A Ukrainian network known as FDN3 has been identified as the source of large brute-force attacks targeting SSL VPNs and Remote Desktop Protocol (RDP) devices. Security researchers observed these attacks during June and July 2025, with the most intense surge recorded between July 6 and July 8. Instead of quick hits, some of the campaigns lasted for as long as three days, flooding targeted systems with endless login attempts.
FDN3 is officially listed as AS211736, but investigators quickly realized that it is not acting alone. According to Intrinsec, FDN3 is part of a cluster of abusive networks that also includes VAIZ-AS (AS61432), ERISHENNYA-ASN (AS210950), and a Seychelles-registered provider called TK-NET (AS210848). These networks work together by swapping IPv4 prefixes between their autonomous systems. A blocklist or reputation feed keyed on an ASN or on a prefix's current owner loses track of the traffic as soon as the same prefix is announced from a different AS, so the attacks continue without being immediately shut down.
What makes this more concerning is the connection to IP Volume Inc. (AS202425), a company based in Seychelles. This company has ties to the former Dutch bulletproof hosting firm Ecatel, which was once notorious for supporting cybercriminals. IP Volume now serves as a transit provider for FDN3 and related networks, enabling attackers to move their traffic freely while keeping their infrastructure alive. The shifting of prefixes between networks while maintaining the same attack patterns strongly suggests a shared administrator or coordinated group behind the activity.
Intrinsec also pointed out that some prefixes currently used by FDN3 had previously been associated with other providers. These include SibirInvest OOO (AS44446) in Russia and Virtualine/KPROHOST LLC (AS214940) in the United States. This recycling of address space shows how attackers reuse old or abandoned resources, so that historical WHOIS and routing data points at several unrelated holders and makes it much harder for defenders to trace the activity back to a single origin.
The method of attack itself is simple but highly effective. FDN3 and its partners are carrying out brute-force and password-spraying attacks against publicly exposed VPN and RDP systems. The two differ in shape: brute force hammers one account with many candidate passwords, while password spraying tries a handful of common passwords against many accounts, staying under per-account lockout thresholds. Either way, the attackers are exploiting weak or reused passwords until a guess succeeds. These intrusions are especially dangerous because a guessed credential produces what looks like a legitimate login, giving attackers a direct path into corporate environments that perimeter defenses focused on malware or exploits will not flag.
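The two patterns described above leave different fingerprints in authentication logs, and telling them apart matters for response (a spray points at weak passwords across the user base, a brute force at one exposed account). The script below is an added example, not code from Intrinsec or the original article: it profiles failed VPN/RDP logins per source IP, labels each source as brute force, password spray or benign, flags a success that follows a run of failures, and reports how long a source has been active, which is the multi-day persistence the article describes. The log format, IP addresses, usernames and thresholds are constructed for illustration; a real deployment would parse Windows Event ID 4625 or the VPN appliance's own syslog instead.

```python
"""Profile failed VPN/RDP logins per source IP and label the attack pattern.

Added example, not from the original article or from Intrinsec. Log format,
addresses, usernames and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Tunable thresholds (assumed values, not taken from the article).
BRUTE_MIN_FAILURES_ONE_USER = 4        # many guesses against a single account
SPRAY_MIN_DISTINCT_USERS = 5           # few guesses each, across many accounts
SUSPICIOUS_FAILURES_BEFORE_SUCCESS = 3  # success after this many failures = likely guessed

# Constructed sample log: "<ISO-8601 time> <src_ip> <user> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2025-07-06T01:00:00Z 203.0.113.10 admin FAIL
2025-07-06T13:00:00Z 203.0.113.10 admin FAIL
2025-07-07T01:00:00Z 203.0.113.10 admin FAIL
2025-07-07T13:00:00Z 203.0.113.10 admin FAIL
2025-07-08T01:00:00Z 203.0.113.10 admin FAIL
2025-07-08T23:30:00Z 203.0.113.10 admin FAIL
2025-07-07T02:00:00Z 198.51.100.7 admin FAIL
2025-07-07T02:00:01Z 198.51.100.7 administrator FAIL
2025-07-07T02:00:02Z 198.51.100.7 backup FAIL
2025-07-07T02:00:03Z 198.51.100.7 helpdesk FAIL
2025-07-07T02:00:04Z 198.51.100.7 scanner FAIL
2025-07-07T02:00:05Z 198.51.100.7 vpn FAIL
2025-07-07T03:00:00Z 192.0.2.44 svc_backup FAIL
2025-07-07T03:00:01Z 192.0.2.44 svc_backup FAIL
2025-07-07T03:00:02Z 192.0.2.44 svc_backup FAIL
2025-07-07T03:00:03Z 192.0.2.44 svc_backup FAIL
2025-07-07T03:00:04Z 192.0.2.44 svc_backup SUCCESS
2025-07-07T08:00:00Z 192.0.2.9 alice FAIL
2025-07-07T08:00:30Z 192.0.2.9 alice SUCCESS
"""


@dataclass
class SourceProfile:
    src_ip: str
    failures: int
    distinct_users: int
    max_failures_one_user: int
    success_after_failures: bool
    first_seen: datetime
    last_seen: datetime

    @property
    def duration_hours(self) -> float:
        """How long the source stayed active (the article notes runs of up to 72 h)."""
        return (self.last_seen - self.first_seen).total_seconds() / 3600


def parse_line(line: str) -> tuple:
    ts, src_ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src_ip, user, result


def profile_sources(log_text: str) -> dict:
    """Aggregate events per source IP, processed in time order."""
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    failures = defaultdict(int)
    per_user = defaultdict(lambda: defaultdict(int))
    success_after = defaultdict(bool)
    first_seen, last_seen = {}, {}
    for ts, ip, user, result in events:
        first_seen.setdefault(ip, ts)
        last_seen[ip] = ts
        if result == "FAIL":
            failures[ip] += 1
            per_user[ip][user] += 1
        elif result == "SUCCESS" and failures[ip] >= SUSPICIOUS_FAILURES_BEFORE_SUCCESS:
            success_after[ip] = True  # a login that followed a guessing run
    return {
        ip: SourceProfile(ip, failures[ip], len(per_user[ip]),
                          max(per_user[ip].values(), default=0),
                          success_after[ip], first_seen[ip], last_seen[ip])
        for ip in first_seen
    }


def classify(p: SourceProfile) -> str:
    """Brute force concentrates failures on one account; spraying spreads them thin."""
    if p.max_failures_one_user >= BRUTE_MIN_FAILURES_ONE_USER:
        return "brute_force"
    if p.distinct_users >= SPRAY_MIN_DISTINCT_USERS:
        return "password_spray"
    return "benign"


def classify_log(log_text: str) -> dict:
    return {ip: classify(p) for ip, p in profile_sources(log_text).items()}


if __name__ == "__main__":
    for ip, p in profile_sources(SAMPLE_LOG).items():
        print(f"{ip:<14} {classify(p):<15} failures={p.failures} users={p.distinct_users} "
              f"span={p.duration_hours:.1f}h success_after_failures={p.success_after_failures}")
```

Note that the per-account lockout that defeats 203.0.113.10 does nothing against 198.51.100.7, which never touches the same account twice; that is why the spray case has to be detected on the source-IP axis rather than the account axis. The success from 192.0.2.44 after four failures is the line a responder should look at first, since it indicates a credential that has been guessed, not merely attempted.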
This approach is not new. In fact, it aligns closely with tactics used by ransomware-as-a-service groups such as Black Basta, GLOBAL GROUP, and RansomHub. While the current activity has not been directly tied to those groups, it mirrors the exact methods they typically use to gain their initial foothold before deploying ransomware inside a network. This overlap raises concerns that the brute-force activity linked to FDN3 could be paving the way for more destructive operations later on.
The timing and persistence of these campaigns also highlight the scale of the threat. The peak in early July was not a minor event; it represented a record level of activity for the network, and the fact that some attacks continued for up to 72 hours shows both determination and resources. This is a coordinated and organized effort, not random individuals running password guessers.
The evidence reveals a bulletproof-style hosting ecosystem fueling global cyberattacks. By swapping prefixes and using transit providers like IP Volume Inc., FDN3 operators sustain long-term brute-force campaigns. For organizations, this highlights the urgent need for multi-factor authentication on every VPN and RDP login, strict access controls (RDP should not be reachable directly from the internet, and lockout or rate limiting should apply to repeated failures), and continuous monitoring of authentication logs for failed-login spikes. Blocking the ASNs named above is a reasonable interim step, but because these operators move prefixes between networks, a block keyed on today's ASN or prefix will not stay effective for long. Without these controls, attackers will keep exploiting weak points worldwide.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news