
SANS ISC: How is Ukrainian internet holding up during the Russian invasion? - SANS Internet Storm Center SANS ISC InfoSec Forums

How is Ukrainian internet holding up during the Russian invasion?

The current war in Ukraine has from the beginning had a strong “cyber” component to it. Even in the lead-up to the actual invasion of Russian forces into Ukrainian territories, there have been significant attacks made against Ukrainian systems, most notably with the use of the WhisperGate wiper[1], and offensive activities targeting Ukraine’s infrastructure have hardly abated since then[2].

Most recently, we have seen what has been called a “powerful attack” against a major Ukrainian ISP[3] as well as an attempted attack against an unnamed Ukrainian energy provider using a new version of the Industroyer malware[4]. With attacks like these alongside ever-present DDoSes and the undoubtedly significant effects of a kinetic conflict on telecommunication infrastructure, one might expect that the Ukrainian internet landscape would have been seriously reduced, and that a not-insignificant portion of the country’s infrastructure would have been thrown offline.

However, according to most reports, this has not been the case so far[5].

Nevertheless, there doesn’t seem to be much “objective” data available that would either support or invalidate these reports besides a BGP-level view of prefixes announced by different Ukrainian ISPs, which is provided by some internet monitoring tools (this, however, can’t tell us much about actual reachability of individual internet-connected systems).

I have therefore decided to put together a chart showing the number of Ukrainian web servers (or – to be more exact – number of public IPs in Ukrainian IP space with port 443 open) that Shodan has seen on different days since the beginning of the year. Although the “number of reachable web servers in a country” is hardly an optimal metric for determining the overall availability of its internet-connected infrastructure, it should be good enough for our purposes.

As we may see, from the beginning of the Russian invasion on February 24th until today, there has been a decrease of nearly 16 thousand web servers in the Ukrainian IP space, which comes to about 12% of the pre-war total.

Although this number is hardly insignificant, and it is clear that both kinetic and “cyber” attacks that have been launched against Ukraine over the last seven weeks have had an effect on the country’s internet, so far, the overall impact either seems to have been relatively minor, or a quick response[6] has lessened it significantly. As a result, the Ukrainian internet truly still appears to be holding up quite well.

It is worth noting that, overall, a significantly larger percentage of web servers “disappeared” from the Russian internet during the same time span. As you may see from the following chart, from the beginning of the invasion until today, the number of web servers seen by Shodan in Russia has decreased by more than 255 thousand, which comes to nearly 23% of the pre-war total.
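An added example (not the author's code or data) of how the before/after comparison described above can be computed from a series of daily host counts, taking a median over a few days on each side so that a single incomplete crawl does not skew the result. The two series are constructed placeholders of the same order as the figures in the post, and the helper names and the 7-day window are assumptions.

```python
from datetime import date, timedelta
from statistics import median

EVENT = date(2022, 2, 24)  # start of the invasion, as given in the post

def window_median(series, start, end):
    """Median count for start <= day < end, or None if the window has no samples."""
    vals = [n for d, n in series.items() if start <= d < end]
    return median(vals) if vals else None

def change_since(series, event=EVENT, days=7):
    """Compare the median of the `days` days before `event` with the median of
    the last `days` days in the series. Returns (baseline, latest, delta, pct)."""
    last = max(series)
    base = window_median(series, event - timedelta(days=days), event)
    latest = window_median(series, last - timedelta(days=days - 1),
                           last + timedelta(days=1))
    if not base or latest is None:
        raise ValueError("no usable samples before the event or at the end")
    delta = latest - base
    return base, latest, delta, round(100 * delta / base, 1)

def constructed_series(pre, post, dips=(), start=date(2022, 1, 1),
                       end=date(2022, 4, 13), event=EVENT):
    """CONSTRUCTED data, not Shodan output: flat `pre` before the event, flat
    `post` from it on, halved on `dips` to mimic an incomplete crawl."""
    out, d = {}, start
    while d <= end:
        out[d] = pre if d < event else post
        d += timedelta(days=1)
    for day in dips:
        out[day] //= 2
    return out

# Hosts with port 443 open per day; values are placeholders of the same order
# of magnitude as the figures quoted in the post.
UA = constructed_series(133_000, 117_000, dips=[date(2022, 2, 20), date(2022, 4, 13)])
RU = constructed_series(1_110_000, 855_000)

if __name__ == "__main__":
    for name, series in (("UA", UA), ("RU", RU)):
        base, latest, delta, pct = change_since(series)
        print(f"{name}: {base} -> {latest} ({delta:+}, {pct:+}%)")
```

Comparing only the last day with the last pre-war day would report the constructed dip on April 13th as a drop of more than half, which is why the medians are used.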

Although this decrease has probably not been caused only by the recent attacks against Russian systems and the corresponding decisions of certain Russian ISPs to stop announcing their prefixes to the global internet[7], it seems at least within the realms of possibility that the overall impact of the ongoing “cyber war” might be more significant on the Russian internet than on the Ukrainian one… Which would be interesting, to say the least.

[1] https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
[2] https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks/
[3] https://portswigger.net/daily-swig/ukrainian-isp-used-by-military-disrupted-by-powerful-cyber-attack
[4] https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
[5] https://therecord.media/ukraine-internet-russia-invasion/
[6] https://twitter.com/dsszzi/status/1501659618954645508
[7] https://twitter.com/DougMadory/status/1499397229164957715

-----------
Jan Kopriva
@jk0pr
Nettles Consulting

ISC Handler
Apr 13th 2022