On Wednesday, a massive fire destroyed a datacenter and caused damage in other server buildings owned by OVHCloud, the largest European cloud service provider. The blaze has impacted several of the company's customers—including hackers.
According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, there are 140 OVH servers used by government hackers and sophisticated criminal groups that he and his colleagues track. Of those, 36% are now down, he said in a post on Twitter.
Raiu said that there are several government hacking groups impacted, such as Charming Kitten and APT39, both believed to be linked to Iran; Bahamut, a hacking-for-hire group out of India; and OceanLotus, a group of Vietnamese hackers who recently used fake news websites to hack targets.
Hacking groups often use commercial hosting providers such as OVHCloud to host their command and control servers, also called C&Cs or C2s in cybersecurity jargon. These are servers that hackers use to control their malware or send stolen data from victims. The fact that a fire in a server farm in France can impact the operations of hacking groups in Iran or Vietnam is a good reminder that while hackers operate online, they still depend on physical hardware in the real world. The fire at the OVHCloud datacenter also affected the the popular crafting and survival game Rust.
In any case, Raiu told Motherboard that the impact on the hackers' operation is likely "minimal."
"Most [Advanced Persistent Threats] and sophisticated crime groups run dozens of C2 servers. Obviously, nobody hosts all their C2s in the same place," Raiu said in an online chat. "APT groups generally have 2-3 C2s configured in each malware in order to mitigate risks such as takedowns or crashes."
The fire, though, shows how things we often think of as "cyber" have very real physical infrastructure that can be attacked, impacted by disasters, or otherwise messed with.
Matthieu Faou, a researcher from cybersecurity company ESET, said he could not confirm Raiu's findings. But "it is clear that [OVHCloud] is a hoster regularly used by many APTs groups."
"I wouldn't be surprised that it took down some C&C servers," Faou said in an online chat.
Subscribe to our cybersecurity podcast CYBER, here.