The US, Australia, and the UK on Wednesday announced sanctions against two Russian bulletproof hosting (BPH) service providers and their sister entities and leadership members.
The US Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned Media Land, a Russian company that has allegedly supported ransomware groups such as LockBit, BlackSuit, and Play.
The BPH service provider, OFAC says, has also supported criminal marketplaces, and has provided infrastructure for multiple distributed denial-of-service (DDoS) attacks targeting US critical infrastructure and other organizations.
In conjunction with Media Land, threat actors have been using infrastructure provided by its sister company ML Cloud for similar cybercriminal activities, OFAC says.
The office also sanctioned Media Land subsidiaries Media Land Technology (MLT) and Data Center Kirishi (DC Kirishi); Media Land’s general director, Aleksandr Volosovik; Kirill Zatolokin, a Media Land employee; and Yulia Pankova, who has assisted Volosovik with legal issues and has handled his finances.
Volosovik, OFAC says, has advertised BPH services on cybercrime forums using the alias Yalishanda and has provided infrastructure and troubleshooting for ransomware and DDoS attackers.
Zatolokin, it says, collects payments and coordinates with threat actors, and assists Volosovik in managing Media Land’s operations.
On Wednesday, the US and the UK also announced sanctions against Hypercore Ltd., a company registered in the UK that functions as a front for Aeza Group, a BPH service provider sanctioned earlier this year.
Additionally, they designated Maksim Vladimirovich Makarov, the new director of Aeza, who was involved in the company’s attempt to evade sanctions, and Ilya Vladislavovich Zakirov, who helped hide Aeza’s activity through newly established companies and payment methods.
Aeza, the US and UK say, is relying on Smart Digital Ideas DOO and Datavice MCHJ, which are registered in Serbia and Uzbekistan, to evade sanctions.
On Wednesday, Australia announced financial penalties and travel bans against Volosovik, Zatolokin, Media Land, and ML.Cloud, noting that they provided infrastructure used in DDoS, malware, and LockBit, BlackSuit, and Cl0p ransomware attacks against Australian organizations.
Additionally, government agencies in the Five Eyes countries and the Netherlands issued a joint advisory on BPH service providers and how organizations can mitigate the risks they pose.
The agencies recommend that ISPs and network defenders dynamically filter ASNs, IP ranges, and individual IP addresses to prevent compromise from cyber activities enabled by BPH service providers.
In this regard, a curated list of malicious internet resources, traffic analysis that supplements the list, automated and regular reviews of the list, event logging configurations that leverage the list, threat intelligence sharing, and the use of providers that follow Secure by Design principles are essential for mitigating risks.
ISPs are also encouraged to notify customers of the malicious internet resource lists and associated filters, create filters that can be used by their customers, collaborate with industry peers, and implement internet routing security best practices.
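As an added illustration (not taken from the advisory or the article), the sketch below shows one way a network defender could apply a curated list that mixes ASNs, IP ranges, and individual addresses to event logs, while flagging list entries that are overdue for review. The list entries, the prefix-to-ASN table, the log format, and the 90-day review window are all constructed assumptions; the addresses and ASNs come from the ranges reserved for documentation.

```python
import ipaddress
from datetime import date

# Constructed curated list: one ASN, one IP range, one single address,
# each with the date it was last reviewed.
BLOCKLIST = [
    {"kind": "asn", "value": 64500, "reviewed": date(2025, 11, 1)},
    {"kind": "cidr", "value": "198.51.100.0/24", "reviewed": date(2025, 3, 1)},
    {"kind": "ip", "value": "203.0.113.7", "reviewed": date(2025, 10, 20)},
]
# Constructed prefix-to-origin-ASN table (assumed to be fed from routing data).
PREFIX_TO_ASN = {"192.0.2.0/24": 64500, "203.0.113.0/24": 64501}

def origin_asn(ip):
    # Longest-prefix match of an address against the routing table.
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def match_entries(ip_text, today, max_age_days=90):
    """Return (kind, value, stale) for every list entry covering the address."""
    ip = ipaddress.ip_address(ip_text)
    hits = []
    for entry in BLOCKLIST:
        if entry["kind"] == "asn":
            hit = origin_asn(ip) == entry["value"]
        else:  # "cidr" and "ip" both parse as networks (a bare IP becomes a /32)
            hit = ip in ipaddress.ip_network(entry["value"])
        if hit:
            stale = (today - entry["reviewed"]).days > max_age_days
            hits.append((entry["kind"], str(entry["value"]), stale))
    return hits

def scan(log_lines, today):
    """Turn key=value log lines into events for sources that match the list."""
    events = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        for kind, value, stale in match_entries(fields["src"], today):
            events.append({"ts": fields["ts"], "src": fields["src"],
                           "matched": f"{kind}:{value}", "stale_entry": stale})
    return events

SAMPLE_LOG = [  # constructed log lines
    "ts=2025-11-20T10:00:01Z src=192.0.2.44 dst=10.0.0.5 dport=443",
    "ts=2025-11-20T10:00:02Z src=198.51.100.9 dst=10.0.0.5 dport=22",
    "ts=2025-11-20T10:00:03Z src=203.0.113.7 dst=10.0.0.8 dport=3389",
    "ts=2025-11-20T10:00:04Z src=203.0.113.99 dst=10.0.0.8 dport=443",
]
```

A match on an entry marked stale is still reported, so the event both records the traffic and prompts a review of the list entry that produced it.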

