New research from cybersecurity firm Heimdal has showed a huge spike in brute force attacks against corporate and institutional networks across Europe, with most of the attacks originating in Russia.
Brute force attacks are used to gain access to accounts and systems by using trial and error to guess weak passwords.
Russian threat actors have been abusing this technique to exploit Microsoft infrastructure in an effort to avoid detection, with attacks occurring since as early as May 2024 but may have been happening earlier.
Cities, companies and infrastructure under attack
Over half of the attacks originate from IP addresses in Moscow, which are then used to target major cities across a range of countries in Europe, including the United Kingdom, Lithuania, Denmark and Hungary.
Worryingly, the rest of the attack IPs originate in Amsterdam and Brussels, with major ISPs such as Telefonica LLC and IPX-FZCO being abused by the threat actors. Research by Heimdal shows that the attacks are actively exploiting Microsoft infrastructure in the Netherlands and Belgium as a means to increase their attack range and success in Europe.
More than 60% of the IPs used to launch attacks are new, with around 65% of them being recently compromised, and the rest being previously abused by the attackers. The threat actors have been observed abusing SMBv1 crawlers, RDP crawlers and RDP alternative port crawlers to crack weak or default credentials.
Some of the motivations behind the attacks include exfiltrating sensitive data, disrupting services, deploying malware, and financial gain. Much of the work performed by the threat actors covers seek-and-destroy, critical asset disruption, and sabotage.
“This data shows that an entity in Russia is waging a hybrid war on Europe, and may have even infiltrated it. The threat actors are aiming to extract as much data or financial means as possible, leveraging Microsoft infrastructure to do so,” Heimdal founder Morten Kjaersgaard said.
“Whoever is responsible, whether it’s the state or another nefarious group, they have no shame in using Russia’s allies to commit these crimes. The exploitation of Indian infrastructure is a strong example. The data also proves these attackers have strong ties with China,” Kjaersgaard concluded.