
Attackers Begin with VPNs as Part of Deliberate Reconnaissance Efforts, Report Warns


New research from Hewlett Packard Enterprise (HPE) reveals that cybercriminal groups such as Akira are methodically studying VPN technologies to uncover weak points before carrying out attacks.

The findings come from HPE’s “In the Wild” threat report, which merges threat intelligence from HPE and its recently acquired network security subsidiary, Juniper Networks. The report shows that attackers are closely examining which VPN platforms are most commonly deployed, how quickly organizations apply security updates, and where configuration errors are most likely to occur.

One example highlighted in the report is the well-known Akira ransomware operation, which frequently targets small and mid-sized organizations. According to HPE, the group is known for conducting detailed analysis of VPN vulnerabilities as part of its intrusion planning process.

“By identifying the specific VPN solutions used by a target organization, the group customized its tooling accordingly, mirroring the way businesses conduct market research before launching a product,” the report notes.

That preparation has proven effective. HPE observed that this level of reconnaissance has resulted in higher breach success rates and faster ransomware deployment once attackers gain access.

Remote access systems under heavy focus

Rather than relying on random or opportunistic exploitation, threat actors are increasingly prioritizing attack paths that offer the greatest likelihood of success. Trusted remote access technologies, particularly those that provide direct connectivity into corporate environments, are now a primary focus.

This attention extends beyond VPNs to the broader network edge, including VPN gateways, firewalls, and remote access appliances. Positioned at the boundary between internal networks and the internet, these systems often combine elevated privileges with external exposure, effectively serving as what researchers describe as “a direct route into” organizational environments.

The scale of targeting underscores this trend. HPE researchers recorded more than 4,700 remote code execution attempts against digital video recorders (DVRs), along with approximately 3,500 exploit attempts aimed at Huawei routers.

The data also illustrates how attackers are exploiting a wide array of internet-connected devices, many of which are frequently overlooked in security programs. For example, more than 2,700 exploit attempts were directed at network-enabled printers, as well as at devices running Realtek components commonly found in routers and IoT hardware.

HPE further noted that successful intrusions often begin with compromised consumer-grade devices, such as hijacked home-office routers or personal equipment, which are then used as stepping stones into enterprise networks.

As a result, these tactics contribute to what the report describes as “an interconnected threat landscape,” spanning from home environments to critical organizational systems.

Campaign infrastructure linked to the Seychelles

The report also sheds light on the geographic aspects of modern cybercrime, noting that many operations now resemble highly organized, enterprise-scale campaigns focused on financially lucrative targets.

Researchers observed that infrastructure associated with the Seychelles appeared repeatedly across multiple attack campaigns. Despite its relatively small population of just over 120,000, the island nation surfaced alongside major countries such as the United States, China, the United Kingdom, and Russia.

HPE emphasized that this does not necessarily indicate that attackers are physically located in these regions. Instead, such locations may offer lower regulatory oversight and increased anonymity, making them appealing environments for hosting malicious infrastructure.

In the case of the Seychelles, HPE linked the spike in attacker-associated IP addresses to the presence of bulletproof hosting providers operating in the region. These services exploit jurisdictional gaps, such as offshore server placement and limited enforcement capabilities, to shield criminal activity.

“These providers take advantage of legal and regulatory blind spots, offering threat actors a safe haven from takedowns and investigations,” the report concluded.
