A coordinated SSH brute force campaign has unleashed over 20 million attack attempts against internet-facing systems between February and May 2026, with individual organizations experiencing up to 300,000 daily probes during peak periods. (Source: ISC)
Key Insight: This sustained assault represents a fundamental shift in how threat actors approach credential compromise - moving from opportunistic scanning to synchronized, quota-driven operations that adapt their intensity based on global events and vulnerability disclosures.
The campaign's scale becomes clear when examining the attack distribution. A single honeypot system captured these millions of attempts, suggesting the actual global volume reaches into the billions when accounting for all exposed SSH services worldwide. Attack frequency showed dramatic variations tied to external triggers - surging by 2100% following CISA's Emergency Directive 26-03 about Cisco SD-WAN vulnerabilities, and peaking at over 300,000 daily attempts as geopolitical tensions escalated between Iran, Israel, and the United States.
Geographic analysis reveals a sophisticated command structure operating across multiple countries simultaneously. The campaign leveraged infrastructure from DigitalOcean and M247 hosting providers, with identical attack patterns emerging from the United States and Ukraine within 53-second windows. This synchronization indicates centralized botnet control rather than independent actors - a single HASSH fingerprint appeared in 702,706 events, demonstrating widespread deployment of unified attack toolkits.
"Over 20 million SSH brute force attempts were collected by my DShield honeypot over nearly 100 days."
SSH compromise creates cascading business risks that extend far beyond initial server access. Attackers can move laterally through your network using legitimate administrative protocols, making detection extremely difficult. Your security team sees normal SSH traffic patterns while attackers systematically map internal systems, harvest credentials from memory, and identify valuable data repositories.
Key Insight: Once attackers breach an SSH gateway, they gain the equivalent of master keys to your digital infrastructure.
The financial implications mirror those seen in similar infrastructure compromises. Organizations typically face immediate costs from incident response teams, forensic analysis, and system remediation. Extended impacts include regulatory penalties for data exposure, customer notification requirements, and potential litigation from affected parties. The ability to maintain business operations during investigation and remediation often determines whether an incident becomes a minor disruption or a major crisis.
Attack timing analysis reveals deliberate throttling and quota assignments across the botnet infrastructure. Individual nodes maintained consistent probe rates with minimal variation - a hallmark of programmed operations designed to avoid triggering rate-limiting defenses. This methodical approach allows attackers to sustain campaigns for months while flying under the radar of basic intrusion detection systems.
Any organization exposing SSH services to the internet faces immediate risk from this campaign. The targeting focuses heavily on default configurations, particularly root user accounts, which remain enabled on countless systems despite decades of security guidance. Cloud infrastructure, development servers, and remote management interfaces represent prime targets, especially when administrators prioritize convenience over security hardening. The campaign's persistence and adaptability mean that systems secure today may become vulnerable tomorrow as attackers refine their techniques based on successful compromises.
Attack Pattern Analysis: How These Botnets Operate
The technical fingerprints of this botnet campaign reveal a sophisticated operational architecture designed for maximum efficiency and minimal detection. Analysis of the HASSH fingerprints captured during the attacks shows remarkable consistency - 702,706 events shared the identical fingerprint (03a80b21afa810682a776a7d42e5e6fb), pointing to centralized tooling deployed across the entire botnet infrastructure.
The synchronization patterns demonstrate military-precision coordination. Two separate attacks from the United States and Ukraine occurred within 53 seconds of each other, both carrying identical SSH version strings and HASSH fingerprints despite originating from different Autonomous System Numbers. This level of coordination requires sophisticated command-and-control infrastructure capable of orchestrating attacks across multiple geographic regions simultaneously.
The botnet operators implemented quota-based workload distribution to their zombie nodes, a technique that reveals careful resource management. Attack rates showed remarkably low variation - certain nodes maintained steady probe rates suggesting programmed throttling mechanisms. This quota system serves dual purposes: preventing individual nodes from triggering rate-limiting defenses while ensuring sustained pressure across the entire attack surface.
Credential targeting followed predictable patterns that expose the attackers' methodology. The overwhelming majority of attempts targeted the 'root' username, demonstrating that attackers still find success with default configurations despite decades of security awareness. The credential lists appear to rotate through common password combinations, though the specific dictionaries remain encrypted within the botnet's command structure.
The timing analysis reveals adaptive behavior linked to external triggers. Attack volumes surged by 2100% immediately following CISA's Emergency Directive 26-03 regarding Cisco SD-WAN vulnerabilities. Within 24 hours of major Linux vulnerability disclosures, probe attempts reached 244,344 in a single day. This reactive pattern suggests the botnet operators maintain active intelligence gathering capabilities, rapidly pivoting their attacks to exploit newly disclosed vulnerabilities.
Geographic clustering around specific hosting providers offers insights into the infrastructure preferences. DigitalOcean (AS14061) and M247 (AS9009) emerged as primary launch platforms, with nodes distributed across multiple countries yet operating from these consistent ASN providers. This hosting pattern indicates deliberate selection of providers with lenient abuse policies or delayed takedown procedures.
The attack cadence exhibited distinct operational phases. Baseline scanning maintained 200-400 attempts daily during reconnaissance periods. Active exploitation phases saw sustained rates exceeding 50,000 daily probes, often surpassing 100,000 during peak campaigns. The abrupt transitions between these phases - particularly the 95% drop during the extended ceasefire period - suggest human operators making strategic decisions rather than purely automated systems.
Port 22 remained the exclusive target throughout the campaign, indicating specialization in SSH compromise rather than broader vulnerability scanning. The persistent focus on a single service suggests the operators possess refined post-exploitation capabilities specifically designed for SSH access, making initial compromise their primary objective rather than broad vulnerability discovery.
Botnet Campaign Technical Architecture
- Unified fingerprint (03a80b21afa810682a776a7d42e5e6fb) across the entire botnet infrastructure
- US and Ukraine attacks with identical SSH version strings despite different ASNs
- Post-CISA-directive attacks reached 244,344 probes/day after vulnerability disclosures
- Geographic clustering around the AS14061 and AS9009 hosting providers
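As an added illustration (my code, not the diary author's or the honeypot's tooling), the following Python flags the three traits described above from structured SSH connection records: a dominant HASSH fingerprint, sources probing at a near-constant rate, and same-toolkit connections from different ASNs inside a short window. Field names and the sample events are constructed; only the HASSH value comes from the article.

```python
"""Added example: detect the botnet traits the article describes from
SSH connection records. Each record is a dict with epoch seconds, source
IP, ASN, client version string and HASSH; the field names are assumptions."""
import statistics
from collections import Counter, defaultdict

# Constructed sample: two steady-rate nodes in different ASNs sharing the
# fingerprint quoted in the article, plus one irregular human-like source.
BOT_HASSH = "03a80b21afa810682a776a7d42e5e6fb"
SAMPLE_EVENTS = (
    [{"ts": 1000 + 30 * i, "src": "198.51.100.7", "asn": 14061,
      "version": "SSH-2.0-libssh2_1.4.3", "hassh": BOT_HASSH} for i in range(8)]
    + [{"ts": 1020 + 30 * i, "src": "203.0.113.9", "asn": 9009,
        "version": "SSH-2.0-libssh2_1.4.3", "hassh": BOT_HASSH} for i in range(8)]
    + [{"ts": t, "src": "192.0.2.44", "asn": 64500,
        "version": "SSH-2.0-OpenSSH_9.6", "hassh": "aaaa" * 8}
       for t in (1005, 1130, 1160, 1400, 1910)]
)


def fingerprint_counts(events):
    """HASSH -> event count; one value dominating across many sources points
    at shared tooling rather than independent actors."""
    return Counter(e["hassh"] for e in events)


def regular_sources(events, max_cv=0.05, min_events=5):
    """Sources whose inter-arrival gaps vary by at most max_cv (coefficient
    of variation): the steady, quota-driven probe rate signature."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) + 1 < min_events:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[src] = round(cv, 4)
    return flagged


def synchronized_pairs(events, window=60):
    """Pairs of sources in different ASNs presenting the same client version
    and HASSH within `window` seconds of each other."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["version"], e["hassh"])].append(e)
    pairs = set()
    for group in by_key.values():
        group.sort(key=lambda e: e["ts"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                if a["asn"] != b["asn"]:
                    pairs.add(tuple(sorted((a["src"], b["src"]))))
    return pairs
```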
Immediate Detection and Response Actions
Organizations facing these coordinated SSH attacks need immediate visibility into their authentication infrastructure. The honeypot data reveals that attackers specifically target root accounts and default SSH configurations - meaning systems with standard settings face immediate compromise risk.
Your security team can implement these detection measures today without disrupting operations. The attack patterns show clear indicators that differentiate botnet activity from legitimate administrative access.
Immediate Actions (Within 24 Hours):
Enable comprehensive SSH logging across all Linux systems to capture failed authentication attempts. Configure your syslog to forward SSH daemon logs to your centralized SIEM platform, ensuring you capture source IPs, usernames attempted, and timestamps. The honeypot data shows attackers maintain consistent probe rates - detecting uniform connection attempts from single IPs indicates active botnet participation.
Deploy rate limiting rules on port 22 through your firewall or intrusion prevention system. Set thresholds at 5 failed attempts per minute from any single IP address, automatically blocking sources for 24 hours after triggering. The observed botnet quota assignments mean legitimate administrators won't trigger these limits during normal operations.
Search your existing authentication logs for connections from DigitalOcean (AS14061) and M247 (AS9009) address ranges. The honeypot captured synchronized attacks from these providers across multiple countries - any successful authentications from these ASNs warrant immediate investigation.
Short-Term Implementation (This Week):
Transition all SSH access to certificate-based authentication, completely disabling password authentication in /etc/ssh/sshd_config. Generate unique key pairs for each administrator, storing private keys in hardware security modules or encrypted vaults. The observed attacks rely entirely on password guessing - removing this attack vector eliminates the threat regardless of botnet sophistication.
Configure dedicated jump servers for SSH access, blocking direct connections to production systems. Place these bastion hosts behind your VPN infrastructure, requiring multi-factor authentication before reaching the SSH login prompt. This layered approach forces attackers to compromise multiple authentication mechanisms rather than targeting exposed SSH directly.
Cross-reference the specific HASSH fingerprint (03a80b21afa810682a776a7d42e5e6fb) against your authentication logs. Any matches indicate your infrastructure has been targeted by this specific botnet campaign. Export these connection attempts for threat intelligence sharing with industry peers.
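To verify the sshd_config change from the short-term steps, here is an added audit script (my code, not the article's). It applies sshd's own rule that the first occurrence of a keyword wins, which is why a hardened line appended below an earlier permissive one changes nothing, and it skips Match blocks, whose directives apply only conditionally. The OpenSSH defaults in the table and the two sample configs are assumptions I supply for the demonstration.

```python
"""Added example: audit an sshd_config for the password and root settings
the short-term steps call for. First occurrence of a keyword wins, keywords
are case-insensitive, and Match blocks are ignored as non-global."""
import re

# keyword -> (OpenSSH default when unset, accepted hardened values); defaults assumed
EXPECTED = {
    "permitrootlogin": ("prohibit-password", {"no"}),
    "passwordauthentication": ("yes", {"no"}),
    "kbdinteractiveauthentication": ("yes", {"no"}),
    "pubkeyauthentication": ("yes", {"yes"}),
    "permitemptypasswords": ("no", {"no"}),
}


def effective_settings(text):
    """{keyword: value} for global directives; parsing stops at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":  # everything below is conditional, not global
            break
        settings.setdefault(key, value.strip().lower())  # first one wins
    return settings


def audit(text):
    """Return [(keyword, effective value, accepted values)] for each miss."""
    current = effective_settings(text)
    findings = []
    for key, (default, wanted) in EXPECTED.items():
        value = current.get(key, default)
        if value not in wanted:
            findings.append((key, value, sorted(wanted)))
    return findings


# Constructed sample: hardening appended after the permissive lines and, worse,
# after a Match block, so none of it takes effect globally.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
PermitRootLogin no   # still inside the Match block above
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""
```

On a live host, `sshd -T` prints the effective values and is the authoritative check; this script is for reviewing config files before they are deployed.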
Long-Term Security Posture (30-90 Days):
Implement privileged access management solutions that provide just-in-time SSH access with automatic credential rotation. Configure session recording for all administrative connections, enabling forensic analysis if compromise occurs. The coordinated nature of these attacks means persistent credentials become permanent vulnerabilities.
Deploy deception technology alongside production systems - honeypots that mirror your real SSH services but contain no sensitive data. Route suspicious connection attempts to these decoy systems, gathering intelligence about attacker techniques while protecting actual infrastructure.
Establish automated response playbooks that trigger when SSH anomalies exceed defined thresholds. Configure your SIEM to automatically isolate systems experiencing brute force attempts, notify security teams, and initiate packet captures for forensic analysis. The predictable patterns in botnet behavior make automated response both feasible and effective.
Attribution Context: Why Chinese Botnet Activity Matters
The attribution to Chinese botnets reveals a complex ecosystem where state interests, criminal enterprise, and opportunistic actors converge. These operations demonstrate characteristics that blur traditional threat categorization - they exhibit the persistence and infrastructure investment typical of state-sponsored activities while maintaining the profit-driven flexibility of cybercriminal networks.
Chinese botnet operations historically follow a dual-purpose model. Government-affiliated groups leverage these networks for intelligence collection during periods of heightened geopolitical tension, while simultaneously allowing criminal elements to monetize the same infrastructure through cryptocurrency mining, spam distribution, and credential sales on dark web markets. This symbiotic relationship provides plausible deniability for state actors while ensuring continuous operational funding.
The timing correlation with geopolitical events - particularly the Iran-Israel-US tensions mentioned in the honeypot data - suggests strategic activation of dormant botnet capacity. Chinese threat actors have demonstrated this pattern repeatedly: maintaining baseline scanning activity during stable periods, then dramatically escalating operations when global attention focuses elsewhere. The February-March surge coinciding with Middle East tensions follows this established playbook.
SSH brute force attacks remain attractive to Chinese botnets precisely because of their simplicity and effectiveness ratio. Unlike sophisticated zero-day exploits that require significant development resources and burn valuable capabilities upon discovery, SSH attacks leverage human weakness - poor password hygiene and unchanged default configurations. The return on investment becomes compelling when considering that a single compromised server in a corporate network can provide persistent access worth tens of thousands of dollars on underground markets.
The quota-based attack patterns observed in the honeypot logs align with known Chinese botnet operational doctrine. Rather than overwhelming targets with maximum-speed attacks that trigger defensive responses, these groups employ patient, distributed approaches that stay below detection thresholds. Each bot receives specific daily targets and attempt limits, creating attack traffic that mimics legitimate failed login attempts from forgetful administrators.
Economic motivations drive much of this activity beyond traditional espionage goals. Compromised SSH access enables cryptojacking operations that generate steady revenue streams, particularly valuable given cryptocurrency's role in circumventing international sanctions and funding covert operations. Additionally, these botnets harvest credentials for resale to other threat actors, creating a self-sustaining criminal economy.
The infrastructure clustering around providers like DigitalOcean and M247 reflects deliberate operational security choices. These hosting providers offer easy account creation, cryptocurrency payment options, and limited abuse reporting enforcement - ideal conditions for botnet command nodes. Chinese operators frequently rotate through legitimate cloud infrastructure to avoid the reputational indicators associated with traditional bulletproof hosting.
Understanding these motivations helps contextualize the threat beyond simple intrusion attempts. Organizations facing these attacks aren't random targets but part of a broader intelligence gathering and monetization strategy. The persistence demonstrated - maintaining operations despite law enforcement actions and security advisories - indicates these campaigns will continue regardless of defensive improvements, merely shifting tactics and targets based on resistance encountered.
Detection Signatures and Monitoring Strategy
Security teams need detection capabilities that identify botnet behaviors distinct from legitimate administrative activity. The honeypot infrastructure captured specific patterns that differentiate automated attacks from human operators.
Deploy these Elasticsearch queries against your SSH authentication logs to identify quota-driven scanning patterns. The honeypot data revealed attackers maintaining consistent probe rates - searching for connections arriving at regular intervals exposes botnet activity. The query below buckets each source's attempts per minute and computes the minute-to-minute change with a serial_diff pipeline aggregation, which must sit under a date_histogram rather than directly under the terms aggregation; it assumes the timestamp field is @timestamp and the client address field is source_ip, so adjust both to your index mapping:
GET /ssh-logs-*/_search
{
  "size": 0,
  "aggs": {
    "by_source": {
      "terms": {"field": "source_ip", "size": 100},
      "aggs": {
        "per_minute": {
          "date_histogram": {"field": "@timestamp", "fixed_interval": "1m"},
          "aggs": {
            "count_change": {
              "serial_diff": {"buckets_path": "_count", "gap_policy": "skip"}
            }
          }
        }
      }
    }
  }
}
Alert when the variance between a source's connection attempts falls below 5% - this indicates automated scanning, whereas human-initiated connections show natural variation.
The synchronized attacks from different geographic locations require correlation rules that detect simultaneous authentication failures. Configure your SIEM to trigger when identical usernames appear from multiple source IPs within 60-second windows:
index=ssh_logs eventtype=failed_auth
| bin _time span=1m
| stats dc(src_ip) as unique_sources values(src_ip) as source_list by username _time
| where unique_sources > 2
Set thresholds based on your environment's baseline. The honeypot observed burst patterns where single IPs generated between 50 and 200 attempts per hour during active campaigns. Organizations with fewer than 100 Linux servers should alert on any source exceeding 20 failed attempts per hour.
DigitalOcean (AS14061) and M247 (AS9009) infrastructure dominated the attack sources. Block these ASN ranges at your perimeter if you don't conduct business with their hosted services. The clustering analysis revealed these providers host significant botnet infrastructure across multiple countries.
Hunt for these specific authentication patterns in your historical logs. The campaign consistently targeted default usernames beyond just root - search for failed attempts against admin, ubuntu, debian, and oracle accounts. These username selections indicate automated tools probing for common cloud instance defaults:
grep -E "sshd\[[0-9]+\]: Failed password for (invalid user )?(root|admin|ubuntu|debian|oracle) from" /var/log/auth.log \
  | grep -oE 'from [0-9a-fA-F.:]+' | awk '{print $2}' | sort | uniq -c | sort -rn
Monitor for SSH client version anomalies. The botnet infrastructure transmitted uniform version strings across thousands of connections. Flag any source IP presenting multiple different SSH client versions within a 24-hour period - legitimate users maintain consistent client software while botnets rotate through various configurations.
The timing analysis revealed attack waves correlating with vulnerability announcements. Implement automated threat intelligence feeds that trigger enhanced monitoring when CISA publishes emergency directives. The February 25th spike occurred within hours of ED 26-03's release - your detection systems need similar responsiveness.
Configure rate limiting that accounts for distributed attacks. Traditional fail2ban rules blocking individual IPs prove ineffective against coordinated campaigns. Instead, implement connection limits per username across all source IPs - when root receives 100 total failed attempts from any combination of sources within 5 minutes, temporarily disable that account's SSH access.
These detection patterns emerged from analyzing millions of actual attack attempts. Your security operations center can implement these queries immediately to identify similar botnet activity targeting your infrastructure.
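The per-IP hourly threshold and the per-username lockout proposed above, as an added worked example (my code, not the article's or the honeypot's tooling): it parses OpenSSH "Failed password" lines from auth.log and applies both rules with a sliding window. The log lines, the hostname and the year are constructed.

```python
"""Added example: parse OpenSSH 'Failed password' lines from auth.log and
apply two thresholds: 20 failures per hour from one source IP, and 100
failures against one username from any mix of sources within 5 minutes."""
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog format carries no year, so one is assumed below.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
YEAR = 2026  # assumption for the constructed sample lines


def parse_failures(lines, year=YEAR):
    """Return [(epoch_seconds, username, source_ip)] for failed-password lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            stamp = datetime.strptime(
                f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((stamp.timestamp(), m["user"], m["ip"]))
    return events


def keys_over_limit(events, key_index, limit, window):
    """Keys (IP or username) with at least `limit` events inside any `window` seconds."""
    times_by_key = defaultdict(list)
    for ev in sorted(events):
        times_by_key[ev[key_index]].append(ev[0])
    hits = set()
    for key, times in times_by_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= limit:
                hits.add(key)
                break
    return hits


def noisy_sources(events):
    """Per-IP rule: 20 failures from one address within an hour."""
    return keys_over_limit(events, 2, limit=20, window=3600)


def usernames_to_lock(events):
    """Per-username rule, which catches distributed campaigns per-IP rules miss:
    100 failures against one account from any sources within 5 minutes."""
    return keys_over_limit(events, 1, limit=100, window=300)


# Constructed log: 120 root failures spread across 7 IPs in 4 minutes (each IP
# stays under the hourly limit), then one IP probing 'oracle' 25 times in an hour.
SAMPLE_LOG = [
    f"Mar 03 10:{i // 30:02d}:{(i * 2) % 60:02d} bastion sshd[{4000 + i}]: "
    f"Failed password for root from 203.0.113.{i % 7 + 1} port {40000 + i} ssh2"
    for i in range(120)
] + [
    f"Mar 03 12:{i:02d}:05 bastion sshd[{6000 + i}]: Failed password for "
    f"invalid user oracle from 198.51.100.9 port {50000 + i} ssh2"
    for i in range(25)
]
```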
Why This Attack Works and What Organizations Underestimate
The fundamental disconnect between security teams and executive leadership regarding SSH brute force attacks stems from a dangerous misconception: these attacks appear primitive, therefore they must be ineffective. The honeypot data tells a different story.
Consider the mathematics of persistence. When attackers execute 300,000 daily probes against a single target, they're not hoping for luck - they're exploiting probability. Even with a 0.01% success rate, that yields 30 compromised credentials per day from just one target. Multiply this across thousands of internet-facing servers, and the economics become clear: botnet operators achieve profitable compromise rates through sheer volume.
The honeypot logs reveal why organizations consistently underestimate this threat. Attack traffic blends seamlessly with legitimate failed authentication attempts. Security teams reviewing authentication logs see hundreds of failed root login attempts and dismiss them as background noise. What they miss is the pattern - these aren't random attempts but carefully orchestrated campaigns testing credential combinations derived from previous breaches, common password lists, and targeted intelligence gathering.
The technical simplicity masks operational sophistication. These botnets don't need zero-day exploits or advanced malware. They exploit three universal truths about enterprise environments:
- Default configurations persist longer than anyone admits - the honeypot captured millions of attempts targeting 'root' accounts, which many organizations never disable
- Password policies focus on complexity over uniqueness - forcing users to create P@ssw0rd123! variations that appear in every wordlist
- SSH remains exposed to the internet for convenience - remote administration requirements override security concerns
The quota-driven attack patterns discovered in the logs demonstrate industrial-scale optimization. Botnets maintain precise attack rates to avoid triggering rate-limiting defenses while maximizing coverage. This isn't spray-and-pray; it's calculated resource allocation designed to fly under detection thresholds.
Most critically, organizations fail to understand the cascading impact of a single compromised SSH account. Unlike web application breaches that might expose limited data, SSH access provides a beachhead for complete infrastructure compromise. Attackers gain command-line access to internal systems, can pivot through network segments, and establish persistent backdoors - all while appearing as legitimate administrative activity.
The geopolitical correlation adds another dimension organizations overlook. The data shows attack volumes surging during international tensions and immediately following vulnerability disclosures. These aren't coincidences - they're indicators that botnet operators monitor global events and cybersecurity advisories as closely as defenders do. When CISA published emergency directives, attack volumes increased over 2100% within days. Attackers know organizations struggle to patch quickly, creating windows of guaranteed vulnerability.
The shared HASSH fingerprints across 702,706 events prove these aren't disparate actors but coordinated campaigns using standardized tooling. This centralization means successful techniques propagate instantly across the entire botnet. When one attacker discovers a working credential combination or vulnerable configuration, that intelligence feeds back to the controller and redistributes to all nodes.
Organizations betting on obscurity or assuming attackers won't find their systems fundamentally misunderstand modern reconnaissance. These botnets continuously scan the entire IPv4 address space, cataloging every exposed SSH service. There's no hiding - only hardening.