An investigation conducted by Heimdal revealed that a wave of brute-force cyber attacks has been targeting corporate and institutional networks in the European Union, with the majority of the attacks originating from Russia. These attackers have been utilizing Microsoft infrastructure, particularly in Belgium and the Netherlands, as a tactic to evade detection.
The investigation into the Russian brute-force campaign has unearthed critical insights that shed light on the scope and impact of these attacks. Firstly, the attackers have been specifically targeting High-Value Targets (HVTs), indicating a strategic and calculated approach to their cyber warfare efforts. Moreover, key infrastructure cities like Edinburgh and Dublin have been recurrently targeted, highlighting the breadth of the attack landscape.
Further analysis revealed that over half of the attack IP addresses are linked to Moscow, with major cities in the UK, Denmark, Hungary, and Lithuania being the primary targets. The remaining investigated attack IPs can be traced back to Amsterdam and Brussels, underscoring the broad geographical reach of these cyber assaults. Noteworthy ISPs like Telefonica LLC and IPX-FZCO have been significantly exploited in these attacks, with Heimdal’s data indicating that these malicious activities have been ongoing since at least May 2024.
The infiltration and attack techniques employed by the threat actors have shown a high degree of sophistication and adaptability. The attackers primarily target administrative accounts, cycling through case combinations and language variants of the account names, to exploit weak or default credentials through password guessing, spraying, and stuffing. Additionally, the use of legitimate Microsoft infrastructure complicates detection and response efforts, thereby enhancing the effectiveness of the attacks.
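The three credential-attack patterns named above (guessing, spraying, stuffing) leave different fingerprints in authentication logs, and the case and language variants of "admin" only become visible once usernames are normalised before counting. The following detector is an added illustration written for this article, not code from Heimdal or from the report it describes: the log line format, the alias list for administrator account names, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format (an assumption for this example):
#   "<ISO 8601 timestamp> <OK|FAIL> <username> <source ip>"
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")

# Case-folded spellings and language variants of the administrator account.
# The list is an assumption; extend it with whatever your directory actually uses.
ADMIN_ALIASES = {"admin", "administrator", "administrateur", "administrador",
                 "amministratore", "sysadmin", "root"}

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5       # distinct accounts from one source inside the window...
SPRAY_MAX_PER_ACCOUNT = 3    # ...each tried only a few times (spray signature)
BRUTE_MIN_FAILURES = 8       # failures against one account from one source
VARIANT_MIN = 3              # distinct spellings of "admin" from one source
SUCCESS_MIN_PRIOR_FAILS = 3  # failures before a success worth flagging

# Constructed sample log (not real data): one source hammering admin variants
# and then logging in, one source spraying six accounts once each, and one
# ordinary user mistyping a password once.
SAMPLE_LOG = """\
2024-05-03T10:00:01Z FAIL admin 203.0.113.7
2024-05-03T10:00:04Z FAIL Admin 203.0.113.7
2024-05-03T10:00:07Z FAIL ADMIN 203.0.113.7
2024-05-03T10:00:10Z FAIL administrator 203.0.113.7
2024-05-03T10:00:13Z FAIL Administrator 203.0.113.7
2024-05-03T10:00:16Z FAIL administrateur 203.0.113.7
2024-05-03T10:00:19Z FAIL administrador 203.0.113.7
2024-05-03T10:00:22Z FAIL root 203.0.113.7
2024-05-03T10:00:25Z FAIL sysadmin 203.0.113.7
2024-05-03T10:00:28Z OK administrator 203.0.113.7
2024-05-03T10:30:00Z FAIL j.doe 198.51.100.9
2024-05-03T10:30:15Z FAIL a.smith 198.51.100.9
2024-05-03T10:30:30Z FAIL b.lee 198.51.100.9
2024-05-03T10:30:45Z FAIL c.wong 198.51.100.9
2024-05-03T10:31:00Z FAIL d.kim 198.51.100.9
2024-05-03T10:31:15Z FAIL e.ivanov 198.51.100.9
2024-05-03T11:00:00Z FAIL m.bakker 192.0.2.44
2024-05-03T11:00:20Z OK m.bakker 192.0.2.44
"""

def canonical(user):
    """Collapse case and language variants so 'Admin', 'ADMIN' and
    'administrateur' all count as attempts against the same target account."""
    u = user.casefold()
    return "admin" if u in ADMIN_ALIASES else u

def parse(log_text):
    """Parse log lines into (timestamp, result, user, ip) tuples, skipping
    malformed lines rather than aborting on them."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return sorted(events)

def analyse(log_text):
    """Return {source_ip: set of findings}, evaluated over a sliding window
    starting at every event from that source."""
    findings = defaultdict(set)
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[3]].append(ev)
    for ip, evs in by_ip.items():
        for t0, _, _, _ in evs:
            window = [e for e in evs if t0 <= e[0] < t0 + WINDOW]
            fails = [e for e in window if e[1] == "FAIL"]
            per_account = defaultdict(int)   # failures per canonical account
            admin_spellings = set()          # raw spellings that map to "admin"
            for _, _, user, _ in fails:
                per_account[canonical(user)] += 1
                if canonical(user) == "admin":
                    admin_spellings.add(user)
            # Spray: many accounts, each hit only a few times (stays under lockout).
            if (len(per_account) >= SPRAY_MIN_ACCOUNTS
                    and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT):
                findings[ip].add("password_spray")
            # Guessing / stuffing: one account hammered repeatedly.
            if per_account and max(per_account.values()) >= BRUTE_MIN_FAILURES:
                findings[ip].add("brute_force_single_account")
            # Variant cycling: the same admin account under several spellings.
            if len(admin_spellings) >= VARIANT_MIN:
                findings[ip].add("admin_variant_guessing")
            # A success following a burst of failures is the one to escalate first.
            if (len(fails) >= SUCCESS_MIN_PRIOR_FAILS
                    and any(e[1] == "OK" and e[0] > fails[0][0] for e in window)):
                findings[ip].add("success_after_failures")
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```

Without the `canonical()` step the first source would look like nine accounts tried once each, which is the spray signature, rather than one administrator account tried nine times; normalising first is what separates the two patterns. The thresholds are starting points: in production they should be tuned to the directory's lockout policy and to the expected failure rate of real users, and a source that reaches `success_after_failures` warrants an immediate session review rather than a ticket.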
Russia’s involvement in these cyber assaults extends beyond mere perpetration, with the nation leveraging state-owned networks to propagate these attacks further. Major ISPs like Telefonica LLC and IPX-FZCO are among the entities that have been significantly abused in the process. The attackers have also utilized resources from Russian allies, such as Indian telecom companies Bharat Sanchar Nigam Limited and Bharti Airtel Limited, indicating a coordinated and expansive network behind these cyber intrusions.
The motivations behind these cyber attacks are varied and multifaceted, including destabilizing critical infrastructure in Europe, extracting sensitive data, gaining financial advantages for ongoing cyber-war efforts, or deploying malware. The scope of the brute-force campaign orchestrated by Russia underscores the urgent need for enhanced cybersecurity measures within EU countries, such as reinforcing cloud security, implementing multi-factor authentication, conducting regular security audits, and providing comprehensive cybersecurity training to employees.
Morten Kjaersgaard, the Founder of Heimdal, expressed grave concerns about the hybrid cyber war being waged on Europe by a Russian entity, emphasizing the urgency of this threat. The collaboration between threat actors in Russia and their allies in India and China highlights the global scale and complexity of these cyber warfare operations. Paul Vixie, Co-Founder of SIE Europe, echoed these sentiments, characterizing the data uncovered by Heimdal as “explosively evil” and underscoring the relentless nature of these cyber threats.
In conclusion, the findings of the investigation conducted by Heimdal reveal a disturbing trend of cyber attacks targeting the EU, orchestrated by a sophisticated network with ties to Russia, India, and China. These revelations serve as a stark reminder of the evolving cyber threat landscape facing the European Union and the pressing need for robust cybersecurity measures to safeguard against such malicious activities.
