The Rise of Cyberattacks on Hosting Providers: A Troubling Trend

Hosteur, Leaseweb, and CloudNordic have all fallen victim to cyber attacks, each with varying levels of impact. This highlights once again the critical nature of these key digital players


Danish cloud host CloudNordic has announced that it suffered a ransomware attack on August 18th, resulting in the loss of all hosted data for the majority of its clients. The attackers, who remain unidentified, were able to halt all systems, including the host’s websites, messaging systems, servers, client systems, and client websites. CloudNordic has stated that it will not pay the ransom demands and is working with external experts to assess the damage and determine what can be recreated. Unfortunately, it has been determined that the majority of client data cannot be recovered. CloudNordic’s sister cloud host, AzeroCloud, has also been affected by the attack. The attack is believed to have occurred during server migration, allowing the already infected systems to access the host’s internal network and gain access to central administration systems and backups.

Swiss host Hosteur also experienced a cyberattack a few days later, which it quickly communicated to its clients on social media. While the attack affected its remote backup service, most of its services have since been restored, including its PaaS environment. Hosteur assured its clients that their data is safe and complete.

Leaseweb, another hosting provider, detected unusual activity in certain areas of its cloud environment on August 22nd. The company temporarily disabled critical systems and engaged a respected cybersecurity and forensics firm to investigate the incident. The investigation is ongoing, but Leaseweb has stated that it contained the incident, improved its security measures, and has not observed any further unauthorized activities.

These recent attacks highlight the importance of strong cybersecurity measures for hosting providers and the potential impact on their clients’ data.

ESN: Critical Players

In July 2022, Trellix highlighted the threat to ESNs. Two weeks earlier, SHI International confirmed that they had been affected by a professional cyber attack with malware, but no further details were provided. Prior to that, attacks on Integrate Informatik AG, Adapt IT, Syredis, and Datalit had been claimed on various ransomware websites.

In the first quarter of 2022, the French National Agency for the Security of Information Systems (ANSSI) reported that they had dealt with 18 compromises affecting ESNs in the previous year, compared to 4 in 2020. ANSSI emphasized the risk of rapid propagation of an attack, which can sometimes affect an entire industry or a specific geographical area, especially when targeting a local or specialized digital service provider.

Eight cases were publicly known for 2021, including Infovista, Berger-Levrault, Solware, LinkOffice, Maitrex, Idline, a provider for the city of Le Cannet des Maures (Inetum), and Xefi (according to one of its clients and Everest’s allegations, as suggested by data leaked by the group in early October last year).

In late May 2022, Akka Technologies, now renamed Akkodis after being acquired by Adecco, fell victim to a cyber attack involving the Alphv/BlackCat ransomware, similar to Inetum. Neither of these attacks was claimed on the corresponding ransomware websites.

In late September 2022, ITS Group was also targeted by a ransomware cyber attack, which was later claimed by the Play group. In late 2022, New Zealand ESN Mecury IT was hit by the LockBit ransomware, as were Kearney & Company and AFD.Tech (Accenture), which reported an “attempt at irregular activity” without providing further details.

Rackspace was also a victim of the Play ransomware in late 2022, costing them a whopping $10.8 million.

The year 2023 began with the widespread ESXiArgs campaign targeting bare metal hosts. France, particularly OVHcloud, was at the forefront of this attack. This was a bitter pill to swallow for the French champion, which has over a thousand channel partners – digital service providers who rely on its bare metal offerings to build their higher-level solutions.

Less than two months later, many clients of Bouygues Telecom Entreprises OnCloud were paralyzed by a cyber attack targeting a VMware ESXi host, according to our sources.

Finally, in May, the Lacroix group reported being the victim of a contained cyber attack. A few days later, operators of the Alphv/BlackCat ransomware explicitly blamed Group DIS, claiming that the managed services provider “refused to pay for the security and data of their client.” They further claimed to disclose the data of what they presented as the main client of the managed services provider, Lacroix Electronics.

Leave a Comment