Full Report
This investigative report reveals how German hosting provider aurologic GmbH has become a central enabler of malicious internet infrastructure, linking numerous threat activity networks while operating under a veneer of legal neutrality and regulatory ambiguity.
Analysis Summary
# Threat Actor: aurologic GmbH (Threat Activity Enabler/Nexus)
## Attribution & Identity
**Primary Entity:** aurologic GmbH, a German hosting provider established in October 2023, transitioning from the infrastructure previously operated by combahton GmbH (fastpipe[.]io).
**Key Individual:** Maximilian Hofmann (CEO of aurologic and Tornado Datacenter).
**Known Aliases/Associated Groups:** Operates from the primary facility at Tornado Datacenter GmbH & Co. KG. Acts as a common upstream provider for numerous high-risk hosting networks and suspected Threat Activity Enablers (TAEs), including metaspinner net GmbH, Femo IT Solutions Ltd, Global-Data System IT Corporation (SWISSNETWORK02), Railnet, and the sanctioned Aeza Group.
## Activity Summary
aurologic GmbH has become a central nexus enabling malicious internet infrastructure globally. The company provides upstream transit and data center services to a high concentration of known high-risk hosting networks. While marketing legitimate services (cloud hosting, IP transit, DDoS protection), its operations are characterized by:
1. **Continued Service to Sanctioned Entities:** Maintaining upstream connectivity to heavily sanctioned networks, most notably Aeza International Ltd (AS210644), despite sanctions from the US and UK.
2. **Disinformation Enabling:** Identified by Qurium as an upstream provider enabling Russia-linked infrastructure, specifically maintaining relationships with providers linked to the Doppelgänger disinformation network (e.g., WAIcore Hosting Ltd, Altawk, EVILEMPIRE).
3. **Systemic Inaction:** Operating under a veneer of "legal neutrality," intervening in abuse only reactively (when legally compelled) rather than proactively mitigating known malicious downstream activity.
## Tactics, Techniques & Procedures
The primary "TTP" for aurologic is infrastructural enabling:
- **Infrastructure Provisioning:** Providing reliable, high-capacity upstream IP transit and data center colocation to known abuse networks, offering them operational stability and resilience.
- **Exploiting Regulatory Ambiguity:** Leveraging the perception of limited enforcement risk within the European regulatory environment to avoid responsibility for customer activities.
- **Reactive Abuse Handling:** Employing a reactive model for abuse remediation, consistent with a deferred view of operational responsibility.
- **De-facto Neutrality as Rationale:** Using the principle of internet neutrality as a justification for maintaining connectivity with entities repeatedly associated with cybercrime and disinformation.
- **Infrastructure Transition:** The company itself is the result of an organizational transition (combahton → aurologic), suggesting a mechanism for maintaining continuity of services despite scrutiny aimed at the predecessor entity.
## Targeting
- **Sectors:** Diverse, as the downstream networks are involved in general cybercrime, disinformation campaigns, and potentially infrastructure supporting other illicit activities.
- **Geography:** Global, as the infrastructure it enables serves criminal operations worldwide. Specific high-risk downstream networks originate from jurisdictions including Great Britain, the US, Russia, and Germany.
- **Victims:** Indirect victims of the criminal activity hosted on networks utilizing aurologic's infrastructure (e.g., victims of disinformation campaigns, targets of attacks routed through networks like Aeza).
## Tools & Infrastructure
- **Infrastructure (Upstream):**
  - Primary Facility: Tornado Datacenter GmbH & Co. KG in Langen, Germany.
  - ASN: AS30823 (inherited from combahton GmbH).
- **Downstream/Associated High-Risk Networks (Examples from context):**
  - **Aeza International Ltd:** AS210644 (Sanctioned entity).
  - **Railnet LLC:** AS214943.
  - **Global-Data System IT Corporation (SWISSNET 02):** AS42624.
  - **WAIcore Hosting Ltd:** AS213887.
  - **EVILEMPIRE (Tnsecurity Ltd):** AS216309.
  - **Cloudzy (Routerhosting LLC):** AS14956.
## Implications
aurologic represents a systemic challenge to accountability in the hosting ecosystem. By functioning as a critical, reliable upstream provider for multiple threat clusters, it provides operational stability that allows high-risk networks to persist and regenerate, even after sanctions or public shaming of their predecessors or peers. Its existence highlights how infrastructure providers can enable widespread abuse shielded by legal interpretation.
## Mitigations
- **Upstream Pressure:** Organizations, particularly other upstream providers or registries, should apply pressure on aurologic GmbH to implement proactive abuse monitoring and enforcement policies, rather than waiting for legal compulsion.
- **Sanctions Compliance Review:** Continuous monitoring of aurologic’s routing tables for continued, confirmed connectivity to sanctioned entities like Aeza International Ltd (AS210644) and enforcement action or de-peering recommendations where legally appropriate.
- **Supply Chain Due Diligence:** Customers and partners of aurologic should assess the risk associated with relying on infrastructure known to enable sanctioned or high-abuse downstream entities.
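The routing-table monitoring described under Sanctions Compliance Review can be reduced to a simple check over BGP AS-path observations: flag any prefix whose origin is a watch-listed ASN and whose immediate next hop is AS30823. The following is an added example, not code from the report or from any of the entities it names; the ASNs are the ones listed above, while the route lines and prefixes (documentation ranges) are constructed for illustration and would in practice come from a looking glass or route-collector export.

```python
# Added example (not from the report): detect direct upstream adjacency
# between AS30823 and a watchlist of ASNs named in the report, using
# constructed BGP "prefix AS_PATH" lines. Handles AS-path prepending and
# AS_SET braces so a prepended or aggregated origin is not missed.
import re
from collections import defaultdict

UPSTREAM_ASN = 30823          # aurologic GmbH (inherited from combahton), per the report
WATCHLIST = {                 # downstream networks listed in the report
    210644: "Aeza International Ltd (sanctioned)",
    214943: "Railnet LLC",
    42624: "Global-Data System IT Corporation",
    213887: "WAIcore Hosting Ltd",
    216309: "EVILEMPIRE (Tnsecurity Ltd)",
    14956: "Cloudzy (Routerhosting LLC)",
}

# Constructed sample routes (documentation prefixes, made-up paths).
SAMPLE_ROUTES = """\
192.0.2.0/24 3356 30823 210644 210644 210644
198.51.100.0/24 6939 30823 214943
203.0.113.0/24 1299 30823 {42624}
192.0.2.128/25 3356 174 216309
198.51.100.128/25 3356 30823 64512 14956
"""

def parse_path(path: str) -> list[int]:
    """Split an AS_PATH into ints, stripping AS_SET braces and collapsing prepends."""
    collapsed = []
    for asn in (int(tok) for tok in re.findall(r"\d+", path)):
        if not collapsed or collapsed[-1] != asn:  # drop consecutive repeats
            collapsed.append(asn)
    return collapsed

def find_direct_adjacency(routes: str, upstream: int, watchlist: dict) -> dict:
    """Return {origin_asn: [prefixes]} where `upstream` is the AS immediately
    above a watch-listed origin, i.e. it is providing transit directly."""
    hits = defaultdict(list)
    for line in routes.splitlines():
        if not line.strip():
            continue
        prefix, _, path = line.partition(" ")
        asns = parse_path(path)
        if len(asns) >= 2 and asns[-1] in watchlist and asns[-2] == upstream:
            hits[asns[-1]].append(prefix)
    return dict(hits)

if __name__ == "__main__":
    for asn, prefixes in find_direct_adjacency(SAMPLE_ROUTES, UPSTREAM_ASN, WATCHLIST).items():
        print(f"AS{asn} ({WATCHLIST[asn]}) transited directly by AS{UPSTREAM_ASN}: {prefixes}")
```

On the sample, AS216309 (reached via AS174) and AS14956 (one hop further down) are correctly not reported, since the check is specifically for direct adjacency rather than mere presence in the path.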