F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019 through December 31, 2019—in the United States (U.S.), Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in Russia during the winter of 2019 was characterized by a large number of unique attacking IP addresses, which only targeted systems in Russia.
- SoftLayer Technologies Inc., with IP addresses geographically located in the Netherlands, launched the most attack traffic directed towards systems in Russia.
- Attack traffic originating from IP addresses inside Russia accounted for more attack traffic than that attributed to any other single nation. This kind of traffic is particularly hard to filter, as it requires behavioral detection rather than geographical IP address blocking.
- The top targeted port, SMB port 445, and the third most attacked port, SSH port 22, were commonly targeted across the world because exploiting a vulnerability on either of these services can give a malicious actor access to the entire system.
- Swiss Exchange port 7326 was only attacked on Russian systems. This traffic was first noticed in October and only targeted Russia. This is notable, given the potential financial implications and the fact that this was not a top attacked port anywhere else in the world during this time period.
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The phrase “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia. However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the U.S., and the Netherlands round out the top five for sources of global attack traffic. The full top ten source traffic countries were seen attacking all regions of the world. Moldova is a relative newcomer to this list, again due to the global VNC port 5900 attack campaign.
When zooming in on Russia specifically, we found it notable that Russia itself is the top attacking source traffic country. This type of behavior can be more difficult for enterprises to filter out, as it requires behavioral detection rather than geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region.
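To make the behavioral-versus-geographical distinction concrete, here is an added example (not part of the F5 Labs report or its tooling) that runs both approaches over a constructed connection log: country blocking lets a domestic scanner through, while a simple behavioral rule (one source touching several hosts on the report's most-targeted ports) flags it regardless of where its IP address is geolocated. The log entries, thresholds, and IP addresses are invented for illustration.

```python
from collections import defaultdict

# Constructed sample connection log: (src_ip, src_country, dst_ip, dst_port).
# All addresses are documentation/test ranges; values are not from the report's dataset.
SAMPLE_LOG = [
    ("203.0.113.5", "RU", "198.51.100.10", 445),
    ("203.0.113.5", "RU", "198.51.100.11", 445),
    ("203.0.113.5", "RU", "198.51.100.12", 445),
    ("203.0.113.5", "RU", "198.51.100.13", 22),
    ("203.0.113.5", "RU", "198.51.100.14", 7326),
    ("203.0.113.77", "RU", "198.51.100.10", 443),  # ordinary domestic HTTPS client
    ("198.18.0.9", "AR", "198.51.100.10", 5900),
    ("198.18.0.9", "AR", "198.51.100.11", 5900),
    ("198.18.0.9", "AR", "198.51.100.12", 5900),
    ("198.18.0.9", "AR", "198.51.100.13", 5900),
]

# Ports the report calls out as heavily targeted: SMB, SSH, VNC, Swiss Exchange.
WATCHED_PORTS = {445, 22, 5900, 7326}


def geo_block(log, blocked_countries):
    """Geographical filtering: drop entries purely by source country.
    A scanner geolocated inside the defended region is never dropped."""
    return [entry for entry in log if entry[1] not in blocked_countries]


def behavioral_flags(log, min_targets=3):
    """Behavioral filtering: flag any source that touches at least
    min_targets distinct destination hosts on watched ports, ignoring country.
    Returns {src_ip: number_of_distinct_targets} for flagged sources."""
    targets = defaultdict(set)
    for src, _country, dst, port in log:
        if port in WATCHED_PORTS:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    survivors = {e[0] for e in geo_block(SAMPLE_LOG, {"AR"})}
    print("Sources still allowed after blocking AR:", sorted(survivors))
    print("Sources flagged by behavior:", behavioral_flags(SAMPLE_LOG))
```

The domestic scanner 203.0.113.5 survives the country block but is flagged behaviorally, while the legitimate domestic client 203.0.113.77 is untouched by either rule.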
IP addresses located in Argentina, appearing in both the top source traffic list and the top attacking IP addresses list, were only seen targeting Latin America and Russia during this time period. The top attacking IP address targeting Russian systems also came from Argentina, and it represents the largest volume of attack traffic coming from a single IP address. Other threat actors took a more distributed approach: of the top 50 attacking IP addresses, eight were located in Russia and seven were geolocated in the United States and Germany. This distributed style of attack is deliberate and takes more resources (systems and human effort) to carry out, and is therefore often attributed to more sophisticated threat actors. The other countries in the top ten were all seen attacking all regions of the world.