A Russian-speaking group is advertising “bulletproof” hosting for cybercriminals from data centres in Syria and Lebanon, an apparent effort to place new services in locales where Western law enforcement has little influence.
The advertisement, for a service called “WebHost,” was found on a members-only forum called “Korovka.name,” according to IntelCrawler, a Los Angeles-based security startup that specialises in profiling the cybercriminal underworld and malicious networks.
Since most ISPs (Internet service providers) diligently monitor their networks for malicious activity, some cybercriminals look for so-called bulletproof hosting, or network connectivity from entities that ignore law enforcement and security companies.
The data centre in Lebanon was set up two years ago, and the one in Syria came online some time during the country’s civil war.
“These countries have negative relations with Europe,” said Andrey Komarov, IntelCrawler’s CEO, via email. “That’s why it is a great platform for bulletproof hosting.”
Over the past few years, cooperation among nations, law enforcement and ISPs has dramatically improved, in part because of the Convention on Cybercrime treaty, which lays down guidelines for laws and procedures for dealing with cross-border Internet crime.
Countries that conform to the treaty have uniform anti-cybercrime laws and law enforcement contacts available around the clock for fast-breaking investigations, among other requirements. But not all countries abide by the treaty, which can make shutting down budding cybercrime activities difficult in certain regions.
WebHost is offering hardware configuration services on dedicated servers, with a setup time ranging from two to five days. It also offers registration of a subnet of IP addresses, IntelCrawler said. The group says it can offer bulletproof hosting in 25 countries, starting from US$80. Though the time offered for that price wasn’t clear, most web hosting companies charge per month.
But bulletproof hosting has become more tricky to run. Those running networks must connect with other ISPs in order to maintain their connectivity to the Internet. The “peering” arrangements allow small networks to exchange traffic with larger telecommunication providers.
In a famous action in 2008, a U.S.-based ISP, McColo, was cut off from the Internet by its upstream providers. Hurricane Electric and Global Crossing stopped carrying McColo’s Internet traffic after it was suspected of aiding cybercriminals in online scams and hosting child pornography.
The Syrian data centre appears to be peering with Syrian Telecommunications Establishment (STE), the country’s state telecommunications operator, Komarov said. Last year, STE’s network was used to host a remote access tool called “DarkComet,” which is believed to have been used by the Syrian government to spy on political activists.
IntelCrawler doesn’t know yet the IP address range that the centre is using, because it appears that information is only revealed to customers. The data centre also can’t yet be linked to any ongoing malware campaigns, Komarov said.
Syria’s Internet connectivity has been unstable for more than two years since the civil war began. The network monitoring company Renesys has chronicled frequent network changes that at times have left parts of the country in the dark.
So it is perhaps not surprising that cybercriminals see an opportunity in the chaos, but spotty connectivity isn’t a great selling point, either.
On Monday, most of Syria’s Internet was down, said Doug Madory, senior analyst at Renesys.