A virtual server company apparently based in the US has been accused of hosting infrastructure for more than a dozen ransomware and nation-state hacking groups.

First reported by Reuters, researchers at Texas-based Halcyon said a company called Cloudzy had been leasing server space and reselling it to no fewer than 17 different state-sponsored hacking groups from China, Russia, Iran, North Korea, India, Pakistan, and Vietnam.

In the report Cloudzy with a Chance of Ransomware, Halcyon described Cloudzy as a new part of the ransomware supply chain; the Command-and-Control Providers (C2P) who – “knowingly or not” - provide services to attackers while assuming a legitimate business profile. C2Ps could be an alternative to bulletproof hosting services, which offer hosting in jurisdictions lenient towards cybercrime, especially those targeting other nations.

“Cloudzy - which accepts cryptocurrencies in exchange for anonymous use of its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services – appears to be the common service provider supporting ransomware attacks and other cybercriminal endeavors,” the cybersecurity company said.

Founded in 2008, Cloudzy reportedly offers services from 15 data centers globally including from facilities in the US, UK, Germany, Netherlands, and Singapore.

Halcyon said it had observed “a pattern of consistent use or abuse of Cloudzy servers by more than two dozen different threat actors over several years.”

Threat actors reportedly found to have used Cloudzy infrastructure include Israeli commercial spyware vendor Candiru, Iranian state-affiliated groups Oilrig/APT34 and Elfin/APT33, North Korea-linked Cagey Chameleon/BlueNorof and Kimsuky, Russia-linked Nobelium/APT29 and Turla, China-affiliated APT10 and several ransomware groups.

Halcyon also noted that although Cloudzy (previously known as Router Hosting) is incorporated in the United States, it is “almost certainly” a front for another Internet hosting company called abrNOC, which operates out of Tehran, Iran – in possible violation of US sanctions.

Speaking to Reuters, Cloudzy CEO Hannan Nozari disputed Halcyon’s assessment, saying that his firm couldn’t be held responsible for its clients, of which he estimated only two percent were malicious, compared to Halcyon’s estimated 40-60 percent.

“If you are a knife factory, are you responsible if someone misuses the knife? Trust me I hate those criminals and we do everything we can to get rid of them,” he said.

Nozari said Cloudzy and abrNOC are separate companies, although he acknowledged that abrNOC employees helped with Cloudzy’s operations.

“We recommend that all US entities or people doing business, wittingly or not, with C2P Cloudzy / Router Hosting, including Cloud Peak Law and ARIN, pause to consider the potential legal implications of their continued association with that company,” Halcyon said.

In 2021 it was reported that an Iranian malware campaign attacking targets across the world was being hosted out of Dutch data centers. A C2 server for the Foudre spyware was discovered in the Netherlands by BitDefender. The server was being hosted by American hosting company Monstermeg, which provides services out of Evoswitch’s AMS1 Amsterdam data center in Haarlem.

Update: In reply to Halcyon's report, Cloudzy provided the following statement:

Cloudzy is deeply concerned, and surprised, by the allegations made by HalcyonAI in their recent publications. Cloudzy does not believe that the research is accurate, and it lacks the requisite substantiation and justification.

First, Cloudzy wants to state unambiguously that we do not cater to nor welcome any malicious activity on our infrastructure. Second, Cloudzy wants to re-emphasize that we comply with all applicable laws, including those related to export control.

Cloudzy is committed to promptly responding to, and remediating, reports of abuse that may occur on our infrastructure. Cloudzy has numerous policies and technical controls to identify and prevent malicious activity as well as ongoing plans to augment these efforts. Abuse of our system is considered a breach of our policies and treated as such.

Further, it is imperative that we do not criminalize the provision of technology-neutral infrastructure, simply because there are malicious actors seeking to do harm.

Our infrastructure provides the ability for thousands of small, medium, and large businesses to conduct legitimate activities at a competitive price.it is imperative to address sensitive subjects such as cyber security with a focus on collaboration and without any ulterior motives. Creating an adversarial atmosphere is incompatible with achieving the common goal of ensuring a secure and safe digital environment.