Giant Datacenter Fire Takes Down Government Hacking Infrastructure

A fire at a European datacenter has had some impact on the infrastructure used by several government and criminal hacking groups, according to Kaspersky Lab.

Mar 10 2021, 6:39pm

On Wednesday, a massive fire destroyed a datacenter and caused damage in other server buildings owned by OVHCloud, the largest European cloud service provider. The blaze has impacted several of the company's customers—including hackers. 

According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, there are 140 OVH servers used by government hackers and sophisticated criminal groups that he and his colleagues track. Of those, 36% are now down, he said in a post on Twitter.


Raiu said that several government hacking groups were impacted, such as Charming Kitten and APT39, both believed to be linked to Iran; Bahamut, a hacking-for-hire group out of India; and OceanLotus, a group of Vietnamese hackers who recently used fake news websites to hack targets.

Hacking groups often use commercial hosting providers such as OVHCloud to host their command and control servers, also called C&Cs or C2s in cybersecurity jargon. These are the servers that attackers use to control their malware and to receive data stolen from victims. The fact that a fire in a server farm in France can impact the operations of hacking groups in Iran or Vietnam is a good reminder that while hackers operate online, they still depend on physical hardware in the real world. The fire at the OVHCloud datacenter also affected the popular crafting and survival game Rust.

In any case, Raiu told Motherboard that the impact on the hackers' operations is likely "minimal."

"Most [Advanced Persistent Threats] and sophisticated crime groups run dozens of C2 servers. Obviously, nobody hosts all their C2s in the same place," Raiu said in an online chat. "APT groups generally have 2-3 C2s configured in each malware in order to mitigate risks such as takedowns or crashes." 


The fire, though, shows how things we often think of as "cyber" have very real physical infrastructure that can be attacked, impacted by disasters, or otherwise messed with.

Matthieu Faou, a researcher from cybersecurity company ESET, said he could not confirm Raiu's findings. But "it is clear that [OVHCloud] is a hoster regularly used by many APT groups."

"I wouldn't be surprised that it took down some C&C servers," Faou said in an online chat.
