A Ukrainian-based hacker network known as FDN3 has been conducting large-scale brute-force attacks against SSL VPN and RDP devices throughout 2025. The campaign, which peaked in July but continues into September, has direct connections to major ransomware groups including Black Basta and RansomHub.

Attack Campaign Details

The FDN3 network has been systematically targeting VPN infrastructure using sophisticated methods:

• SSL VPN Exploitation: Brute-force attacks on enterprise VPN gateways
• RDP Targeting: Remote Desktop Protocol credential stuffing campaigns
• Ransomware Delivery: Initial access for Black Basta and RansomHub operations
• Credential Harvesting: Stolen credentials sold on dark web marketplaces

UK Impact Assessment

Ransomware Connection

Intelligence sources have confirmed direct links between FDN3 and major ransomware operations:

• Black Basta: Using compromised VPN access for network infiltration
• RansomHub: Leveraging stolen credentials for lateral movement
• Access Brokerage: Selling VPN access to multiple cybercriminal groups
• Double Extortion: Data theft preceding encryption attacks

Immediate Protection Measures

VPN Provider Response

Major VPN providers have implemented enhanced security measures in response to the ongoing attacks:

• Increased monitoring of authentication attempts
• Enhanced anomaly detection systems
• Mandatory security updates for enterprise clients
• Additional verification requirements for suspicious logins

Expert Recommendations

Cybersecurity experts recommend UK organizations take immediate action:

Ongoing Monitoring

The FDN3 campaign represents a significant and ongoing threat to UK cybersecurity. Organizations using VPN services should maintain heightened security postures and work closely with cybersecurity providers to ensure adequate protection against these sophisticated attacks.