A new report from Intrinsec has revealed a sprawling web of Ukrainian and offshore networks fueling large-scale brute force and password spraying campaigns. The investigation sheds light on how these interconnected infrastructures enable persistent cyberattacks and facilitate ransomware operations.
Between June and July 2025, the Ukraine-based autonomous system FDN3 (AS211736) was observed launching “multiple hundreds of thousands of brute force and password spraying attacks against SSL VPN and RDP devices, over a period of up to three days.”
Intrinsec notes with high confidence that FDN3 is part of a larger ecosystem tied to VAIZ-AS (AS61432), ERISHENNYA-ASN (AS210950), and the Seychelles-based TK-NET (AS210848). According to the report, “those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities.”
The analysis underscores strong ties between these Ukrainian networks and offshore bulletproof hosting providers. In particular, IP Volume Inc. (formerly linked to notorious Dutch hoster Ecatel) was identified as a key transit provider. Intrinsec writes: “Despite being reannounced by a new network, the prefixes continue to emit the same type and high levels of attacks. It may mean that a common administrator could be operating all the networks while also moving them to evade blocklisting and attribution.”
These networks are not only enabling brute force attempts but are also linked to ransomware campaigns. The report highlights that ransomware-as-a-service (RaaS) groups such as GLOBAL GROUP and Black Basta heavily rely on brute-forcing corporate VPN appliances to gain footholds in enterprise environments.
One of the report’s most concerning findings is the persistence of malicious activity even after networks are blocklisted or prefixes reallocated. Intrinsec explains: “We described how abusive networks could easily rebrand and evade traces of their previous activities by creating new autonomous systems and shell companies on which their previous prefixes would be transferred.”
The infrastructure also appears to be maintained by known Russian-linked entities. For example, Whois records tie FDN3’s maintenance to Alex Host LLC, a company previously flagged for bulletproof hosting used by disinformation actors.
Intrinsec advises defenders to take proactive steps:
- Block traffic from all IP ranges associated with VAIZ, FDN3, TK-NET, and E-RISHENNYA.
- Leverage Spamhaus blocklists (such as the DROP and ASN-DROP lists) to identify malicious prefixes and the autonomous systems announcing them.
- Monitor for brute force attempts on VPN and RDP services, which remain high-value targets for ransomware operators.
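The two operational recommendations above, blocking known-bad prefixes and watching VPN/RDP authentication logs for spraying and brute force, can be checked with a small triage script. The following is an added example and is not code from the Intrinsec report or from this article; it parses a constructed, generic "timestamp source user result" log format, and the blocked prefixes are RFC 5737 documentation ranges standing in for the real ranges a defender would take from the report or from Spamhaus. It tags each source as a password spray (many distinct accounts from one address, few attempts each), a brute force (many attempts against one account), a source inside the blocklist, and, most importantly, a source that logged in successfully after earlier failures, which is the case that needs an incident response rather than just a firewall rule.

```python
"""Added example (not from the Intrinsec report or the article): triage
constructed SSL VPN / RDP authentication logs for password spraying and
brute force, and flag sources inside operator-maintained blocked prefixes."""
from collections import defaultdict
import ipaddress
import re

# Placeholder prefixes (RFC 5737 documentation ranges). A defender would
# replace these with the ranges announced by the ASNs named in the report or
# with the Spamhaus DROP / ASN-DROP lists; none of these are real attacker ranges.
BLOCKED_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample log lines: "<timestamp> <source ip> <username> <result>".
SAMPLE_LOGS = """\
2025-07-01T10:00:01Z 192.0.2.15 alice FAIL
2025-07-01T10:00:02Z 192.0.2.15 bob FAIL
2025-07-01T10:00:03Z 192.0.2.15 carol FAIL
2025-07-01T10:00:04Z 192.0.2.15 dave FAIL
2025-07-01T10:00:05Z 192.0.2.15 erin FAIL
2025-07-01T10:00:06Z 192.0.2.15 frank FAIL
2025-07-01T10:01:00Z 203.0.113.7 admin FAIL
2025-07-01T10:01:01Z 203.0.113.7 admin FAIL
2025-07-01T10:01:02Z 203.0.113.7 admin FAIL
2025-07-01T10:01:03Z 203.0.113.7 admin FAIL
2025-07-01T10:01:04Z 203.0.113.7 admin FAIL
2025-07-01T10:01:05Z 203.0.113.7 admin OK
2025-07-01T10:02:00Z 198.51.100.9 bob FAIL
2025-07-01T10:02:01Z 198.51.100.9 bob FAIL
2025-07-01T10:03:00Z 10.0.0.5 alice OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<result>FAIL|OK)$")


def parse_events(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def in_blocklist(src, prefixes=BLOCKED_PREFIXES):
    """True if the source address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def classify_sources(events, spray_users=5, brute_attempts=5):
    """Group failures per source and tag each source.

    password_spray:         one source fails against >= spray_users distinct accounts
    brute_force:            one source fails >= brute_attempts times on one account
    success_after_failures: a source that failed earlier then logged in (investigate)
    blocklisted_source:     the source is inside BLOCKED_PREFIXES
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> fail count
    successes = defaultdict(set)                      # src -> users logged in after a FAIL
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]][e["user"]] += 1
        elif e["src"] in failures:  # OK only counts if this src already failed
            successes[e["src"]].add(e["user"])
    findings = {}
    for src, users in failures.items():
        tags = []
        if len(users) >= spray_users:
            tags.append("password_spray")
        if max(users.values()) >= brute_attempts:
            tags.append("brute_force")
        if successes.get(src):
            tags.append("success_after_failures")
        if in_blocklist(src):
            tags.append("blocklisted_source")
        if tags:
            findings[src] = {
                "failures": sum(users.values()),
                "distinct_users": len(users),
                "compromised": sorted(successes.get(src, ())),
                "tags": tags,
            }
    return findings


def triage(text=SAMPLE_LOGS):
    """Run the full pipeline over a log text and return findings keyed by source."""
    return classify_sources(parse_events(text))


if __name__ == "__main__":
    for src, info in sorted(triage().items()):
        print(src, info)
```

On the constructed sample, 192.0.2.15 is tagged as a spray from a blocklisted range, 203.0.113.7 as a brute force that succeeded against "admin" (the finding that warrants credential reset and session review, not just a block), 198.51.100.9 only as a blocklisted source, and 10.0.0.5 produces no finding. The thresholds are deliberately low for the small sample; in production they should be tuned per service, and the prefix list refreshed from Spamhaus on a schedule, since the report's central point is that these operators move prefixes between ASNs to outlive static blocklists.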
While these networks may constantly change shape, their purpose remains the same—providing a resilient infrastructure for cybercriminal groups to conduct brute force attacks, phishing, and malware hosting on a global scale.
“Completely cutting communications with such networks can prevent initial access attempts through scanned exposed assets and bruteforce attempts, command-and-control communications, or being exposed to phishing pages hosted on those ISPs,” Intrinsec warns.