The recent increase in cyberattacks on Ukraine by 10 times – Krebs on Security

With their cities under heavy bombardment by Russian military forces this week, Ukrainian internet users have come under renewed cyber-attacks, with one internet company providing a service there saying it blocked ten times the normal number of phishing and malware attacks targeting Ukrainians.

John Todd He is the Managing Director of Quad9, a free “anycast” DNS platform. DNS stands for Domain Name System, which is like the Internet’s globally distributed phone book that maps the names of human-friendly websites ( to digital Internet addresses ( that are easy for computers to manage. Your computer or mobile device generates DNS lookups every time you send or receive email, or browse a webpage.

With anycast, a single Internet address can apply to many servers, which means that any one of a number of DNS servers can respond to DNS queries, usually those that are geographically closest to the client requesting the response.

Quad9 isolates its users from a range of cyberattacks by blocking DNS requests for popular domain names, that is, those that have been confirmed to host malware, phishing sites, bots, and other threats. The ratio of DNS queries from Ukraine allowed versus blocked by Quad9 is usually fairly constant.

But Todd says that on March 9, Quad9 systems blocked 10 times the normal number of DNS requests from Ukraine, and to a lesser extent Poland.

Todd said Quad9 saw a significant drop in traffic arriving at Kyiv POP [point of presence] During hostilities, possibly due to fiber outages or power outages. Some of this traffic then shifted to Warsaw, which for most networks of Ukraine is the next closest important interconnection site.

Quad9’s view of a rise in malicious traffic targeting Ukrainian users this week. Click to enlarge.

“While total traffic decreased in Kyiv – and increased slightly in Warsaw due to disruption of infrastructure within .ua – the ratio of (good inquiries): (blocked inquiries) increased in both cities,” he continued. The high rate of blocking [Wednesday] Afternoons in Kyiv were about 10x the normal when compared to other cities in Europe (Amsterdam, Frankfurt.) While Ukraine is always slightly higher (20%-ish) than Western Europe, this jump in terms of magnitude is unprecedented. “.

Quad9 declined to specify more data that informed the Y axis in the above graph, but said there are some numbers the company is preparing to share as absolute numbers.

“Looking back three weeks ago on the same day of the week as yesterday, we had 118 million mass events in total, of which 1.4 million were in Ukraine and Poland,” Todd said. “Yesterday on March 9, our entire network experienced 121 million ban events worldwide. Of those 121 million events, 4.6 million were in Ukraine and Poland.”

Bill Woodcock He is the CEO of Packet Clearing House, a San Francisco-based nonprofit organization that is one of several sponsors of Quad9. Woodcock said the sudden rise in banned DNS queries from Ukraine clearly shows an increase in phishing and malware attacks against Ukrainians.

“They are being targeted by a massive amount of phishing, and a lot of malware getting into devices trying to connect to the malicious command and control infrastructure,” Woodcock said.

Both Todd and Woodcock said the smaller rise in banned DNS requests originating from Poland is likely the result of many Ukrainians fleeing their country: Of the two million people who have fled Ukraine since the start of the Russian invasion, more than 1.4 million have. Their way to Poland, according to the latest figures from United nations.

The increase in malicious activities detected by Quad9 is the latest chapter in a series of ongoing cyber attacks against the Ukrainian government and civilian systems since the start of the war in the last week of February.

As Russian tanks and military personnel began crossing the border into Ukraine last month, security experts tracked a series of devastating data “wiper” attacks targeting Ukrainian government agencies and contractor networks. Security firms also attributed to the Russian intelligence services a barrage of distributed denial-of-service (DDoS) attacks against Ukrainian banks just before the invasion.

So far, the large-scale cyberattacks that were so feared and retaliation against Russia have not materialized. But data collected by Quad9 indicates that a significant amount of low-level cyber-attacks targeting Ukrainians continues.

It is not clear to what extent, if any, Russia’s purported cyber prowess may be jeopardized by escalating economic sanctions imposed by private companies and governments alike. Last week, two major Internet majors said they would stop directing traffic to Russia.

earlier today, London Internet Exchange (LINX), one of the largest points of symmetry where networks around the world exchange traffic, He said It will stop directing Russian ISPs Rostelecom And the Megaphone. Rostelecom is the largest Internet service provider in Russia, while MegaFon is the second largest mobile operator in Russia and the third largest Internet service provider.

Doug MadhuriKentik, director of research at Internet infrastructure monitoring company Kentik, said LINX’s actions will further erode Russia’s big providers’ connection to the larger Internet.

“If other major European exchanges follow suit, that could really be a problem for Russian connectivity,” Madhuri said.