Cybersecurity firm Heimdal has detected a massive spike in brute force attacks on corporate and institutional networks across Europe, with most attacks originating in Russia.
Brute force attacks are used to gain access to accounts and systems through trial and error guessing weak passwords.
Russian cybercriminals are abusing this technique, and Microsoft’s infrastructure, to gain access while avoiding detection. The attacks have been observed since May 2024, but may have begun earlier.
Cities, businesses and infrastructure under fire
More than half of the attacks originate from IP addresses in Moscow, which are then used to attack major cities in several European countries, including the UK, Lithuania, Denmark and Hungary.
Worryingly, the rest of the attack IPs originate from Amsterdam and Brussels, with major ISPs such as Telefonica LLC and IPX-FZCO being abused by the threat actors. Heimdal research shows that the attacks are actively using Microsoft infrastructure in the Netherlands and Belgium as a means to increase their attack reach and success in Europe.
More than 60% of the IPs used to launch attacks are new, with about 65% of them recently compromised and the rest previously abused by the attackers. Threat actors have been observed abusing SMBv1 crawlers, RDP crawlers, and RDP alternate port crawlers to crack weak or default credentials.
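The attack pattern described above, many failed logons from one source against RDP or SMB, is visible in authentication logs long before a weak credential gives way. The script below is an added example written for this article, not Heimdal's own tooling: it reads a constructed, simplified rendering of Windows Security event 4625 (failed logon) records and flags two patterns per source IP within a sliding window, a plain brute-force burst against an account and, going slightly beyond the article, a password spray (one attempt each against many accounts). The record format, field order, thresholds and all IP addresses and account names are assumptions made here for illustration; real 4625 events carry these fields (Account Name, Source Network Address, Logon Type) in a different layout.

```python
"""Flag brute-force and password-spray patterns in failed-logon records.

Added example for this article (not Heimdal's code). Input is a constructed,
simplified rendering of Windows Security event 4625, one record per line:
    <ISO timestamp>|<event id>|<account>|<source ip>|<logon type>
Logon Type 10 is RemoteInteractive (RDP); Logon Type 3 is Network (e.g. SMB).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_TYPE_NAMES = {"3": "Network", "10": "RemoteInteractive"}


def parse_line(line):
    """Split one pipe-separated record into a dict; timestamps become datetimes."""
    ts, event_id, account, src_ip, logon_type = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "src_ip": src_ip, "logon_type": logon_type}


def detect(records, window=timedelta(minutes=5), fail_threshold=10, spray_threshold=5):
    """Return one alert per (source IP, pattern).

    brute_force:    >= fail_threshold failed logons from one IP inside `window`.
    password_spray: >= spray_threshold distinct accounts failed from one IP inside `window`.
    Thresholds are illustrative; tune them to the environment's baseline.
    """
    alerts, alerted = [], set()
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, account, logon type)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event_id"] != "4625":  # only failed logons matter here
            continue
        q = recent[r["src_ip"]]
        q.append((r["ts"], r["account"], r["logon_type"]))
        while q and r["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        types = sorted({LOGON_TYPE_NAMES.get(t, t) for _, _, t in q})
        for kind, hit in (("brute_force", len(q) >= fail_threshold),
                          ("password_spray", len(accounts) >= spray_threshold)):
            if hit and (r["src_ip"], kind) not in alerted:
                alerted.add((r["src_ip"], kind))
                alerts.append({"kind": kind, "src_ip": r["src_ip"], "failures": len(q),
                               "distinct_accounts": len(accounts), "logon_types": types,
                               "first_seen": q[0][0].isoformat(), "last_seen": r["ts"].isoformat()})
    return alerts


def constructed_sample():
    """Constructed log lines (not real telemetry) exercising both patterns and a benign case."""
    base = datetime(2024, 6, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()}|4625|administrator|203.0.113.7|10"
             for i in range(12)]  # 12 RDP failures against one account in two minutes
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()}|4625|{acct}|198.51.100.23|3")
    # A legitimate user mistypes twice over RDP, then succeeds (4624): no alert expected.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()}|4625|grace|192.0.2.10|10")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()}|4625|grace|192.0.2.10|10")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()}|4624|grace|192.0.2.10|10")
    return lines


def run(lines=None):
    """Parse the given lines (default: the constructed sample) and return the alerts."""
    return detect([parse_line(l) for l in (lines if lines is not None else constructed_sample())])


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The deque-per-source design keeps only the events inside the window, so the same logic runs unchanged over a live tail of a log. The two thresholds deliberately differ: a spray from one source can stay under any per-account lockout policy, so counting distinct accounts rather than total failures is what surfaces it.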
Some of the motives behind the attacks include exfiltration of sensitive data, disruption of services, deployment of malware, and financial gain. Much of the work done by the threat actors involves seek-and-destroy, disruption of critical assets, and sabotage.
“This data shows that an entity in Russia is waging a hybrid war against Europe, and may even have infiltrated it. The threat actors are trying to gain as much data or financial resources as possible, using Microsoft’s infrastructure to do so,” said Morten Kjaersgaard, founder of Heimdal.
“Whoever is responsible, be it the state or another malicious group, they have no shame in using Russia’s allies to commit these crimes. The exploitation of Indian infrastructure is a stark example. The data also shows that these attackers have strong ties to China,” Kjaersgaard concluded.