Key facts
- Attackers used a 45-GPU cluster to crack SSL VPN authentication hashes.
- The cracking operation led to full network compromises at multiple organizations.
- Classified defense documents were exfiltrated from a Turkish NATO defense contractor.
- The attackers employed an innovative, recursive password cracking system.
- Thousands of organizations, including major companies and government agencies, were affected.
A sophisticated password-cracking operation has resulted in the compromise of thousands of organizations worldwide, according to cybersecurity firm Hudson Rock. The attackers utilized a massive, dedicated cluster of 45 GPUs, managed by a system called Hashtopolis, to intercept and crack SSL VPN authentication hashes.
This aggressive methodology allowed threat actors to gain access to Active Directory environments and other centralized authentication systems. Researcher Diachenko confirmed that this led to full network compromises across multiple organizations in countries including Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, classified defense documents were exfiltrated from a Turkish NATO defense contractor.
The password cracking techniques employed were highly innovative, featuring a feedback-driven, 12-level recursive system. Instead of a simple dictionary attack, password candidates were generated from custom dictionaries, common keyboard patterns, and cracking rules, with successful guesses feeding back into the system to generate more sophisticated attempts. This iterative improvement distinguished the attackers' approach.
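As an added example (not from the Hudson Rock report or the attackers' tooling), the defensive counterpart of the method described above: a password-policy check of the kind an SSL VPN or Active Directory deployment could run at password-set time, rejecting candidates built from the same ingredients the article names, dictionary words with common cracking-rule transforms and keyboard-walk patterns. The wordlist, leetspeak map and row layout are constructed assumptions; a real policy would use a large dictionary plus the organization's own terms.

```python
import re

# Constructed sample wordlist standing in for the custom dictionaries a real policy would load.
WORDLIST = {"password", "welcome", "summer", "company", "vpn", "admin"}

# QWERTY rows used to detect keyboard walks such as "qwerty" or "asdfgh" (assumed layout).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Inverse of common leetspeak substitutions that cracking rules apply to dictionary words.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Undo the typical append-digits/symbols and leet rules to recover the base word."""
    base = re.sub(r"[0-9!@#$%^&*._-]+$", "", password)
    return base.translate(UNLEET).lower()


def is_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if s contains min_len or more adjacent keys along one row, forwards or backwards."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            seg = row[start:start + min_len]
            if seg in s or seg[::-1] in s:
                return True
    return False


def weak_reasons(password: str, min_len: int = 12) -> list[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    reasons = []
    base = normalize(password)
    if base in WORDLIST:
        reasons.append(f"dictionary word after stripping rules: {base}")
    if is_keyboard_walk(password):
        reasons.append("keyboard walk")
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "Welcome2024!", "Qwerty123!", "correct-horse-battery-staple"]:
        print(candidate, "->", weak_reasons(candidate) or "accepted")
```

The normalization step is what matters: a policy that only checks the literal password against a blocklist misses exactly the rule-transformed variants the article describes.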
Despite their technical sophistication in cracking, the attackers exhibited poor operational security, leaving artifacts on their servers, which are considered amateur mistakes in hacker circles. The top countries where compromised devices were found include India, the US, Taiwan, Mexico, Turkey, and Thailand. The most affected industries were IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services. Major companies such as Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture were among those whose data appeared in the compromised database, alongside thousands of other organizations, including government agencies and critical infrastructure providers.
Firewalls, a common network entry point, were identified as a key vector for these attacks. The availability of this compromised data to cybercriminals poses a substantial risk to network security.
