The Treasury said that Aeza Group has provided infrastructure services for notorious infostealer and ransomware operators
Analysis Summary
# Threat Actor: Aeza Group (Bulletproof Hosting Provider)
## Attribution & Identity
**Actor Identification:** Aeza Group, described as a Russian bulletproof hosting (BPH) provider.
**Aliases and Associated Groups:**
* Sanctioned in coordination with UK authorities alongside its front company, Aeza International Ltd.
* Affiliated entities sanctioned: Aeza Logistic LLC and Cloud Solutions LLC.
* **Leaders Sanctioned:** Yurii Meruzhanovich Bozoyan (General Director) and Vladimir Vyacheslavovich Gast (Technical Director).
* Aeza has provided infrastructure services to known cybercrime operations, including:
  * Meduza Stealer operators
  * Lumma Stealer operators
  * RedLine Stealer operators
  * BianLian Ransomware-as-a-Service (RaaS) group
## Activity Summary
The US Treasury sanctioned Aeza Group for facilitating cyber-attacks globally by providing bulletproof hosting services. This infrastructure has been used to support various high-profile cybercrime operations. Additionally, Aeza Group's infrastructure has reportedly hosted BlackSprut, a Russian darknet marketplace for illicit drugs.
## Tactics, Techniques & Procedures
Since the article focuses on the *facilitation* role rather than offensive operations, the TTPs relate to the infrastructure service provided:
* Provision of Bulletproof Hosting (BPH) services (T1040 - Communication over C2 Channel, potentially enabling other techniques)
* Hosting of cybercrime operations (hosting malware C2, distribution points, or exfiltration servers for affiliated groups).
* Hosting illicit marketplaces (BlackSprut).
## Targeting
* **Sectors:** Not explicitly detailed, but facilitating cybercrime-as-a-service operations implies targeting global entities across various sectors.
* **Geography:** Victims mentioned are located in America and across the world. Headquarters are in St. Petersburg, Russia.
* **Customers (not victims):** Operators of Meduza, Lumma, RedLine, and BianLian ransomware have utilized Aeza's services; the article does not name individual victim organizations.
## Tools & Infrastructure
* **Malware Families Used (Hosted/Supported):** Meduza Stealer, Lumma Stealer, RedLine Stealer, BianLian Ransomware.
* **Infrastructure:** the article names the entities behind the hosting rather than specific C2 domains or IPs.
  * Primary entity: Aeza Group (Headquartered in St. Petersburg, Russia).
  * Affiliated/Front Companies: Aeza Logistic LLC, Cloud Solutions LLC, Aeza International Ltd (UK front company).
  * BlackSprut darknet marketplace (hosted on Aeza infrastructure).
## Implications
The imposition of sanctions on Aeza Group directly targets the enabling layer of the cybercrime ecosystem (bulletproof hosting). Disrupting BPH services hampers the operational capability of several sophisticated cybercriminal groups (ransomware operators, infostealer operators) by forcing them to migrate infrastructure, which raises both their detection risk and their operational costs. This represents a significant enforcement action against Russian entities supporting global cybercrime.
## Mitigations
* Organizations should review threat intelligence related to IPs and domains previously associated with Meduza, Lumma, RedLine, and BianLian to identify any traffic patterns linked to known Aeza infrastructure.
* Monitor for indicators related to the migration of C2 communications as these groups seek new hosting providers following the sanctions.
* Implement robust network monitoring to detect connections to known anonymous or bulletproof hosting networks.
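The last two mitigations (watching for connections to hosting networks on a threat-intelligence list, and watching for the same internal host shifting between such networks as operators migrate C2) can be implemented as a small log-matching routine. The script below is an added example written for this summary, not code from the Treasury announcement or any vendor. The `BPH_RANGES` entries and the connection-log lines are constructed placeholders using RFC 5737 documentation addresses; in practice the ranges would come from a curated feed, and the log format would be whatever the organization's flow or proxy logs emit.

```python
"""
Flag outbound connections to network ranges attributed to bulletproof or
anonymous hosting providers, and surface internal hosts that move between
flagged providers over time (a crude C2-migration signal).
"""
import ipaddress
from collections import defaultdict

# Placeholder ranges standing in for a threat-intel feed of hosting networks
# linked to the groups named in the report. These are RFC 5737 documentation
# addresses (constructed), NOT real Aeza or C2 infrastructure.
BPH_RANGES = {
    "bph-provider-A (placeholder)": [ipaddress.ip_network("203.0.113.0/24")],
    "bph-provider-B (placeholder)": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed connection-log lines: ts src dst dport proto bytes_out
SAMPLE_LOG = """\
1719830400 10.0.0.15 203.0.113.44 443 tcp 51200
1719830460 10.0.0.15 93.184.216.34 443 tcp 2300
1719830520 10.0.0.22 198.51.100.9 8080 tcp 120000
1719834000 10.0.0.15 198.51.100.77 443 tcp 48000
1719834060 10.0.0.31 192.0.2.10 53 udp 90
"""


def parse_line(line):
    """Split one whitespace-separated log line into a typed record."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def match_provider(addr):
    """Return the feed label whose ranges contain addr, or None."""
    for name, nets in BPH_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def is_flagged(ip_str):
    """Convenience check on a dotted-quad string."""
    return match_provider(ipaddress.ip_address(ip_str)) is not None


def scan(log_text):
    """Return every record whose destination falls in a flagged range."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        provider = match_provider(rec["dst"])
        if provider:
            hits.append({**rec, "provider": provider})
    return hits


def migration_candidates(hits):
    """Internal hosts that have contacted more than one flagged provider,
    with the providers listed in the order they were first seen."""
    by_src = defaultdict(list)
    for hit in sorted(hits, key=lambda h: h["ts"]):
        seen = by_src[hit["src"]]
        if not seen or seen[-1] != hit["provider"]:
            seen.append(hit["provider"])
    return {src: provs for src, provs in by_src.items() if len(provs) > 1}


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"[{h['provider']}] {h['bytes']} bytes")
    for src, provs in migration_candidates(flagged).items():
        print(f"possible C2 migration on {src}: {' -> '.join(provs)}")
```

On the constructed data, three of the five connections land in flagged ranges, and host 10.0.0.15 is reported as a migration candidate because it first talked to provider A and later to provider B. The ordering check in `migration_candidates` deliberately collapses repeated contacts to the same provider, so a host that simply beacons to one flagged range many times is not misreported as having moved.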