Historically, Finland has not been targeted by a high number of cyber-attacks, but digital assaults spiked in the days prior to the July 16 meeting between U.S. President Donald Trump and Russian President Vladimir Putin in Helsinki.
The massive rise in cyber-attacks isn’t surprising, given the precedent established earlier this year, when Singapore received a massive wave of attacks from June 11 to June 12, during the Trump-Kim summit.
While most of the cyber-attacks observed during President Trump’s meeting with the North Korean leader appeared to originate from Russia, those observed last week were mainly launched from China, F5 reports.
The Finland and Singapore cyber-attacks showed some similarities in targeted ports, which included SIP port 5060, which is typically used by VoIP phones (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).
The most attacked port in the new wave of assaults, however, was SSH port 22, followed by SMB port 445. SSH is often used for the secure remote administration of Internet of Things (IoT) devices, but vendors often secure devices with easily guessable credentials, which turns these products into easy targetes for cybercriminals.
“The device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” F5 notes.
The Finland assaults also targeted ports that weren’t seen in the Singapore attacks, including HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.
Despite the massive spike in cyber-attacks targeting Finland between July 12 and July 15, the country remained far behind top targeted countries. Compared to Canada, which typically makes it to top 10 but not top 5, Finland received on a small fraction of cyber-attacks on July 12 and July 14 and “doesn’t even register on the chart,” F5 says.
The top targeting countries during the spike were China (29%), United States (14%) and France (9%), followed by Italy (8%) and Russia (7%). Many of the attacks originated from networks usually seen launching such attacks, the security researchers say.
ChinaNet, consistent
ly at the top of the threat actor network list globally, remained the top attacking network during the attack spike.
Such attacks, F5 notes, are possible because of the rise of poorly secured IoT devices. By targeting vulnerable devices, nation-states, spies, mercenaries, and others can easily launch attacks against anyone.
“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 notes.
Related: Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore