Russian-speaking group offers bulletproof hosting in Syria, Lebanon

Those supplying services to cybercriminals are looking for places where they won't be shut down, a security company says

A banner advertisement from a Russian-speaking group offering bulletproof hosting services from countries such as Lebanon.

A banner advertisement from a Russian-speaking group offering bulletproof hosting services from countries such as Lebanon.

A Russian-speaking group is advertising "bulletproof" hosting for cybercriminals from data centers in Syria and Lebanon, an apparent effort to place new services in locales where Western law enforcement has little influence.

The advertisement, for a service called "WebHost," was found on a members-only forum called "," according to IntelCrawler, a Los Angeles-based security startup that specializes in profiling the cybercriminal underworld and malicious networks.

Since most ISPs (Internet service providers) diligently monitor their networks for malicious activity, some cybercriminals look for so-called bulletproof hosting, or network connectivity from entities that ignore law enforcement and security companies.

The data center in Lebanon was set up two years ago, and the one in Syria came online some time during the country's chaotic civil war.

"These countries have negative relations with Europe," said Andrey Komarov, IntelCrawler's CEO, via email. "That's why it is a great platform for bulletproof hosting."

Over the past few years, cooperation among nations, law enforcement and ISPs has dramatically improved, in part because of the Convention on Cybercrime treaty, which lays down guidelines for laws and procedures for dealing with cross-border Internet crime.

Countries that conform to the treaty have uniform anti-cybercrime laws and law enforcement contacts available around the clock for fast-breaking investigations, among other requirements. But not all countries abide by the treaty, which can make shutting down budding cybercrime activities difficult in certain regions.

WebHost is offering hardware configuration services on dedicated servers, with a setup time ranging from two to five days. It also offers registration of a subnet of IP addresses, IntelCrawler said. The group says it can offer bulletproof hosting in 25 countries, starting from US$80. Though the time offered for that price wasn't clear, most Web hosting companies charge per month.

But bulletproof hosting has become more tricky to run. Those running networks must connect with other ISPs in order to maintain their connectivity to the Internet. The "peering" arrangements allow small networks to exchange traffic with larger telecommunication providers.

In a famous action in 2008, a U.S.-based ISP, McColo, was cut off from the Internet by its upstream providers. Hurricane Electric and Global Crossing stopped carrying McColo's Internet traffic after it was suspected of aiding cybercriminals in online scams and hosting child pornography.

The Syrian data center appears to be peering with Syrian Telecommunications Establishment (STE), the country's state telecommunications operator, Komarov said. Last year, STE's network was used to host a remote access tool called "DarkComet," which is believed to have been used by the Syrian government to spy on political activists.

IntelCrawler doesn't know yet the IP address range that the center is using, because it appears that information is only revealed to customers. The data center also can't be linked yet to any ongoing malware campaigns, Komarov said.

Syria's Internet connectivity has been unstable for more than two years since the civil war began. The network monitoring company Renesys has chronicled frequent network changes that at times have left parts of the country in the dark.

So it is perhaps not surprising that cybercriminals see an opportunity in the chaos, but spotty connectivity isn't a great selling point, either.

On Monday, most of Syria's Internet was down, said Doug Madory, senior analyst at Renesys.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags IntelCrawlersecurityDesktop securityExploits / vulnerabilitiesmalware

More about Global CrossingWebHost

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place