as a separate Iranian group from OilRig); APT 33, also known as Elfin; and the Bohrium/RealDoll group. Other Cloudzy customers are linked to ransomware attacks on hospitals and healthcare organizations, and to spyware development and distribution.
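Because the C2 channel described above is an RDP session from a compromised host to an anonymously rented VPS, one check a SOC can run today is to flag outbound tcp/3389 from internal hosts to public addresses, and raise the severity when the destination sits in a hosting range the team has chosen to watch. The example below is added here and is not code from Halcyon or from the article; the log lines are constructed, and the watchlist CIDRs are placeholder documentation ranges, not Cloudzy’s real address space.

```python
"""Flag outbound RDP (tcp/3389) from internal hosts to external addresses.

Added illustration, not part of the Halcyon report or the article.
Sample logs are constructed; the watchlist CIDRs are placeholders (RFC 5737
documentation ranges), not any real provider's address space.
"""
import ipaddress
from typing import Dict, List, Optional

RDP_PORT = 3389

# Internal address space is defined explicitly (RFC 1918) rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical watchlist of hosting-provider ranges a SOC decides to track.
WATCHLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed firewall-style records: "ts src_ip src_port dst_ip dst_port proto action"
SAMPLE_LOGS = [
    "2023-08-01T10:00:01Z 10.1.2.3 51000 10.1.2.50 3389 tcp allow",     # internal -> internal, benign
    "2023-08-01T10:00:05Z 10.1.2.3 51001 203.0.113.7 3389 tcp allow",   # external, on the watchlist
    "2023-08-01T10:00:09Z 10.1.2.4 51002 192.0.2.9 3389 tcp allow",     # external, not on the watchlist
    "2023-08-01T10:00:12Z 10.1.2.4 51003 192.0.2.9 443 tcp allow",      # HTTPS, ignored
    "2023-08-01T10:00:15Z 10.1.2.5 51004 203.0.113.8 3389 udp allow",   # not tcp, ignored
    "this line is malformed",                                           # skipped, not crashed on
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one record; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
            "action": action,
        }
    except ValueError:
        return None


def is_internal(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def on_watchlist(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in WATCHLIST)


def find_outbound_rdp(lines: List[str]) -> List[Dict[str, str]]:
    """Return alerts for internal -> external tcp/3389 connections.

    Severity is "high" when the destination is in a watchlisted range and
    "medium" for any other external RDP destination.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != RDP_PORT:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal sources talking to external destinations
        alerts.append({
            "ts": rec["ts"],
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            "severity": "high" if on_watchlist(rec["dst"]) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_outbound_rdp(SAMPLE_LOGS):
        print(alert)
```

In a real deployment the watchlist would come from the team’s own threat intelligence rather than hard-coded literals, and medium-severity hits need an allowlist for legitimate outbound RDP (jump hosts, managed service providers) before they are worth paging on.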

Halcyon CEO and co-founder Jon Miller drew a comparison with the know-your-customer (KYC) requirements of the financial services industry: major internet service providers (ISPs) likewise run extensive KYC and fraud-detection checks on their customers, a step that Cloudzy’s anonymous, cryptocurrency-paid model skips. Cloudzy may well have had no knowledge of the malicious traffic crossing its infrastructure, but Halcyon’s report argues that significant damage still resulted from the company’s policies.

Halcyon attempted to raise awareness of how Cloudzy’s infrastructure was being exploited by contacting the company via email. However, Cloudzy reportedly brushed off the concerns, prompting further investigation. Halcyon discovered separate business registrations for Cloudzy in Wyoming, New York, and Nevada. Furthermore, the investigation into Cloudzy’s employees revealed individuals who either worked in Tehran or appeared to have fictitious identities. Eight employees were identified, all claiming to have attended Iranian universities. It was also found that there was overlap between Cloudzy employees and individuals occupying the same positions at the Iranian company abrNOC.

Interestingly, both Cloudzy and abrNOC started serving customers in 2008 and offered similar hosting and VPS services. This parallel raises suspicions about the true nature of Cloudzy, with Miller suggesting that the company presents itself as a legitimate American business while actually operating as an Iranian entity. Consequently, any actions taken by Cloudzy would likely fall under Iranian law rather than American law.

Halcyon’s report highlights the lack of responsibility placed on C2Ps regarding their customers’ activities. Providers are not required to inquire about their customers’ identities or the purposes for which they use the infrastructure. This creates a liability loophole akin to a taxi driver unknowingly driving a bank robber to a bank and subsequently being questioned about their responsibility for the crime committed.

The allegations against Cloudzy underscore the complex and evolving nature of cyber threats. As government-backed APT groups and ransomware gangs continue to exploit such command-and-control services, it is imperative for security vendors, researchers, and law enforcement agencies to collaborate and address these challenges effectively.
