An obscure cloud service company has been providing state-sponsored hackers with internet services to spy on and extort their victims, a cybersecurity firm said in a report to be published on Tuesday.
Researchers at Texas-based Halcyon said a company called Cloudzy had been leasing server space and reselling it to no fewer than 17 different state-sponsored hacking groups from China, Russia, Iran, North Korea, India, Pakistan, and Vietnam.
Cloudzy CEO Hannan Nozari disputed Halcyon’s assessment, saying that his firm couldn’t be held responsible for its clients, of which he estimated only 2 percent were malicious.
In an exchange over LinkedIn, Mr. Nozari told Reuters: “If you are a knife factory, are you responsible if someone misuses the knife? Trust me I hate those criminals and we do everything we can to get rid of them.”
Digital defenders say the case is an example of how hackers and ransomware gangs use small firms operating at the fringes of cyberspace to enable big hacks.
Halcyon estimated that roughly half of Cloudzy’s business was malicious, including renting services to two ransomware groups.
“It’s a rogues’ gallery on that through one provider,” said Halcyon executive Ryan Golden ahead of the report’s publication.
Halcyon arrived at its conclusion by mapping out Cloudzy’s digital footprint, in part by renting servers directly from the firm and by tying it to known hacking operations.
The cybersecurity firm CrowdStrike, which wasn’t involved in the research, said that it hadn’t seen state-sponsored hackers using Cloudzy. But it had seen other cybercriminal activity connected to it.
Cloudzy’s geographic base of operations is unclear.
Halcyon researchers analyzed Cloudzy’s employees’ social media, including LinkedIn and Facebook postings, and found the firm is “almost certainly” a front for another internet hosting company called abrNOC, which Mr. Nozari runs from Tehran.
Mr. Nozari, who says he lives outside Iran but would not be more specific, told Reuters the companies are separate, although he acknowledged that abrNOC employees helped with Cloudzy’s operations. He didn’t provide details.
Cloudzy is registered under its previous name, RouterHosting, in Cyprus and the U.S. state of Wyoming, according to corporate records reviewed by Reuters and confirmed by Mr. Nozari. He said the company needed U.S. domicile to be able to register internet protocol addresses in America.
It’s not clear whether Mr. Nozari’s registered agent—CloudPeak Law, a Wyoming law firm based in the small city of Sheridan—was aware of the allegations against its client.
A woman who answered at CloudPeak Law’s office confirmed that her firm was RouterHosting’s agent but said that, due to client confidentiality, “that is the extent of what anyone in our firm is going to be able to tell you.” The firm didn’t respond to a follow-up email.
Cloudzy’s business model is typical of several small virtual private server providers that rent internet hosting services in exchange for cryptocurrency, no questions-asked, said Adam Meyers, an executive with CrowdStrike.
“There’s a whole ecosystem of ne’er-do-well kind of folks who are in this business,” he said.
