March 28, 2022
Cyberattacks on Ukraine Increase Tenfold
Russian military ‘forces’ compensate for their shortcomings not only by shooting up civilian houses and killing innocent people. They’re also causing more harm than ever online!
Apparently, the aggressor ramped up cyberattacks on Ukrainian Internet users. Internet company Quad9, a free ‘anycast’ DNS platform, reported blocking ten times the normal number of malware and phishing attacks directed at Ukrainians.
For those unaware, DNS, or Domain Name System, is a globally distributed phone book that maps website names to numeric Internet addresses. Thanks to it, we get [website.com] and not [126.96.36.199]. Our devices generate DNS lookups every time we send or receive emails or browse the web… but let’s get back to the main topic.
Quad9 protects its users from different cyberattacks by blocking DNS requests for domain names that host malicious software and phishing pages. The ratio of allowed queries coming from Ukraine was fairly constant, that is, until the war started.
Now there are ten times more rejected requests coming from Ukraine, meaning ten times more actions directed at Ukrainian users that Quad9 has to divert.
Spike in malicious traffic targeting Ukrainian users.
“The spike in that blocking ratio in the afternoon in Kyiv was around 10x the normal level when comparing against other cities in Europe. While Ukraine always is slightly higher (20%-ish) than Western Europe, this order-of-magnitude jump is unprecedented. Looking three weeks ago on the same day of the week as yesterday, we had 118 million total block events, and of that 1.4 million were in Ukraine and Poland. Our entire network saw yesterday on March 9th 121 million blocking events, worldwide. Of those 121 million events, 4.6 million were in Ukraine and Poland.” - shares John Todd, a general manager of Quad9.
There are a few reasons for Poland being under attack here. Warsaw is the next closest significant interconnection site for Ukraine’s networking, which experienced lots of outages recently. Poland is also one of the premier destinations for Ukrainian refugees, as more than 1.4 million have sought safety in the neighboring country. Even away from the warzone, normal people are at risk of suffering from cybercrooks.
Cyberattacks against Ukrainian government and civilian systems are nothing new, but the increased volume of DDoS and ‘wiper’ attacks against banks, government agencies and contractor networks coincides with the start of the attack which happened in the last week of February.
Just like on the field, there is currently a great deal of low-level attacks against Ukrainians rather than an all-out cyber assault. This phenomenon could be explained by sanctions against Russia, such as two major Internet providers refusing to route traffic for Russia.
London Internet Exchange (LINX) also said that it would stop routing for Russian Internet service providers Rostelecom and MegaFon, some of Russia’s largest ISPs. This will erode the connectivity of Russian providers to the global Internet, and inadvertently curb the increase in cyberattacks on Ukraine. As they say, all is fair in war. In this case, we’re talking about Internet safety and the measures that should be taken to avert the risk coming from the aggressor’s side.
In the next blog post I will cover a rather interesting topic of ‘protestware’ that pushes anti-war banners and makes life more difficult for Russian and Belarusian computers.
Nobody is truly safe on the Internet in peaceful times, let alone right now!