The analysis of the sources of the attack revealed that they were devices with open ports 2000 and 5678 (2000 “Bandwidth test server” and port 5678 “Mikrotik Neighbor Discovery Protocol”), a combination that suggests the involvement of Mikrotik systems.
The vendor in the Baltic region is suspected to be the Latvian company MikroTik, compromised devices from the vendor were employed in multiple botnets in the last couple of years. Threat actors exploited known vulnerabilities in the targeted devices that were running old software because owners did not patch them.