A sophisticated network of Ukraine-based autonomous systems has emerged as a significant cybersecurity threat, orchestrating large-scale brute-force and password-spraying attacks against SSL VPN and RDP infrastructure.
Between June and July 2025, these malicious networks launched hundreds of thousands of coordinated attacks over periods lasting up to three days, targeting critical enterprise remote access systems.
The campaign involves a complex web of interconnected networks, primarily centered around three Ukrainian autonomous systems: FDN3 (AS211736), VAIZ-AS (AS61432), and ERISHENNYA-ASN (AS210950), along with a Seychelles-based network TK-NET (AS210848).
These networks were strategically allocated in August 2021 and have since engaged in systematic infrastructure manipulation, frequently exchanging IPv4 prefixes to evade blocklisting efforts and maintain operational continuity.
Intrinsec researchers identified this threat infrastructure through extensive monitoring of honeypot networks, revealing attack patterns that peaked at over 1.3 million individual attempts during a three-day period in July 2025.
The attackers demonstrated sophisticated coordination, with multiple IP addresses simultaneously launching identical attack patterns against exposed VPN endpoints and Remote Desktop Protocol services.
The criminal infrastructure operates through partnerships with established bulletproof hosting providers, most notably IP Volume Inc. (AS202425), a Seychelles-based front company created by Ecatel’s operators.
This arrangement provides the Ukrainian networks with both anonymity and resilience, allowing them to maintain operations despite law enforcement attention and industry blocklisting efforts.
Network Infrastructure and Attack Mechanics
The technical architecture of these attacks reveals careful planning and resource allocation. The primary attack vector utilizes coordinated IP ranges, with prefix 88.210.63.0/24 serving as a focal point for the most intensive campaigns.
Analysis of attack logs shows precisely synchronized activation patterns, with individual IP addresses generating between 108,000 and 113,000 attack attempts each during peak operations.
The attackers employ password spraying techniques rather than traditional brute-force methods, attempting common passwords across large volumes of accounts to avoid account lockout mechanisms.
This approach proves particularly effective against organizations with weak password policies or inadequate rate limiting on authentication endpoints.
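As an added defender-side illustration (not part of the original report), the Python below parses constructed VPN authentication log lines, separates a spray (many accounts, few attempts each) from a classic brute force on one account, and aggregates failures per /24 so that a coordinated range whose IPs split the account list between them still stands out; the log format and thresholds are assumptions.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed sample VPN auth log (not from the article): the 88.210.63.x sources
# spread one guess each over many accounts, while 203.0.113.5 hammers one account.
SAMPLE_LOG = """\
2025-07-10T10:00:01Z src=88.210.63.10 user=alice result=fail
2025-07-10T10:00:02Z src=88.210.63.10 user=bob result=fail
2025-07-10T10:00:03Z src=88.210.63.10 user=carol result=fail
2025-07-10T10:00:04Z src=88.210.63.11 user=dave result=fail
2025-07-10T10:00:05Z src=88.210.63.11 user=erin result=fail
2025-07-10T10:00:06Z src=88.210.63.11 user=frank result=fail
2025-07-10T10:00:07Z src=203.0.113.5 user=alice result=fail
2025-07-10T10:00:08Z src=203.0.113.5 user=alice result=fail
2025-07-10T10:00:09Z src=203.0.113.5 user=alice result=fail
2025-07-10T10:00:10Z src=198.51.100.7 user=heidi result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_events(log):
    """Parse log text into dicts with ts, src, user and result keys."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def classify_sources(events, min_failures=3, spread=0.75):
    """Label sources with >= min_failures as 'spray' (few guesses per account, so
    no lockout threshold is reached) or 'bruteforce' (failures piled on few accounts)."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["src"]].append(e["user"])
    labels = {}
    for src, users in fails.items():
        if len(users) >= min_failures:
            ratio = len(set(users)) / len(users)
            labels[src] = "spray" if ratio >= spread else "bruteforce"
    return labels

def prefix_summary(events, prefix_len=24):
    """Per-/prefix_len totals (failures, distinct users, source IPs), so a range
    whose IPs split the account list between them still stands out."""
    agg = defaultdict(lambda: [0, set(), set()])
    for e in events:
        if e["result"] == "fail":
            net = ipaddress.ip_network(f"{e['src']}/{prefix_len}", strict=False)
            row = agg[str(net)]
            row[0] += 1
            row[1].add(e["user"])
            row[2].add(e["src"])
    return {net: (n, len(u), len(s)) for net, (n, u, s) in agg.items()}
```

The per-source view alone would under-count a spray split across a /24; the prefix view is where rate limiting and blocking decisions for such a range can be grounded.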
The campaigns specifically target Fortinet, Palo Alto, and Cisco VPN appliances, aiming to establish high-privilege initial access points that can bypass traditional endpoint detection and response solutions.
Network traffic analysis reveals that the infrastructure maintains persistent command-and-control communications through Amadey malware panels hosted across the same autonomous systems.
Several C2 servers remain active, including 185.156.72.96 with 126 active bot connections and 185.156.72.97 maintaining 122 compromised endpoints, indicating successful post-exploitation activities beyond the initial access attempts.