Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure
August 2024 by Heimdal™ Security
A recent investigation by Heimdal reveals that the EU is facing a surge in brute force cyber-attacks on corporate and institutional networks, primarily originating from Russia.
These attackers exploit Microsoft infrastructure, particularly in Belgium and the Netherlands, to avoid detection.
The investigation into the Russian brute-force campaign has revealed the following insights:
Attackers are aiming for High-Value Targets (HVTs)
Key infrastructure cities like Edinburgh and Dublin have been frequently targeted
Over half of the attack IP addresses are linked to Moscow, targeting major cities in the UK, Denmark, Hungary, and Lithuania
The rest of the investigated attack IPs can be traced back to Amsterdam and Brussels
Major ISPs like Telefonica LLC and IPX-FZCO were significantly abused
Heimdal’s data reveals that the attacks date back to May 2024, but evidence suggests they may have been occurring for an even longer period.
Prevalent Infiltration and Attack Techniques
The attackers primarily target administrative accounts using various case combinations and language variants.
Over 60% of attack IPs are new, with approximately 65% recently compromised and the rest previously abused, revealing a constantly evolving threat.
The threat actors employ known attack principles such as SMBv1 crawlers, RDP crawlers, and RDP alternative port crawlers, exploiting weak or default credentials through password guessing, spraying, and stuffing. Additionally, their use of legitimate Microsoft infrastructure broadens the attack surface and complicates detection and response.
Data shows that attackers have actively exploited Microsoft infrastructure from the Netherlands and Belgium to increase their attack range and success odds.
Russia Leveraging State-Owned Networks to Propagate Attack
Major ISPs like Telefonica LLC and IPX-FZCO are significantly abused, with the former accounting for 27.7% of attacks from Russia.
The attackers also leveraged resources from Russian allies, including Indian telecom companies Bharat Sanchar Nigam Limited and Bharti Airtel Limited, both of which have faced recent data breaches.
Scope of Brute-Force Campaign
Russia’s motivation behind these cyberattacks is multifaceted. The reasons for these actions likely include aims to destabilize and disrupt critical infrastructure in Europe, extract sensitive data, gain financial advantage to fuel ongoing cyber-war efforts, or deploy malware.
The threat actors’ mandates can span multiple types of subversive cyber-warfare ops, including seek-and-destroy, disruption of critical assets, and sabotage.
A Wake Up Call for the European Union
This persistent threat highlights the need for cybersecurity measures within EU countries, including strengthening cloud security, enforcing multi-factor authentication, conducting regular security audits, and educating employees.
Morten Kjaersgaard, founder of Heimdal, said: "This data shows that an entity in Russia is waging a hybrid war on Europe, and may have even infiltrated it. The threat actors are aiming to extract as much data or financial means as possible, leveraging Microsoft infrastructure to do so."
"Whoever is responsible, whether it’s the state or another nefarious group, they have no shame in using Russia’s allies to commit these crimes. The exploitation of Indian infrastructure is a strong example. The data also proves these attackers have strong ties with China.", he added.
Paul Vixie, co-founder of SIE Europe, said: "The data that Heimdal has uncovered is explosively evil, and SIE Europe data clearly shows how well built these Russian Wasp nests are and they show no signs of stopping."
Heimdal collected data using its Threat-Hunting & Action Center, leveraging the XTP engine integrated with Next-Generation Antivirus, Firewall, and MDM products. Additionally, data from external sources such as SHODAN, Cloudflare, Censys, and SIE Europe were incorporated to ensure comprehensive and reliable threat analysis.