Cloudzy Under Scrutiny for Alleged Support of APT Operations, Including Ransomware Attacks

Cloudzy, a cloud hosting provider that researchers say has deep roots in Iran, is under scrutiny for allegedly supplying infrastructure to advanced persistent threat (APT) operations [1] and to cyber-criminal activity, including ransomware attacks [1] [2] [7].

Description

Cloudzy, which researchers describe as a command-and-control provider (C2P) [2] [3], is alleged to have supplied the technical infrastructure that multiple APT groups from several countries used to run ransomware and other operations [3]. Although Cloudzy presents itself as a U.S.-based company [3], researchers believe it actually operates out of Tehran, Iran [1] [2] [3] [4] [5] [6] [7], which would put it in potential violation of U.S. sanctions [1] [2] [3] [5] [7]. Actors reported to use Cloudzy include a sanctioned Israeli spyware vendor [3], criminal syndicates [3] [4] and ransomware affiliates [1] [3] [7]. Cloudzy's CEO disputes the allegations, stating that only about 2% of the company's clients are malicious [3].

The emergence of C2Ps lowers the bar for threat actors to stand up and maintain attack infrastructure anonymously [3]. That makes attribution harder, but it also concentrates malicious traffic on a small set of providers, which gives defenders a useful point of focus for monitoring and blocking [3]. Cloudzy and similar C2Ps illustrate the economic advantage attackers enjoy: anonymous infrastructure at low cost [3]. Eliminating memory-safety vulnerabilities in code is cited as one way to raise attackers' costs and lower their success rate [3].
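The "point of focus for defenders" argument above implies a concrete check: enrich outbound flow or proxy logs with the address space of providers you are watching and surface internal hosts that talk to them. The following Python snippet is an added example written for this page; it is not code from the article, from Halcyon or from any cited report. The provider names, the CIDR prefixes (RFC 5737 / RFC 3849 documentation ranges) and the flow records are all constructed placeholders, not Cloudzy's real prefixes or real traffic.

```python
"""Flag network flows whose destination falls in a watchlisted hosting provider's
address space. Added example; every prefix and log line below is constructed."""
import ipaddress
from ipaddress import IPv4Network, IPv6Network
from typing import Dict, List, Optional, Tuple, Union

# Constructed watchlist, provider name -> announced prefixes. The CIDRs are
# documentation ranges used as placeholders; they are NOT Cloudzy's real prefixes.
# In production, export the ASN's prefixes from a BGP or WHOIS source and
# regenerate this table on a schedule so it tracks re-announcements.
WATCHLIST: Dict[str, List[str]] = {
    "c2p-provider-A": ["198.51.100.0/24", "2001:db8:c2::/48"],
    "c2p-provider-B": ["203.0.113.0/25"],
}

# Constructed flow records: timestamp, source IP, destination IP, destination port.
SAMPLE_FLOWS: List[str] = """\
2023-08-01T10:00:01Z 10.0.0.5 198.51.100.7 443
2023-08-01T10:00:02Z 10.0.0.5 192.0.2.44 443
2023-08-01T10:00:03Z 10.0.0.9 203.0.113.200 8443
2023-08-01T10:00:04Z 10.0.0.9 2001:db8:c2::1 443
malformed record
2023-08-01T10:00:05Z 10.0.0.9 203.0.113.10 22
""".splitlines()

Net = Tuple[Union[IPv4Network, IPv6Network], str]


def build_watchlist(raw: Dict[str, List[str]]) -> List[Net]:
    """Parse prefixes once; sort most-specific first so overlapping ranges
    resolve to the narrowest provider entry."""
    nets: List[Net] = []
    for provider, prefixes in raw.items():
        for p in prefixes:
            nets.append((ipaddress.ip_network(p, strict=False), provider))
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
    return nets


def lookup(ip_str: str, nets: List[Net]) -> Optional[str]:
    """Return the provider whose prefix contains ip_str, or None (also for garbage input)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, provider in nets:
        if ip.version == net.version and ip in net:
            return provider
    return None


def scan_flows(lines: List[str], nets: List[Net]) -> List[dict]:
    """Return one hit per flow whose destination sits in a watchlisted prefix."""
    hits: List[dict] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record: skip it rather than crash the pipeline
        ts, src, dst, dport = parts[:4]
        provider = lookup(dst, nets)
        if provider is not None:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": dport, "provider": provider})
    return hits


def hosts_by_hit_count(hits: List[dict]) -> Dict[str, int]:
    """Aggregate hits per internal source so the noisiest hosts surface first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


NETS = build_watchlist(WATCHLIST)

if __name__ == "__main__":
    for h in scan_flows(SAMPLE_FLOWS, NETS):
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} ({h["provider"]})')
    print(hosts_by_hit_count(scan_flows(SAMPLE_FLOWS, NETS)))
```

A destination-prefix match on its own is a triage signal, not proof of compromise: legitimate services are hosted on the same providers, so pair the hit list with beaconing-interval analysis or known-bad indicators before blocking, and keep the prefix table refreshed, since the whole point of a C2P is that its customers can move within its address space cheaply.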

Conclusion

The use of Cloudzy by a range of threat actors, including APT groups linked to the governments of China [4], Iran [1] [2] [3] [4] [5] [6] [7], North Korea [2] [4] [6] and Russia [4], highlights the need for defenders to monitor their networks for traffic to infrastructure associated with the company. That Cloudzy accepts cryptocurrency as payment and does not require customers to verify their real identity raises concerns about anonymity and misuse of its services. The alleged violation of U.S. sanctions by operating out of Tehran, Iran [1] [2] [3] [4] [5] [6] [7] further complicates the legal and regulatory picture around Cloudzy's activities. Going forward, organizations and governments need to address the economic advantage that C2P providers like Cloudzy give attackers, and put measures in place that raise the cost of attacks and lower their success rate.

References

[1] https://www.infosecurity-magazine.com/news/cloudzy-suspected-support-apt/
[2] https://www.darkreading.com/dr-global/iranian-company–host-ransomware-apt-groups
[3] https://www.scmagazine.com/news/cloudzy-delivers-cloud-services-to-multiple-apt-groups-researchers-say
[4] https://www.csoonline.com/article/648387/in-new-ransomware-model-cloud-provider-acts-as-front-for-bad-actors-report.html
[5] https://www.hackread.com/cloud-service-provider-cloudzy-ransomware-apts/
[6] https://securityboulevard.com/2023/08/cloud-providers-becoming-key-players-in-ransomware-halcyon-warns/
[7] https://cybersecurity-see.com/cloud-firm-investigated-for-alleged-support-of-apt-operations/