Giant Datacenter Fire Takes Down Government Hacking Infrastructure

A fire at a European datacenter has had some impact on the infrastructure used by several government and criminal hacking groups, according to Kaspersky Lab.

On Wednesday, a massive fire destroyed a datacenter and caused damage in other server buildings owned by OVHCloud, the largest European cloud service provider. The blaze has impacted several of the company's customers—including hackers. 

According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, there are 140 OVH servers used by government hackers and sophisticated criminal groups that he and his colleagues track. Of those, 36% are now down, he said in a post on Twitter.


Raiu said that there are several government hacking groups impacted, such as Charming Kitten and APT39, both believed to be linked to Iran; Bahamut, a hacking-for-hire group out of India; and OceanLotus, a group of Vietnamese hackers who recently used fake news websites to hack targets.

Hacking groups often use commercial hosting providers such as OVHCloud to host their command and control servers, also called C&Cs or C2s in cybersecurity jargon. These are servers that hackers use to control their malware or send stolen data from victims. The fact that a fire in a server farm in France can impact the operations of hacking groups in Iran or Vietnam is a good reminder that while hackers operate online, they still depend on physical hardware in the real world. The fire at the OVHCloud datacenter also affected the popular crafting and survival game Rust.

In any case, Raiu told Motherboard that the impact on the hackers' operation is likely "minimal."

"Most [Advanced Persistent Threats] and sophisticated crime groups run dozens of C2 servers. Obviously, nobody hosts all their C2s in the same place," Raiu said in an online chat. "APT groups generally have 2-3 C2s configured in each malware in order to mitigate risks such as takedowns or crashes." 

The fire, though, shows how things we often think of as "cyber" have very real physical infrastructure that can be attacked, impacted by disasters, or otherwise messed with.

Matthieu Faou, a researcher from cybersecurity company ESET, said he could not confirm Raiu's findings. But "it is clear that [OVHCloud] is a hoster regularly used by many APTs groups." 

"I wouldn't be surprised that it took down some C&C servers," Faou said in an online chat.
