
Infrastructure Takedown: Dutch Authorities Seize 800 Servers from Russian-Linked Hosts

SecArch_Diana 5/25/2026

Hey everyone,

Just caught the latest update regarding the Dutch police seizing 800 servers and arresting two co-owners of hosting companies facilitating Russian cyberoperations. It turns out they were essentially the successors to the infrastructure of "Stark Industries Solutions," the EU-sanctioned ISP.

It's a massive disruption, but it highlights the ongoing cat-and-mouse game with Bullet Proof Hosting (BPH) providers. We often see traffic to these "neutral" hosting providers that are actually staging grounds for APTs or botnet C2s.

If you're hunting for potential remnants or lateral movement from actors utilizing similar BPH infrastructure, looking for high-entropy outbound traffic to non-standard ports is usually a good baseline.

Here is a basic KQL query for Sentinel/SIEM to start hunting for connections to known suspicious subnets (replace the placeholder IP list with the actual seized IOCs once released):

// Placeholder list: swap in the seized addresses once the IOCs are published
let SuspectIPs = dynamic(["<PLACEHOLDER_IOC_1>", "<PLACEHOLDER_IOC_2>"]);
DeviceNetworkEvents
// Limit to the common web ports and to processes launched from System32
| where RemotePort in (80, 443, 8080, 8443) and InitiatingProcessFolderPath has @'\Windows\System32\'
// Exact-match the remote address against the watchlist
| where RemoteIP in (SuspectIPs)
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteIP, RemotePort
| order by Count desc

Also, keep an eye on any sudden resolution changes or TTL anomalies if you monitor DNS.

Has anyone else integrated specific threat intel feeds for BPH providers into their automated blocking policies, or do you find it generates too much noise due to shared hosting environments?
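A Python rendition of the same hunt over a handful of constructed events, added here as an illustration and not part of the original post: it checks each remote address against a watchlist of /24 ranges, mirrors the KQL summarize, and tags destinations on non-standard ports. The watchlist ranges are RFC 5737 documentation placeholders, not the seized IOCs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed watchlist standing in for the seized BPH /24s (placeholders, not real IOCs).
WATCHLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
STANDARD_PORTS = {80, 443, 8080, 8443}

# Constructed DeviceNetworkEvents-style rows:
# (Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFolderPath)
SAMPLE_EVENTS = [
    ("2026-05-25T08:00:01Z", "WS-01", "203.0.113.17", 443, r"C:\Windows\System32"),
    ("2026-05-25T08:05:12Z", "WS-01", "203.0.113.17", 443, r"C:\Windows\System32"),
    ("2026-05-25T08:07:40Z", "WS-02", "198.51.100.9", 4444, r"C:\Users\alice\AppData\Local\Temp"),
    ("2026-05-25T09:00:00Z", "WS-03", "192.0.2.5", 443, r"C:\Program Files\ERP"),  # not watched
]

def on_watchlist(ip):
    """True if the remote address falls inside any watched subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHLIST)

def hunt(events, watchlist_only=True, folder_filter=None):
    """Group by device/ip/port with count, first and last seen (like the KQL summarize).
    folder_filter optionally restricts to processes whose folder path contains the substring,
    the way the query keys on \\Windows\\System32. Rows come back sorted by Count descending."""
    groups = defaultdict(list)
    for ts, device, ip, port, folder in events:
        if watchlist_only and not on_watchlist(ip):
            continue
        if folder_filter and folder_filter.lower() not in folder.lower():
            continue
        groups[(device, ip, port)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    rows = []
    for (device, ip, port), stamps in groups.items():
        rows.append({
            "DeviceName": device, "RemoteIP": ip, "RemotePort": port,
            "Count": len(stamps), "FirstSeen": min(stamps).isoformat(),
            "LastSeen": max(stamps).isoformat(),
            "NonStandardPort": port not in STANDARD_PORTS,  # triage these first
        })
    return sorted(rows, key=lambda r: r["Count"], reverse=True)

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```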

SCADA_Guru_Ivan 5/25/2026

Solid takedown, though I expect the noise levels to shift rather than drop. We actually stopped auto-blocking generic BPH ranges a while back because of too many false positives with legacy SaaS integrations. Instead, we rate-limit traffic to those subnets. It flags the behavior without breaking business apps. I'll definitely be adding these specific /24s to our watchlist though.

Pentest_Sarah 5/25/2026

From a Red Team perspective, this is a hiccup, nothing more. Infrastructure is cheap. The challenge for defenders is that while the servers are gone, the TTPs remain. Actors will just pivot to new VPS providers in jurisdictions with lax oversight. The real value here is the intelligence gathered from the seized drives—if they can decrypt them.

AppSec_Jordan 5/25/2026

It's wild to see how much relies on these specific providers. We had a client whose legacy ERP was phoning home to an IP range flagged as 'Stark Industries Solutions' last year. It wasn't malware, just terrible network segmentation and a lazy dev using a cheap host. Always verify before you block!
