The European Union (EU) is currently confronting a significant surge in cyberattacks, primarily originating from Russia.
These brute-force assaults are targeting corporate and institutional networks, exploiting Microsoft’s infrastructure in Belgium and the Netherlands to avoid detection.

According to a Heimdal Security report, more than half of the attack IP addresses are linked to Moscow, with additional sources traced to Amsterdam and Brussels.

These attacks are focusing on non-administrative accounts, aiming to facilitate lateral movement within networks.

Approximately 65% of the attack IPs linked to Microsoft were recently compromised, while the remainder have been used in previous malicious activities.

Since May 2024, the attacks have leveraged methods such as password guessing and exploiting weak credentials, utilizing compromised IPs.

The involvement of major ISPs and resources from Indian telecom companies further complicates the cybersecurity landscape, indicating a growing need for more robust defenses and international cooperation to deflect aggressive state-sponsored attacks.

Heimdal’s data reveals that the top brute-force attack techniques employed by Russian threat actors include SMBv1 Crawler, RDP Crawler and RDP Alt Port Crawler.

The SMBv1 Crawler accounts for 32% of attacks, using methods like password spraying and credential stuffing.

The RDP Crawler, responsible for 27% of attacks, and the RDP Alt Port Crawler, used in 8% of attacks, also exploit weak credentials on non-standard ports.

The threat actors (Tas) predominantly used ISPs such as Telefonica LLC and IPX – FZCO. Key targeted cities include Edinburgh, Dublin, Budapest and major urban centers in the UK, Denmark, Hungary and Lithuania.

Morten Kjaersgaard, the founder of Heimdal, explained the complexity and setup are sophisticated, where Russia-linked actors are leveraging trusted European Microsoft infrastructure to wage a shadow war on Europe.

“This is blended with the blunt display of force directly from Kremlin-located IP addresses,” he said.

He added what is especially worrying is that Heimdal has noticed Russian-named individuals operating infrastructure in Europe used in the attacks, indicating infiltration.

“At the same time, the exploitation of compromised Indian telcos is a very interesting political twist, which to me shows that there is no stopping the ambition of the attacker,” Kjaersgaard said.

He recommended high-value targets engage with their security vendor and discuss how to effectively detect brute-force attacks, whilst also removing administrator accounts that might be permanently present.

IAM, MFA and Collective Efforts

Al Carchrie, R&D, lead solutions engineer at Cado Security, said the TA understands that they are more likely to succeed with their objectives by using compromised systems to proxy their attacks — the likelihood of success increases if the proxy system is geographically co-located with the intended target.

He added targeting of telecommunications companies can help facilitate several TA objectives, for example, interception of SMS messages that may contain authentication codes used as part of multi-factor authentication (MFA) procedures or using their infrastructure to proxy their attacks through.

He recommended implementing strong identity and access management (IAM) practices including using long and strong passwords and password managers to help manage and share within an organization.

“Enable MFA for all user accounts, enforcing least privilege access controls — granting only the permissions needed — and regularly review and revoke access for inactive users,” Carchrie said.

He said strengthening cloud security to prevent similar cyberattacks within the EU would require configuring cloud resources to ensure any unused services are disabled, using strong passwords for resources and keeping software up to date to patch vulnerabilities.

“Implement repeatable processes using infrastructure and configuration as code,” he said. “This makes it much less likely for human error to creep into configuration, particularly when compared to making manual changes using the cloud portal.”

Kjaersgaard said the simple answer would be to block everything coming from Russian territories now.

“Especially of a remote desktop protocol connection type, because I don’t see any business needing that kind of activity coming from there these days,” he said. “We, as a cybersecurity industry, also need to stand together better.”