"While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall. We are not presently aware of these files being leaked online by threat actors," Crean said, stressing that the incident was "not ransomware or similar event" but the result of "a series of brute-force attacks aimed at gaining access to the preference files stored in backup."
We believe with a high level of confidence that FDN3 is part of a wider abusive infrastructure composed of two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), and a Seychelles-based autonomous system named TK-NET (AS210848). Those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities.