Threat Activity Enablers Provide Critical Infrastructure for Ransomware, Botnets, and State‑Sponsored Campaigns
What Happened – Recorded Future identified a class of service providers called Threat Activity Enablers (TAEs) that deliberately host or facilitate malicious infrastructure for ransomware groups, botnets, infostealer campaigns, and nation‑state actors. These providers evade takedowns, use shell companies, control IP resources, and rapidly re‑brand to stay operational.
Why It Matters for TPRM –
- TAEs sit in the supply chain of many third‑party SaaS, cloud, and hosting services, creating hidden risk for downstream customers.
- Their resilience means compromised assets can persist long after a breach is discovered, inflating exposure windows.
- Lack of KYC and abuse‑report handling makes due diligence on vendors more challenging.
Who Is Affected – Cloud hosting providers, ISP/ASN owners, SaaS platforms that lease infrastructure, and any organization that outsources compute or networking to third‑party data centers.
Recommended Actions –
- Review contracts and security questionnaires for clauses requiring vendors to disclose use of “bullet‑proof” hosting or anonymized infrastructure.
- Incorporate TAE risk scores (e.g., Recorded Future’s Threat Density Score) into vendor risk models.
- Conduct periodic network‑level scans to detect connections to known high‑risk TAE IP prefixes.
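The network‑level scan from the last action, as an added example that is not code from Recorded Future or the report: it checks constructed flow records against a constructed watch list of prefixes using Python's ipaddress module, so that destinations inside a watched prefix (and only those, including a /25 that does not cover the whole /24) are flagged. The prefix list (RFC 5737 / RFC 3849 documentation ranges standing in for TAE‑controlled space), the flow‑record format and the TAE labels are all assumptions.

```python
import ipaddress

# Constructed watch list: RFC 5737 / RFC 3849 documentation ranges stand in for
# TAE-controlled prefixes; a real list would come from a threat-intelligence feed.
HIGH_RISK_PREFIXES = {
    "192.0.2.0/24": "TAE-A (constructed)",
    "198.51.100.0/25": "TAE-B (constructed)",
    "2001:db8:dead::/48": "TAE-C (constructed)",
}

# Constructed flow records: "<timestamp> <src> <dst> <bytes>", one per line.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z 10.1.2.3 192.0.2.44 5120
2024-05-01T10:00:05Z 10.1.2.9 93.184.216.34 880
2024-05-01T10:00:09Z 10.1.4.7 198.51.100.200 120
2024-05-01T10:00:12Z 10.1.4.7 198.51.100.5 77000
2024-05-01T10:00:20Z 10.1.2.3 2001:db8:dead:beef::1 4096
garbage line that must not crash the scan
"""

def load_prefixes(table):
    """Parse prefixes once, longest first, so the first match is the most specific."""
    nets = [(ipaddress.ip_network(p, strict=False), label) for p, label in table.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)

def match_prefix(dst, nets):
    """Return (prefix, label) covering dst, or None; non-IP strings never match."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net, label in nets:
        if addr.version == net.version and addr in net:
            return (str(net), label)
    return None

def scan_flows(text, table=HIGH_RISK_PREFIXES):
    """Return (ts, src, dst, bytes, prefix, label) per flow bound for a watched prefix."""
    nets = load_prefixes(table)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # malformed record: skip it rather than abort the whole scan
        ts, src, dst, nbytes = parts
        match = match_prefix(dst, nets)
        if match:
            hits.append((ts, src, dst, int(nbytes), match[0], match[1]))
    return hits
```

Note that 198.51.100.200 is not flagged because the watched prefix is 198.51.100.0/25, not the whole /24; a watch list that is too coarse produces false positives against legitimate neighbours of a TAE‑controlled block.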
Technical Notes – TAEs employ corporate‑shell front companies, control local internet registries (LIRs), and perform rapid IP prefix re‑branding to evade detection. The primary attack vector is third‑party dependency; no specific CVE is cited. Data types at risk include any exfiltrated customer data hosted on compromised infrastructure. Source: https://www.recordedfuture.com/blog/threat-activity-enablers