Nasty
But mitigation isn't too difficult.
I have some WP sites (thankfully few), but security plugins (All-In-One???) really reduce the risk: not using default login page names, locking out the site after multiple failed logins, etc.
But I've noticed for years that my server logs are full of failed attempts at logging in to WP, even when I don't use WP!
Surely there is some way to develop IP blacklists for addresses that clock up, say, 50 failed WP login attempts in 24 hours, and the ISP then kills the IP address and tells all the others.
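The threshold idea in the comment above (50 failed WP login attempts from one address in 24 hours), sketched as an added example that is not part of the original comment. It assumes a common/combined-format access log, treats any POST to `/wp-login.php` that does not end in a 302 redirect as a failed attempt, and runs on constructed sample lines using documentation-range IPs; all function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Access-log prefix (common/combined format is an assumption about the server)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_failed_login(line):
    """Return (ip, time) for a failed WP login attempt, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
        return None
    # Assumption: 302 = successful login; 200 (form shown again), 403 and
    # 404 (site does not run WP at all) all count as failed attempts.
    if m["status"] == "302":
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def offenders(lines, threshold=50, window=timedelta(hours=24)):
    """IPs reaching `threshold` failures within any sliding `window`.
    Each IP's lines must appear in time order, as in a normal access log."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = set()
    for line in lines:
        hit = parse_failed_login(line)
        if hit is None:
            continue
        ip, ts = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def constructed_sample():
    """Constructed data: 203.0.113.7 posts once a minute, 198.51.100.9 hourly."""
    base = datetime(2024, 1, 10, tzinfo=timezone.utc)
    row = '{} - - [{:%d/%b/%Y:%H:%M:%S %z}] "POST /wp-login.php HTTP/1.1" 404 153'
    fast = [row.format("203.0.113.7", base + timedelta(minutes=i)) for i in range(60)]
    slow = [row.format("198.51.100.9", base + timedelta(hours=i)) for i in range(60)]
    return fast + slow

if __name__ == "__main__":
    print(sorted(offenders(constructed_sample())))
```

The hourly address never has more than 25 attempts inside any 24-hour window, so only the once-a-minute address is flagged at the default threshold.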