Anecdotal evidence indicates that it may be possible to predict developments in real world conflicts from certain indicators in cybercrime traffic.
Is it possible to glean useful information about international developments or even predict real world attacks from the activity that we record in the logs of Internet-facing systems?
Note: A trackerless (other than my webserver log) version of the article is now available on my web site.
Looking at data I collect for other, quite pragmatic, reasons, I see a clear correlation between the run-up to the Russian invasion of Ukraine earlier this month and the password guessing activity targeting non-classified systems in my care.
I'll be backing up that assertion with data later, but first, a bit of background.
As returning readers already know, I have been running Internet facing systems for a select group of friends and family for decades. In the late noughties I noticed a pattern of slow, distributed password guessing that I dubbed The Hail Mary Cloud, summed up in the summary article linked here and links therein. The data I collect from those failed logins make it into a set of blocklists, along with data from a few other sources. And yes, this is also one source of new spamtraps, as noted in the blocklists article.
A few years after the original Hail Mary Cloud events, in January 2016, I started seeing Hail Mary-like activity again and started collecting data (available in the raw here), but, failing to see any new patterns worth writing about, I never started a new article based on the data. Until now, that is.
The table below gives the total number of failed attempts per month since then (the table as a .csv file is available here):

Failed SSH login attempts per month, 2016 - 2022

Month | 2016   | 2017   | 2018  | 2019  | 2020  | 2021  | 2022  |
Jan   | 27015  | 348020 | 17738 | 35143 | 34882 | 42866 | 2355  |
Feb   | 121675 | 329074 | 2115  | 32053 | 60605 | 39029 | 24218 |
Mar   | 62254  | 498613 | 4648  | 29839 | 37477 | 29575 |       |
Apr   | 94335  | 271992 | 9588  | 38310 | 29941 | 27876 |       |
May   | 26428  | 106688 | 4782  | 55485 | 46207 | 24455 |       |
Jun   | 71321  | 65966  | 10831 | 75515 | 21947 | 36292 |       |
Jul   | 39088  | 49675  | 5865  | 47619 | 57082 | 20225 |       |
Aug   | 162529 | 65899  | 7631  | 59421 | 14030 | 62002 |       |
Sep   | 183196 | 26007  | 5804  | 85336 | 17814 | 31179 |       |
Oct   | 165295 | 16109  | 8211  | 82020 | 38185 | 6812  |       |
Nov   | 184660 | 28234  | 5395  | 58547 | 20734 | 3814  |       |
Dec   | 127288 | 15049  | 38320 | 82739 | 33650 | 5509  |       |
Failed SSH login attempts February 2022
Feb 1: 66
Feb 2: 13
Feb 3: 50
Feb 4: 31
Feb 5: 35
Feb 6: 85
Feb 7: 13
Feb 8: 70
Feb 9: 28
Feb 10: 13
Feb 11: 32
Feb 12: 13
Feb 13: 48
Feb 14: 28
Feb 15: 30
Feb 16: 337
Feb 17: 2006
Feb 18: 1906
Feb 19: 1608
Feb 20: 2113
Feb 21: 2207
Feb 22: 2424
Feb 23: 1978
Feb 24: 2976
Feb 25: 3044
Feb 26: 2071
Feb 27: 992
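The monthly table and the per-day list above are both reductions of the same raw material: the "Failed password for ..." lines that OpenSSH's sshd writes to syslog. The script below is an added example, not the author's own collection scripts. It parses a small constructed sample of such lines (RFC 5737 documentation addresses, a made-up host name, PIDs and user names; the timestamp has no year, as in BSD syslog, so the caller supplies it), produces per-day and per-month totals plus the most active source addresses, and then runs a simple spike detector over the February 2022 per-day totals quoted above. The detector compares each day with the median of the preceding seven days and reports days that are at least four times that baseline and at least 100 attempts; the window, factor and floor are choices made for this example, not values from the article.

```python
"""Count failed sshd password guesses per day and month, and flag days that
jump well above the recent baseline.

Added example, not the author's own collection scripts.  The log format is
the stock OpenSSH "Failed password for ..." line as written to a BSD syslog
(no year in the timestamp, so the caller supplies it).
"""
import re
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample log: RFC 5737 documentation addresses, a made-up host
# name ("gw"), PIDs and users.  One accepted login and one preauth disconnect
# are included to show that only actual failed password attempts are counted.
SAMPLE_LOG = """\
Feb 14 02:11:09 gw sshd[4021]: Failed password for root from 192.0.2.10 port 41922 ssh2
Feb 14 09:40:31 gw sshd[4100]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Feb 15 04:02:12 gw sshd[4311]: Failed password for invalid user oracle from 203.0.113.5 port 33012 ssh2
Feb 15 22:18:55 gw sshd[4388]: Accepted publickey for peter from 192.0.2.200 port 51234 ssh2
Feb 16 01:00:01 gw sshd[4501]: Failed password for invalid user test from 198.51.100.7 port 50390 ssh2
Feb 16 01:00:02 gw sshd[4502]: Failed password for invalid user test from 198.51.100.7 port 50391 ssh2
Feb 16 01:00:03 gw sshd[4503]: Failed password for invalid user test from 198.51.100.8 port 50392 ssh2
Feb 16 01:00:04 gw sshd[4504]: Failed password for root from 203.0.113.5 port 33100 ssh2
Feb 16 01:00:05 gw sshd[4505]: Failed password for root from 203.0.113.6 port 33101 ssh2
Feb 16 01:00:06 gw sshd[4506]: Failed password for invalid user pi from 192.0.2.10 port 41999 ssh2
Feb 16 13:37:00 gw sshd[4600]: Connection closed by 192.0.2.10 port 42000 [preauth]
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "invalid user" is present when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed(lines, year):
    """Yield (date, user, source_ip) for every failed password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield (date(year, MONTHS[m["mon"]], int(m["day"])), m["user"], m["ip"])


def daily_counts(events):
    """Map date -> number of failed attempts, as in the per-day list."""
    return Counter(d for d, _, _ in events)


def monthly_counts(events):
    """Map (year, month) -> number of failed attempts, as in the monthly table."""
    return Counter((d.year, d.month) for d, _, _ in events)


def top_sources(events, n=3):
    """Most active source addresses; the natural blocklist candidates."""
    return Counter(ip for _, _, ip in events).most_common(n)


def spike_days(daily, window=7, factor=4, min_count=100):
    """Return the days whose count is at least `factor` times the median of
    the preceding `window` days and at least `min_count`.  The floor keeps a
    jump from 5 to 40 attempts from being reported as an event."""
    days = sorted(daily)
    flagged = []
    for i in range(window, len(days)):
        baseline = median(daily[d] for d in days[i - window:i])
        today = daily[days[i]]
        if today >= min_count and today >= factor * baseline:
            flagged.append(days[i])
    return flagged


# The February 2022 per-day totals reported in the article (Feb 1 to Feb 27).
FEB_2022 = {date(2022, 2, i + 1): n for i, n in enumerate([
    66, 13, 50, 31, 35, 85, 13, 70, 28, 13, 32, 13, 48, 28, 30,
    337, 2006, 1906, 1608, 2113, 2207, 2424, 1978, 2976, 3044, 2071, 992])}


if __name__ == "__main__":
    events = list(parse_failed(SAMPLE_LOG.splitlines(), 2022))
    for d, n in sorted(daily_counts(events).items()):
        print(d, n)
    print("top sources:", top_sources(events))
    print("spike days:", [d.isoformat() for d in spike_days(FEB_2022)])
```

On the article's own February numbers the detector reports February 16 through 20. It goes quiet from the 21st onwards not because the guessing stopped but because a rolling window adapts: once the elevated level has persisted for a week it becomes the new baseline. For alerting on the onset of a campaign that is fine; for judging whether a campaign is still running, compare against a fixed quiet reference period instead.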
The developments stand out even more clearly when presented as a graph:
Then on the day of the attack, I tweeted:
My regular readers will probably not be surprised to hear that #hailmary-ish #ssh #password guessing is way up (from historically low levels) during the last few days. I ponder doing a writeup. Should I go ahead and do that?
— Peter N. M. Hansteen (@pitrh) February 24, 2022
If you do not want to wait for those write-ups, you are welcome to go ahead and analyse the data (as long as any reuse or resulting analysis credits the source) -- the archive is here while the data for the month so far can be found here (note: that link always points to freshest collection for the current month).
If you too collect logs on similar activity and you are able to share data or analysis, I would like to hear from you.
The numbers for failed ssh logon attempts in March so far are:
Notice that the number of attempts before noon today already exceeds the total for the previous day. We may be seeing the preparation for another offensive or other event in need of propaganda or other cybercrime support. Stay tuned for updates.