The Justice Department, alongside agencies in the UK and Australia, on Wednesday slapped sanctions on a Russia-based bulletproof hosting provider, which has been used by threat actors in ransomware attacks.

The provider, Media Land LLC, has been used by ransomware actors such as LockBit, BlackSuit, and Play, and its infrastructure has been leveraged in several distributed denial-of-service (DDoS) attacks against US companies and critical infrastructure.

“These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley in a statement on Wednesday. “Today’s trilateral action with Australia and the United Kingdom, in coordination with law enforcement partners, demonstrates our collective commitment to combatting cybercrime and protecting our citizens.”

What are bulletproof hosting providers?

In a security advisory released this week, the US Cybersecurity and Infrastructure Security Agency (CISA) said that it has observed a “marked increase” in cybercriminal actors using bulletproof hosting infrastructure to support operations against critical infrastructure, financial institutions, and other high-value targets.

Bulletproof hosting (BPH) providers lease their infrastructure to cybercriminals and play a critical role in helping threat actors persist through law enforcement disruption efforts, because they are set up to ignore third-party abuse complaints and do not engage in good faith with legal process.

Additionally, “BPH infrastructure is integrated into legitimate internet infrastructure systems, making it difficult for defenders to mitigate the cybercriminal activity,” according to CISA in the security advisory on Wednesday. “BPH infrastructure is part of a network or group of networks known as an Autonomous System (AS), where each AS has a unique identifier known as an Autonomous System Number (ASN).”

Sanctions on Media Land LLC

The sanctions mean that all property and interests in property of the designated entities that are in the US, or in the possession or control of US persons, are blocked, and US persons are barred from transacting with these entities. In addition to Media Land LLC, the DoJ identified ML Cloud, a sister company that typically offers its technical infrastructure in conjunction with Media Land, as well as several individuals behind Media Land:

  • Aleksander Volosovik: general director of Media Land
  • Kirill Zatolokin: a Media Land employee responsible for collecting payments from customers
  • Yulia Pankova: an individual who is aware of Volosovik’s illicit activity and has assisted with his legal issues and finances

How effective are these sanctions? It is difficult to assess. Aeza Group, which was sanctioned by the DoJ earlier this year, responded by continuing its operations through rebranded structures. The DoJ for its part this week explicitly linked the newly rebranded companies to Aeza Group in an attempt to put pressure on the group and “take all possible steps to counter sanctions evasion activity by malicious cyber actors and their enablers.”

Regardless of their level of effectiveness, the sanctions show a continued international focus on disrupting the infrastructure layer underpinning cybercrime as opposed to targeting individual threat actors, according to researchers with Chainalysis.

“Volosovik’s hosting services supported nearly every component of the cyber kill chain, serving underground exchanges, laundering services, scammers, hackers, and ransomware operators, including sanctioned LockBit administrator Dmitry Khoroshev,” according to Chainalysis researchers.