In mid-2025, a coalition of Ukraine-based autonomous systems orchestrated unprecedented brute-force and password-spraying campaigns against exposed SSL VPN and Remote Desktop Protocol (RDP) services, overwhelming security defenses and highlighting the growing sophistication of state-linked cyber-infrastructure.
Over a concentrated three-day period in July 2025, the network operating under AS211736 (“FDN3”), allocated to FOP Dmytro Nedilskyi, unleashed more than 1.3 million login attempts against corporate VPN and RDP endpoints.
Security researchers attribute these coordinated attacks to an interconnected cluster of Ukrainian autonomous systems—VAIZ-AS (AS61432), E-RISHENNYA-ASN (AS210950), and FDN3 (AS211736)—which routinely exchange IP prefixes with TK-NET (AS210848) in Seychelles to evade blocklisting.
All four networks originated simultaneously in August 2021 and share routing through IP Volume Inc. (AS202425), a Seychelles-based front for the notorious Dutch bulletproof hosting provider Ecatel.
The campaign’s timings and tactics bore hallmarks of emerging Ransomware-as-a-Service (RaaS) groups, which rely on low-and-slow credential stuffing to gain initial network footholds.
On July 6, 2025, the FDN3 prefix 88.210.63.0/24 began firing waves of login attempts across thousands of VPN appliances and RDP servers, peaking at over 110 000 hits per individual IP address.
Logging clusters revealed near-uniform distribution of attempts between SSL VPN ports (TCP 443 and 8443) and RDP (TCP 3389), indicating a broad probing strategy designed to maximize infiltration odds.
Historical telemetry from April 2025 confirms that Telkom Internet LTD (AS210848) and IP Volume Inc. (AS202425) previously funneled similarly massive scanning operations through VAIZ and E-RISHENNYA prefixes.
During that period, honeypot networks recorded more than 27 000 attack attempts in a single week from AS210848 alone, and SANS Institute metrics logged tens of thousands of hits on port 5555 originating from these ASNs.
This persistent noise underscores the networks’ dual role as both brute-force platforms and staging grounds for malware command-and-control hosting and phishing infrastructure.
Analysis of WHOIS data traces the administrative oversight of FDN3 to Russian-registered maintainer Alex Host LLC (“ru-alexgroup-1-MNT”), a bulletproof hosting provider with a documented history of supporting illicit RaaS operators.
Prefix transfers between UA- and RU-registered entities—such as the movement of 45.143.201.0/24 from TOV VAIZ PARTNER to Verasel Inc. (AS2100195) in Seychelles—suggest a strategic chain of shell companies engineered to frustrate attribution and takedown efforts.
Compounding the threat, Bulgarian front networks such as ROZA-AS (AS212283) and SS-Net (AS204428) have also cycled Ukrainian prefixes to ensure uninterrupted access to abused IP ranges.
In June and July 2025, SS-Net prefixes 83.222.190.0/24 and 83.222.191.0/24 recorded more than 55 000 and 12 900 RDP login attempts, respectively, further indicating the actors’ reliance on geographically diverse bulletproof hosting partners.
The operational resilience of these networks underscores the limitations of perimeter defenses against credential-stuffing and brute-force campaigns.
Experts recommend immediately implementing stringent rate-limiting, multi-factor authentication, and comprehensive blocklisting of known abusive ASNs.
Organizations should subscribe to reputable threat intelligence blocklists, such as those published by Spamhaus, to proactively deny traffic from high-risk networks.
As RaaS operations continue to refine initial access tactics, the security community must adapt by correlating BGP prefix movements with attack telemetry, enriching context for real-time defensive measures.
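One way to put the blocklisting and correlation advice above into practice, as an added example that is not part of the original report: it groups failed VPN/RDP logins by source /24, tags prefixes the article names, and flags password spraying. The log format, field names, sample lines and the `spray_users` threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Prefixes and ASNs as named in the article; extend from your own threat-intel feed.
WATCHLIST = {
    ipaddress.ip_network("88.210.63.0/24"): "AS211736 (FDN3)",
    ipaddress.ip_network("83.222.190.0/24"): "AS204428 (SS-Net)",
    ipaddress.ip_network("83.222.191.0/24"): "AS204428 (SS-Net)",
}

# Constructed sample lines in a hypothetical key=value format (not real telemetry).
SAMPLE_LOG = [
    "2025-07-06T10:00:01Z service=rdp src=88.210.63.17 user=admin result=fail",
    "2025-07-06T10:00:02Z service=sslvpn src=88.210.63.17 user=jsmith result=fail",
    "2025-07-06T10:00:03Z service=sslvpn src=88.210.63.44 user=backup result=fail",
    "2025-07-06T10:00:09Z service=rdp src=83.222.190.5 user=administrator result=fail",
    "2025-07-06T10:01:00Z service=sslvpn src=198.51.100.7 user=alice result=fail",
    "2025-07-06T10:01:05Z service=sslvpn src=198.51.100.7 user=alice result=ok",
]

def parse(line):
    """Split 'timestamp key=value ...' into a dict; return None if malformed."""
    try:
        _ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["net"] = ipaddress.ip_network(rec["src"] + "/24", strict=False)  # IPv4 assumed
        rec["user"], rec["service"], rec["result"]  # raises KeyError if a field is missing
    except (KeyError, ValueError):
        return None
    return rec

def summarize(lines, spray_users=3):
    """Count failed logins per source /24, tag watchlisted prefixes, flag spraying."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "services": set()})
    for rec in filter(None, map(parse, lines)):
        if rec["result"] == "fail":
            s = stats[rec["net"]]
            s["fails"] += 1
            s["users"].add(rec["user"])
            s["services"].add(rec["service"])
    # "spray" means many distinct usernames were tried from one source range.
    return {str(net): {"fails": s["fails"], "services": sorted(s["services"]),
                       "asn": WATCHLIST.get(net),  # exact /24 match; None if unlisted
                       "spray": len(s["users"]) >= spray_users}
            for net, s in stats.items()}

if __name__ == "__main__":
    for prefix, row in summarize(SAMPLE_LOG).items():
        print(prefix, row)
```

Grouping by /24 rather than by single address matters here because the reported campaign spread its attempts across whole prefixes, so per-IP thresholds alone can miss it.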
The July 2025 Ukrainian network campaigns stand as a stark reminder that adversaries increasingly leverage layered, multinational bulletproof hosting infrastructures to sustain intense brute-force operations—underscoring the pressing need for coordinated global efforts to dismantle these abusive networks.