U.S. Strikes Against Russian Bulletproof Hosting Provider Aeza Group
Introduction to Aeza Group and Recent Sanctions
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has recently imposed sanctions on Aeza Group, a Russia-based bulletproof hosting (BPH) provider. This action targets the company’s role in enabling cybercriminal activities, facilitating attacks against victims both in the United States and globally.
Overview of the Sanctioned Entities
The sanctions not only affect Aeza Group but also extend to its subsidiaries, including Aeza International Ltd., located in the U.K., and Aeza Logistic LLC and Cloud Solutions LLC. Additionally, four key individuals within the organization have been designated:
- Arsenii Aleksandrovich Penzev: CEO and 33% owner of Aeza Group.
- Yurii Meruzhanovich Bozoyan: General director and 33% owner.
- Vladimir Vyacheslavovich Gast: Technical director closely associated with Penzev and Bozoyan.
- Igor Anatolyevich Knyazev: Another 33% owner who oversees operations when the primary owners are unavailable.
Criminal Allegations and Previous Arrests
In a significant development earlier this year, Penzev was arrested on charges of running a criminal organization that facilitated large-scale drug trafficking through the dark web marketplace known as BlackSprut. Alongside him, Bozoyan and two other Aeza employees, Maxim Orel and Tatyana Zubova, were also taken into custody.
According to Bradley T. Smith, the Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, "Cybercriminals depend heavily on BPH service providers like Aeza Group to execute disruptive ransomware attacks, pilfer U.S. technology, and trade in illegal drugs." He emphasized the Treasury’s commitment, in collaboration with international partners, to expose the critical infrastructure and individuals involved in this criminal ecosystem.
The Role of Bulletproof Hosting in Cybercrime
Bulletproof hosting has become a vital resource for cybercriminals, as these services routinely disregard abuse reports and law enforcement requests. Often operating in jurisdictions with lax enforcement or deliberately ambiguous laws, BPH providers allow attackers to keep malicious operations such as phishing schemes and command-and-control (C2) servers online with minimal risk of disruption.
Aeza Group’s Alleged Clients and Operations
Based in St. Petersburg, Aeza Group has been linked to various ransomware families, including BianLian, RedLine, Meduza, and Lumma. These groups have targeted a range of victims, notably entities within the U.S. defense industrial base and technology sectors.
A report from Correctiv and Qurium highlighted that the pro-Russian influence operation known as Doppelganger utilized Aeza’s infrastructure. Additionally, Aeza has provided services to Void Rabisu, another group aligned with Russia known for developing the RomCom RAT malware.
Financial Operations and Cryptocurrency Connections
Recent investigations reveal that a cryptocurrency address tied to Aeza Group has received over $350,000 in digital assets. These funds have been funneled through various exchanges, among them Garantex, as well as through darknet vendors selling stealer malware and escrow services operating on popular gaming platforms.
The designated crypto address appears to function as an administrative wallet, managing payouts from payment processors and routing funds to various exchanges.
Context of International Actions Against Cybercrime
These sanctions come on the heels of similar actions against another Russian BPH provider, Zservers, which was previously sanctioned for its involvement in facilitating ransomware attacks attributed to the LockBit group. Additionally, Qurium’s recent findings have connected Biterika, a Russian web hosting provider, to DDoS attacks against independent media outlets.
Overall, these sanctions reflect a broader strategy aimed at dismantling the ransomware supply chain by targeting the critical infrastructure behind cybercriminal activities. As threat actors continue to evolve their tactics, keeping track of sanctioned entities, monitoring IP reputations, and assessing abuse-resilient networks have become essential for contemporary threat intelligence operations.