VYPR
Published Jun 18, 2026 · 1 source

Coordinated SSH Brute-Force Attacks Spiked 2100% Amid Geopolitical Tensions, Honeypot Data Shows

A SANS ISC guest diary analyzing over 20 million SSH brute-force attempts from February to May 2026 reveals coordinated probing spikes correlated with CISA advisories and geopolitical events.

A SANS Internet Storm Center guest diary published Wednesday provides a detailed analysis of over 20 million SSH brute-force attempts captured by a DShield honeypot between February 17 and May 26, 2026. The report, authored by intern Adam Nason, reveals that scanning activity was closely correlated with major cybersecurity advisories, geopolitical tensions, and botnet-driven campaigns, with daily attempts spiking over 2100% in late February.

The honeypot, running on a Raspberry Pi 4 isolated from the researcher's home network, logged a quiet baseline of 200 to 400 daily attempts during its first week. However, on February 25, a sudden surge of over 2100% was observed. This spike coincided with CISA's publication of Emergency Directive 26-03, which addressed vulnerabilities in Cisco's software-defined wide-area network (SD-WAN) solutions, and rising conflict between Iran, Israel, and the United States.

Scanning activity peaked on March 8, with over 300,000 events collected in a single day. The report notes that this peak occurred as tensions between Iran, Israel, and the US continued to escalate, with both advanced persistent threats and opportunistic botnets becoming more active. From March 9 to April 14, daily probes remained above 50,000, often exceeding 100,000, with periodic spikes and dips suggesting automated attack campaigns.

A rapid decline to just over 23,000 attempts was observed on April 15, but activity rebounded in late April and early May. A second spike of 244,344 probes was recorded on May 2, just 24 hours after CISA published a major Linux vulnerability advisory. Following the extension of a ceasefire between Iran and the United States, daily log observations dropped nearly 95% from May 15 to 23, as opportunistic threat actors lost interest.

The analysis identified strong geographic and ASN clustering among the top ten probing IP addresses, with DigitalOcean (AS14061) and M247 (AS9009) showing activity from multiple countries. Synchronized scanning bursts using identical SSH client and HASSH fingerprints were observed within minutes of each other across different countries, indicating coordinated attacks. One specific HASSH fingerprint (03a80b21afa810682a776a7d42e5e6fb) appeared in 702,706 events, suggesting a single managed attack toolkit deployed globally.
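As an added example (not code from the diary or from DShield's own tooling), the two checks the analysis rests on, a spike against the quiet first-week baseline and a burst of one HASSH fingerprint from several countries within minutes, run over constructed honeypot records; the IPs, ASNs and HASSH values are placeholders, not observed indicators:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample events (illustrative, not DShield data):
# (UTC timestamp, source IP, country, ASN, HASSH fingerprint).
SAMPLE_EVENTS = [
    ("2026-02-24T10:00:00", "198.51.100.7", "US", "AS14061", "f1"),
    ("2026-02-24T11:30:00", "203.0.113.9", "DE", "AS9009", "f2"),
    ("2026-02-25T09:00:00", "198.51.100.7", "US", "AS14061", "f1"),
    ("2026-02-25T09:01:30", "203.0.113.9", "DE", "AS9009", "f1"),
    ("2026-02-25T09:03:00", "192.0.2.44", "SG", "AS14061", "f1"),
    ("2026-02-25T14:00:00", "192.0.2.44", "SG", "AS14061", "f2"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), ip, cc, asn, h) for ts, ip, cc, asn, h in events]

def daily_counts(events):
    """Login attempts per UTC day, keyed by ISO date string."""
    return Counter(ts.date().isoformat() for ts, *_ in parse(events))

def flag_spikes(daily, baseline_days=7, threshold_pct=2100):
    """Days whose count exceeds the early baseline by more than threshold_pct.
    Baseline is the mean of the first `baseline_days` days (the quiet first week);
    returns {day: percent increase over baseline}."""
    days = sorted(daily)
    base = mean(daily[d] for d in days[:baseline_days])
    return {d: round(100 * (daily[d] - base) / base) for d in days[baseline_days:]
            if base and 100 * (daily[d] - base) / base > threshold_pct}

def synchronized_bursts(events, window_minutes=5, min_countries=3):
    """For each HASSH, find the first window in which sources from at least
    min_countries countries hit the sensor within window_minutes of each other.
    Returns {hassh: (window start ISO timestamp, sorted country list)}."""
    by_hassh = defaultdict(list)
    for ts, _ip, cc, _asn, h in parse(events):
        by_hassh[h].append((ts, cc))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for h, rows in by_hassh.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            countries = {cc for ts, cc in rows[i:] if ts - start <= window}
            if len(countries) >= min_countries:
                hits[h] = (start.isoformat(), sorted(countries))
                break
    return hits
```

On real DShield logs the same functions apply once the records are mapped to the five-tuple above; a burst flagged by `synchronized_bursts` is a candidate for blocking the fingerprint, not just the individual source addresses.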

Evidence of botnet quota assignment was also found, with throttled scan rates indicating a controller assigning workloads to botnet zombies. The report concludes that SSH brute-force activity is highly responsive to external events, with threat actors quickly pivoting to exploit new vulnerabilities and geopolitical developments. The full diary is available on the SANS ISC website.

Synthesized by Vypr AI