Russia’s shadow war against Europe has begun as cyber attacks abusing Microsoft infrastructure increase
Russian threat actors targeting Microsoft infrastructure to wage its shadow war
New research from cybersecurity firm Heimdal has showed a huge spike in brute force attacks against corporate and institutional networks across Europe, with most of the attacks originating in Russia.
Brute force attacks are used to gain access to accounts and systems by using trial and error to guess weak passwords.
Russian threat actors have been abusing this technique to exploit Microsoft infrastructure in an effort to avoid detection, with attacks occurring since as early as May 2024 but may have been happening earlier.
Cities, companies and infrastructure under attack
Over half of the attacks originate from IP addresses in Moscow, which are then used to target major cities across a range of countries in Europe, including the United Kingdom, Lithuania, Denmark and Hungary.
Worryingly, the rest of the attack IPs originate in Amsterdam and Brussels, with major ISPs such as Telefonica LLC and IPX-FZCO being abused by the threat actors. Research by Heimdal shows that the attacks are actively exploiting Microsoft infrastructure in the Netherlands and Belgium as a means to increase their attack range and success in Europe.
More than 60% of the IPs used to launch attacks are new, with around 65% of them being recently compromised, and the rest being previously abused by the attackers. The threat actors have been observed abusing SMBv1 crawlers, RDP crawlers and RDP alternative port crawlers to crack weak or default credentials.
Some of the motivations behind the attacks include exfiltrating sensitive data, disrupting services, deploying malware, and financial gain. Much of the work performed by the threat actors covers seek-and-destroy, critical asset disruption, and sabotage.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“This data shows that an entity in Russia is waging a hybrid war on Europe, and may have even infiltrated it. The threat actors are aiming to extract as much data or financial means as possible, leveraging Microsoft infrastructure to do so,” Heimdal founder Morten Kjaersgaard said.
“Whoever is responsible, whether it’s the state or another nefarious group, they have no shame in using Russia’s allies to commit these crimes. The exploitation of Indian infrastructure is a strong example. The data also proves these attackers have strong ties with China,” Kjaersgaard concluded.
More from TechRadar Pro
- A shocking number of workers still haven't received any security training
- Take a look at our guide to the best password managers
- These are the best endpoint protection services
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.