The fire at the OVH datacenter in Strasbourg affected many nation-state APT groups and cybercrime gangs’ command and control infrastructure.
OVH, one of the world’s largest hosting companies, experienced a devastating fire this week that destroyed its data centres in Strasbourg. The fire started in SBG2, and all four data centres at the French site in Strasbourg, SBG1, SBG2, SBG3, and SBG4, were shut down as a result of the incident.
Since the fire disrupted the services of several of OVH’s clients, the organisation advised them to execute their disaster recovery plans.
The incident impacted nation-state groups as well, according to Costin Raiu, Director of Kaspersky Lab’s Global Research and Analysis Team (GReAT), who disclosed that 36 percent of 140 OVH servers used by various threat actors as C2 servers went offline. Cybercrime gangs and APT groups, such as the Iran-linked Charming Kitten and APT39 groups, the Bahamut cybercrime squad, and the Vietnam-linked OceanLotus APT, all used the servers.
Of course, the incident only affected a small portion of the command and control infrastructure used by multiple threat actors in the wild; almost every group spreads its C2 servers across multiple service providers and bulletproof hosting to make that infrastructure more resilient to takedowns carried out by law enforcement agencies with the assistance of security firms.
“In the top of ISPs hosting Command and control infrastructure, OVH is in the 9th position, according to our tracking data. Overall, they are hosting less than 2% of all the C2s used by APTs and sophisticated crime groups, way behind other hosts such as CHOOPA,” Raiu told The Reg.
“I believe this unfortunate incident will have a minimal impact on these groups’ operations; I’m also taking into account that most sophisticated malware has several C2s configured, especially to avoid take-downs and other risks. We’re happy to see nobody was hurt in the fire and hope OVH and their customers manage to recover quickly from the disaster.”