Russia-Linked Brute-Force Attacks Aim at European Networks, Reveals Report
A recent investigation by cybersecurity experts at Heimdal has brought to light a sophisticated campaign of cyberattacks against the European Union, believed to have ties to Russia.
The cyber onslaught, which has been intensifying since May 2024, specifically targets government and corporate networks within the EU through a series of brute-force attempts. The attackers are reported to be exploiting Microsoft infrastructure, notably in Belgium and the Netherlands, to hide their trails and avoid detection.
This revelation comes amid heightened alerts from European leaders regarding a covert effort by Russia to undermine the stability of the continent through cyberattacks, misinformation campaigns, and other disruptive tactics.
At a recent NATO gathering, various leaders pointed fingers at Russia for its involvement in numerous malicious activities. Danish Prime Minister Mette Frederiksen emphasized the need for increased vigilance, stating, “Russia is trying to destabilise all of us, using various measures.”
Heimdal’s report finds that the attackers concentrate on cities hosting key infrastructure, including Edinburgh and Dublin, and target administrative accounts using password guessing, password spraying, and credential stuffing.
The report names three primary brute-force methods: SMBv1 Crawler, RDP Crawler, and RDP Alt Port Crawler. These scan for exposed SMBv1 and Remote Desktop Protocol services, including RDP listening on non-standard ports, and combine known weaknesses in those protocols with attempts to guess weak credentials. The existence of a dedicated alt-port crawler means that moving RDP off TCP 3389, on its own, does not take a host out of the attackers’ scope.
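To make the three credential-attack patterns concrete, here is an added Python example, not code from Heimdal or from the report, that groups failed-logon records by source IP, labels each burst as password guessing, password spraying, or credential stuffing, and flags RDP reached on a non-standard port. The log lines are constructed; the field layout is a simplified rendering of a Windows Security 4625 (logon failure) event rather than any vendor’s export format, and the threshold, window, and the "mostly unknown accounts means stuffing" rule are heuristics chosen for the example.

```python
"""Triage failed-logon events into guessing, spraying, or stuffing.

Added example: the log lines below are constructed, in a simplified
Windows 4625 (logon failure) layout, not a real system's export.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# NTSTATUS sub-status values that 4625 events report for failed logons.
BAD_PASSWORD = "0XC000006A"   # account exists, password wrong
NO_SUCH_USER = "0XC0000064"   # account does not exist on this system
STANDARD_PORTS = {3389: "RDP", 445: "SMB"}

# Constructed sample: one guessing burst, one spray on an alternate RDP
# port, one stuffing run against SMB, and a benign user mistyping twice.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z ip=198.51.100.7 user=Administrator dst_port=3389 status=0xC000006A
2024-06-01T10:00:02Z ip=198.51.100.7 user=Administrator dst_port=3389 status=0xC000006A
2024-06-01T10:00:03Z ip=198.51.100.7 user=Administrator dst_port=3389 status=0xC000006A
2024-06-01T10:00:04Z ip=198.51.100.7 user=Administrator dst_port=3389 status=0xC000006A
2024-06-01T10:00:05Z ip=198.51.100.7 user=Administrator dst_port=3389 status=0xC000006A
2024-06-01T10:00:06Z ip=198.51.100.7 user=Administrator dst_port=3389 status=0xC000006A
2024-06-01T10:05:00Z ip=203.0.113.44 user=alice dst_port=3390 status=0xC000006A
2024-06-01T10:05:30Z ip=203.0.113.44 user=bob dst_port=3390 status=0xC000006A
2024-06-01T10:06:00Z ip=203.0.113.44 user=carol dst_port=3390 status=0xC000006A
2024-06-01T10:06:30Z ip=203.0.113.44 user=dave dst_port=3390 status=0xC000006A
2024-06-01T10:07:00Z ip=203.0.113.44 user=erin dst_port=3390 status=0xC000006A
2024-06-01T10:07:30Z ip=203.0.113.44 user=frank dst_port=3390 status=0xC000006A
2024-06-01T10:10:00Z ip=192.0.2.9 user=j.doe@example.com dst_port=445 status=0xC0000064
2024-06-01T10:10:01Z ip=192.0.2.9 user=m.lee@example.net dst_port=445 status=0xC0000064
2024-06-01T10:10:02Z ip=192.0.2.9 user=alice dst_port=445 status=0xC000006A
2024-06-01T10:10:03Z ip=192.0.2.9 user=s.khan@example.org dst_port=445 status=0xC0000064
2024-06-01T10:10:04Z ip=192.0.2.9 user=p.novak@example.com dst_port=445 status=0xC0000064
2024-06-01T10:10:05Z ip=192.0.2.9 user=bob dst_port=445 status=0xC000006A
2024-06-01T10:30:00Z ip=10.0.0.5 user=alice dst_port=3389 status=0xC000006A
2024-06-01T10:30:40Z ip=10.0.0.5 user=alice dst_port=3389 status=0xC000006A
2024-06-01T10:31:00Z ip=10.0.0.5 user=alice dst_port=3389 logon=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"dst_port=(?P<port>\d+) status=(?P<status>0x[0-9a-fA-F]+)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    port: int
    status: str


def parse(log: str) -> list:
    """Parse failed-logon lines; lines in any other shape are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Attempt(datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                               m["ip"], m["user"].lower(), int(m["port"]), m["status"].upper()))
    return out


def peak_failures(events, window):
    """Most failures from one source inside any interval of length `window`."""
    events = sorted(events, key=lambda a: a.ts)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end].ts - events[start].ts > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(attempts, window=timedelta(minutes=10), threshold=5):
    """Label each noisy source IP. Threshold and rules are example heuristics."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    findings = {}
    for ip, events in by_ip.items():
        if peak_failures(events, window) < threshold:
            continue  # below the burst threshold: treat as user error
        users = Counter(a.user for a in events)
        unknown_share = sum(a.status == NO_SUCH_USER for a in events) / len(events)
        if len(users) == 1:
            label = "password guessing"        # one account, many passwords
        elif unknown_share >= 0.5:
            label = "credential stuffing"      # leaked pairs, most accounts not local
        elif max(users.values()) <= 2:
            label = "password spraying"        # many accounts, one or two passwords each
        else:
            label = "mixed"
        ports = sorted({a.port for a in events})
        findings[ip] = {"label": label, "failures": len(events), "accounts": len(users),
                        "ports": ports,
                        "non_standard_ports": [p for p in ports if p not in STANDARD_PORTS]}
    return findings


if __name__ == "__main__":
    for ip, finding in classify(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The split between spraying and stuffing rests on the 4625 sub-status: a spray reuses a few passwords against accounts that do exist, so failures come back as bad password, whereas stuffing replays leaked username and password pairs, many of which name accounts the target never had. Real deployments would pull the same fields from the Windows Event Log or a SIEM rather than a text blob, and would tune the window and threshold to the environment.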
A significant portion of the attack IPs can be traced back to Moscow, targeting major cities in Denmark, Hungary, Lithuania, and the UK, with others stemming from Amsterdam and Brussels. Remarkably, over 60% of these addresses are new, indicating a dynamic and evolving threat landscape.
The misuse of legitimate Microsoft infrastructure has enlarged the attackers’ reach, complicating efforts to detect and neutralize their operations. Notably, internet service providers such as Telefonica LLC and IPX-FZCO have seen substantial misuse, with the former linked to nearly 27% of the Russia-originated attacks.
Furthermore, the exploitation extends beyond Europe. Russian cyber operatives have also leveraged compromised resources from Indian telecom giants Bharat Sanchar Nigam Limited (BSNL) and Bharti Airtel Limited, both of which have recently faced data breaches, to conduct attacks in the EU. Similar tactics have been observed targeting China, with several IPs associated with the attacks traced back to Hong Kong.
While the overarching objectives of this cyber campaign remain partially obscured, experts believe the attackers aim to destabilize critical infrastructure, steal sensitive information, secure financial gains, or deploy harmful software. The implications of a successful attack are daunting, potentially jeopardizing economies, governments, and even lives.
Cybersecurity professionals advocate for a robust, multi-layered defense strategy, including enhanced cloud security measures, mandatory multi-factor authentication, and systematic security audits to mitigate these risks.
Morten Kjaersgaard, the founder of Heimdal, underscored the gravity of the threat. “The evidence clearly demonstrates that Russian threat actors are engaging in hybrid warfare against Europe, exploiting Microsoft infrastructure for data theft and financial gains. Their use of allies’ infrastructure, notably in India, and connections with China, amplify the complexity of this threat,” he explained.
Paul Vixie, co-founder of SIE Europe, also weighed in, describing the findings as “explosively evil.” He highlighted that the data from Heimdal underscores the sophistication and persistence of these Russian-backed cyber threats.
Last May, ESET Research uncovered that the Russia-linked Turla group employed new malware to infiltrate a European ministry of foreign affairs along with its diplomatic missions abroad. In a similar vein, Microsoft Threat Intelligence previously alerted about a prolific Russian hacking group exploiting a critical Outlook vulnerability to hijack email accounts.
As the digital landscape continues to evolve, so does the nature of these threats. The international community, together with cybersecurity experts, must remain vigilant and proactive in safeguarding the digital frontier against such insidious attacks.