
Key findings
- Between June and July 2025, the Ukraine-based autonomous system FDN3 – AS211736, allocated to the entity FOP Dmytro Nedilskyi, was used to launch several hundred thousand brute force and password spraying attacks against SSL VPN and RDP devices, over periods of up to three days.
- We believe with a high level of confidence that FDN3 is part of a wider abusive infrastructure composed of two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), and a Seychelles-based autonomous system named TK-NET (AS210848). These were all allocated in August 2021 and frequently exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities.
- Strong partnerships and ties with other criminal entities could be established. This includes Ecatel’s front network in Seychelles, “IP Volume Inc.” (AS202425), used as the main transit provider for most of the autonomous systems that compose this abusive infrastructure, and also used to launch the same types of attacks during the same period through prefixes rented by VAIZ-AS. There is also Virtualine, a bulletproof hosting solution managing a network registered in the United States, KPROHOST LLC (AS214940), which exchanged prefixes with FDN3.
- Despite being re-announced from a new network, the prefixes continue to emit the same type and the same high volume of attacks. This may mean that a common administrator operates all of these networks and moves prefixes between them to evade blocklisting and attribution.
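The findings above describe two patterns a defender would want to surface in SSL VPN and RDP authentication logs: password spraying (one source, one or two passwords, many accounts) and classic brute force (one source, one account, many attempts), plus attacking sources that hop between prefixes and origin ASNs. The following detector is an added example written for this page; it is not code from Intrinsec's report. It assumes a simplified, constructed log line format (`<ISO-8601 ts> service=<rdp|sslvpn> src=<ipv4> user=<name> result=<OK|FAIL>`), arbitrary thresholds (5 distinct accounts or 10 attempts within a 10-minute window), and sample traffic built only from documentation IP ranges. Flagged sources are rolled up per /24 so that a blocklist can key on the announced prefix rather than on the origin ASN, which this infrastructure changes at will.

```python
"""Flag password spraying and brute force against VPN/RDP in auth logs,
then roll flagged sources up to their IPv4 prefix (added example, hypothetical)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed log format (constructed for this example, not a vendor format):
# <ISO-8601 ts> service=<rdp|sslvpn> src=<ipv4> user=<name> result=<OK|FAIL>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\w+) src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Event:
    ts: datetime
    service: str
    src: ipaddress.IPv4Address
    user: str
    ok: bool


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        service=m["service"],
        src=ipaddress.ip_address(m["src"]),
        user=m["user"],
        ok=m["result"] == "OK",
    )


def detect(lines, window=timedelta(minutes=10), spray_users=5,
           brute_attempts=10, prefix_len=24):
    """Return {"alerts": [...], "prefixes": {...}}.

    Spraying: one source fails against >= spray_users distinct accounts inside
    `window`. Brute force: one source fails >= brute_attempts times against a
    single account inside `window`. Flagged sources are counted per /prefix_len
    so a blocklist can target the announced prefix, not the changeable origin ASN.
    """
    per_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        per_src[ev.src].append(ev)

    alerts, seen = [], set()  # `seen` dedupes (src, alert type) pairs
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):  # sliding window starting at each event
            fails = [e for e in evs[i:] if not e.ok and e.ts - first.ts <= window]
            users = Counter(e.user for e in fails)
            if len(users) >= spray_users and (src, "password_spraying") not in seen:
                seen.add((src, "password_spraying"))
                alerts.append({"type": "password_spraying", "src": str(src),
                               "service": first.service, "accounts": len(users)})
            top_user, top_n = max(users.items(), key=lambda kv: kv[1],
                                  default=(None, 0))
            if top_n >= brute_attempts and (src, "brute_force") not in seen:
                seen.add((src, "brute_force"))
                alerts.append({"type": "brute_force", "src": str(src),
                               "service": first.service,
                               "account": top_user, "attempts": top_n})

    prefixes = Counter()
    for src in {a["src"] for a in alerts}:  # distinct flagged sources per prefix
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        prefixes[str(net)] += 1
    return {"alerts": alerts, "prefixes": dict(prefixes)}


def constructed_sample():
    """Synthetic log lines (constructed; documentation IP ranges only)."""
    t0 = datetime(2025, 6, 15, 3, 0, 0)

    def line(sec, service, src, user, result):
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} service={service} src={src} user={user} result={result}"

    lines = []
    # Two sources in the same /24 each try one password against many accounts.
    for n in range(6):
        lines.append(line(n * 15, "sslvpn", "203.0.113.10", f"user{n}", "FAIL"))
        lines.append(line(n * 15 + 5, "rdp", "203.0.113.11", f"user{n}", "FAIL"))
    # One source hammers a single account.
    for n in range(12):
        lines.append(line(n * 3, "rdp", "198.51.100.7", "administrator", "FAIL"))
    # Benign traffic: one successful login and one mistyped password.
    lines.append(line(20, "sslvpn", "192.0.2.20", "alice", "OK"))
    lines.append(line(60, "sslvpn", "192.0.2.20", "bob", "FAIL"))
    lines.append("garbage line that does not parse")  # exercised by parse_line
    return lines


if __name__ == "__main__":
    result = detect(constructed_sample())
    for alert in result["alerts"]:
        print(alert)
    print("flagged sources per prefix:", result["prefixes"])
```

The per-prefix roll-up is the part that matters for infrastructure like the one described above: when a /24 moves from FDN3 to another origin ASN, a block rule keyed on the prefix keeps working, while one keyed on AS211736 silently stops matching. Thresholds and window size should be tuned to the real authentication volume of the exposed service.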
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.