AI Threat Forecast 2026-04-12T00:05:20.164352 #624

Threat Intelligence Briefing

Analysis period: 2026-04-11T18:00:01.879820 - 2026-04-12T00:00:01.879820 (6 hours)

Executive Summary

Global threat activity increased by several orders of magnitude (34,504 → 1,969,539 events), a massive deviation from the previous period that indicates a widespread, coordinated campaign. The surge is driven primarily by aggregated threat and reconnaissance traffic, with the US, China, and the Netherlands as the top source countries. Nordic countries show elevated but proportional activity, with Sweden (2,771 events) and Finland (2,200) seeing the highest volumes, primarily from the abuseipdb_blacklist and reconnaissance categories. The cluster 87.251.64.144/29, originating from the US and flagged for SSH brute-forcing, is a significant repeat offender warranting immediate attention.

Focus mitigation efforts on blocking the persistent /29 cluster (87.251.64.144-149, see https://ip.wayscloud.services/ip-intelligence/87.251.64.144) at the network level rather than blocking individual IPs. Consider implementing temporary rate-limiting for SSH traffic from ASNs historically associated with high-volume scanning. Prioritize monitoring for reconnaissance patterns across Nordic networks, as this surge in scanning activity often precedes more targeted attacks. Deprioritize individual IPs from the general noise, as the primary threat is the coordinated campaign, not isolated events.