1 month of attack stats

In this sequel to last month’s blog, A Week of Attack Stats, we are expanding our stat survey using the same data collection methods while excluding the original week’s stats. Let’s see if our assertion of a causal relationship between social isolation and cyber attacks remains true.

About 7,500,000 detected attacks on the LARG*net network were logged during this period with 90% perpetrated by known attackers. In our previous blog 59% of attackers were perpetrated by known attackers, a testament to the infosec industry and their tools if ever you needed proof. The increase in attacks lately identified all of these extra attackers and honeypots like ours contribute directly to this effort.

The number of attacks has doubled relative to normal weekly statistics. Not surprisingly this jump inspired the Canadian government to warn that public sector entities, especially those in health care, are being targeted. Our membership included a number of public sector and health care entities so we are keeping a close eye on the situation.

The breakdown in detection by honeypot is similar to the week statistics. Cowrie jumped from 3rd to 1st place and represents 40% of the attacks. This is, in large part, because Cowrie makes SSH/Telnet ports available and many attackers target them to gain quick access. Dionaea and Herlading both attract around 25% of the attacks each. This breakdown is expected since the other honeypots are much more targeted.

Russia takes first place by originating 23% of the attacks, followed by China at 15%, and eventually Canada with 4% of the attacks. These numbers are similar to last time in terms of number of attacks but, interestingly, the targets have changed slightly.

Russia’s focus has shifted to VNC and file servers from SQL servers.

China and the USA are very similar: both focus on SSH with lesser attacks on SQL and file servers for data exfiltration.

All of the attacks originating from Bulgaria target VNC. Last time this was true of Moldova. Interestingly both neighbour Romania so these attacks are very likely sourced from the same APT group though there isn’t a known group in the area as it’s very difficult to identify them by country.

Ireland is an equal opportunity offender, attacking SSH, HTTP, HTTPS, and SMTP equally. The obvious implication being the same bots are behind all 4 and are also likely to be the same group.

Top ISPs

It is important to note that the ISPs are not the ones attacking and likely their attacking subscribers are unaware of their involvement. They are simply infected computers obeying hacker masters via C&C.

You most likely noticed a homegrown entry on in the list. Part of our security services is vulnerability scanning which tends to look like multiple attacks.

Reach out if you’re in need of security services, we’re here to help.