March 11, 2022

As their cities suffered more intense bombardment by Russian military forces this week, Ukrainian Internet users came under renewed cyberattacks, with one Internet company providing service there saying they blocked ten times the normal number of phishing and malware attacks targeting Ukrainians.

John Todd is general manager of Quad9, a free “anycast” DNS platform. DNS stands for Domain Name System, which is like a globally distributed phone book for the Internet that maps human-friendly website names (example.com) to numeric Internet addresses (8.8.4.4) that are easier for computers to manage. Your computer or mobile device generates DNS lookups each time you send or receive an email, or browse to a webpage.

With anycast, one Internet address can apply to many servers, meaning that any one of a number of DNS servers can respond to DNS queries, and usually the one that is geographically closest to the customer making the request will provide the response.

Quad9 insulates its users from a range of cyberattacks by blocking DNS requests for known-bad domain names, i.e., those confirmed to be hosting malicious software, phishing websites, stalkerware and other threats. And normally, the ratio of DNS queries coming from Ukraine that are allowed versus blocked by Quad9 is fairly constant.

But Todd says that on March 9, Quad9’s systems blocked 10 times the normal number of DNS requests coming from Ukraine, and to a lesser extent Poland.

Todd said Quad9 saw a significant drop in traffic reaching its Kyiv POP [point of presence] during the hostilities, presumably due to fiber cuts or power outages. Some of that traffic then shifted to Warsaw, which for much of Ukraine’s networking is the next closest significant interconnect site.

Quad9’s view of a spike in malicious traffic targeting Ukrainian users this week.

“While our overall traffic dropped in Kyiv — and slightly increased in Warsaw due to infrastructure outages inside of .ua — the ratio of (good queries):(blocked queries) has spiked in both cities,” he continued. “The spike in that blocking ratio [Wednesday] afternoon in Kyiv was around 10x the normal level when comparing against other cities in Europe (Amsterdam, Frankfurt.) While Ukraine always is slightly higher (20%-ish) than Western Europe, this order-of-magnitude jump is unprecedented.”
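As an added illustration (not Quad9’s code or data), the following computes the (blocked queries):(allowed queries) ratio per point of presence from constructed resolver log lines and flags any POP whose ratio is an order of magnitude above the Amsterdam/Frankfurt baseline, the comparison Todd describes above. The log format, POP names and counts are assumptions made for the example.

```python
from collections import defaultdict

# Constructed per-POP counts (allowed, blocked), used only to build sample
# resolver log lines below; they are not Quad9 figures.
CONSTRUCTED_COUNTS = {
    "amsterdam": (40, 2),   # baseline: 5% of queries blocked
    "frankfurt": (40, 2),   # baseline
    "warsaw": (40, 4),      # 2x baseline: elevated, but under threshold
    "kyiv": (20, 12),       # 12x baseline: the kind of spike described above
}

def build_sample_log(counts):
    """Expand constructed counts into '<ts> <pop> <qname> <verdict>' lines."""
    lines = ["2022-03-09T14:00:00Z kyiv truncated-line"]  # malformed; skipped
    for pop, (allowed, blocked) in counts.items():
        lines += [f"2022-03-09T14:00:00Z {pop} ok{i}.example allowed" for i in range(allowed)]
        lines += [f"2022-03-09T14:00:00Z {pop} bad{i}.example blocked" for i in range(blocked)]
    return "\n".join(lines)

def block_ratios(log_text):
    """Per-POP blocked:allowed ratio; malformed lines are ignored."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("allowed", "blocked"):
            continue
        counts[parts[1]][parts[3]] += 1
    # Guard against a POP that saw blocks but no allowed queries at all.
    return {pop: c["blocked"] / max(c["allowed"], 1) for pop, c in counts.items()}

def flag_spikes(ratios, baseline_pops, factor=10.0):
    """Return {pop: multiple-of-baseline} for POPs at or above factor x baseline."""
    base = [ratios[p] for p in baseline_pops if p in ratios]
    if not base:
        return {}
    mean = sum(base) / len(base)
    return {pop: round(r / mean, 2) for pop, r in ratios.items()
            if pop not in baseline_pops and r >= factor * mean}

if __name__ == "__main__":
    ratios = block_ratios(build_sample_log(CONSTRUCTED_COUNTS))
    print(flag_spikes(ratios, ["amsterdam", "frankfurt"]))  # {'kyiv': 12.0}
```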

Quad9 declined to further quantify the data that informed the Y axis in the chart above, but said there are some numbers the company is prepared to share as absolutes.

“Looking three weeks ago on the same day of the week as yesterday, we had 118 million total block events, and of that 1.4 million were in Ukraine and Poland,” Todd said. “Our entire network saw yesterday on March 9th 121 million blocking events, worldwide. Of those 121 million events, 4.6 million were in Ukraine and Poland.”

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco that is one of several sponsors of Quad9. Woodcock said the spike in blocked DNS queries coming out of Ukraine clearly shows an increase in phishing and malware attacks against Ukrainians.

“They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure,” Woodcock said.

Both Todd and Woodcock said the smaller spike in blocked DNS requests originating from Poland is likely the result of so many Ukrainians fleeing their country: Of the two million people who have fled Ukraine since the beginning of the Russian invasion, more than 1.4 million have made their way to Poland, according to the latest figures from the United Nations.

The increase in malicious activity detected by Quad9 is the latest chapter in an ongoing series of cyberattacks against Ukrainian government and civilian systems since the outset of the war in the last week of February.

As Russian military tanks and personnel began crossing the border into Ukraine last month, security experts tracked a series of destructive data “wiper” attacks aimed at Ukrainian government agencies and contractor networks. Security firms also attributed to Russia’s intelligence services a volley of distributed denial-of-service (DDoS) attacks against Ukrainian banks just prior to the invasion.

Thus far, the much-feared large scale cyberattacks and retaliation from Russia haven’t materialized (for a counterpoint here, see this piece from The Guardian). But the data collected by Quad9 suggest that a great deal of low-level cyberattacks targeting Ukrainians remain ongoing.

It is unclear to what extent — if any — Russia’s vaunted cyber prowess may be stymied by mounting economic sanctions enacted by both private companies and governments. In the past week, two major backbone Internet providers said they would stop routing traffic for Russia.

Earlier today, the London Internet Exchange (LINX), one of the largest peering points where networks around the world exchange traffic, said it would stop routing for Russian Internet service providers Rostelecom and MegaFon. Rostelecom is Russia’s largest ISP, while MegaFon is Russia’s second-largest mobile phone operator and third largest ISP.

Doug Madory, director of research for Internet infrastructure monitoring firm Kentik, said LINX’s actions will further erode the connectivity of these large Russia providers to the larger Internet.

“If the other major European exchanges followed suit, it could be really problematic for Russian connectivity,” Madory said.


41 thoughts on “Report: Recent 10x Increase in Cyberattacks on Ukraine”

  1. VF

    “If the other major European exchanges followed suit, it could be really problematic for Russian connectivity,”

  2. Doug

    One has to ask, does the collective good coming out of Russia outweigh the collective bad?

  3. ReadandShare

    Not an expert of any kind but just an individual Win Home user. All these years/decades of dire warnings about the vulnerabilities of our internet system… knock out punches to Ukraine’s systems seem not to have happened – despite Russia’s best efforts to disrupt?

    I think I’ve finally learned to read media warnings with healthy grains of salt. I’ll take basic precautions for sure, like keeping OS and apps updated, signing in as ‘standard’ user and not admin, and refraining from clicking on links willy nilly. Beyond that, I’ll just trust the sky isn’t going to fall suddenly.

      1. ReadandShare

        The same US that can’t seem to help itself – if news media are to be believed?

    1. ITworker

      You have no concept of what you’re talking about

    2. JamminJ

      If you’re an individual computer user, yeah, you don’t have to worry about being the direct target of nation-state actors. The sky isn’t going to fall from within your house.
      Your home computer isn’t the target. Maybe your bank’s systems, investment funds, or the stock market itself.

      Perhaps the issue is that you’re consuming media that isn’t meant for Windows Home users like yourself. Enterprise users, people who use business IT systems, handle sensitive data, etc., would be the real targets.

  4. Pontiacy

    Solution is to cut off the internet total isolation

    1. Lance Rock

      My professor gives a demo to a military officer: just plug this pen drive into a laptop or PC, count for 5 seconds and remove it, and the pen drive gets all the files from the PC in just 5 seconds.
      And sir says, how do you prevent these types of attacks? What is the strategy?
      And the officer says, we just unplug it…. It is horrifying, or you can say it’s a legend 🙂

      1. JamminJ

        No joke, the military for many many years after USB was standard, would disable the USB ports in the BIOS, disconnected header wires, or literal glue. This was for forward deployed computers, but not really to protect from malware, but to prevent “data loss”. To move files from a PC, you had to burn a CD. Of course, notorious whistleblowers and spies still did this. But blocking USB did significantly cut down on accidental spillage.

        The point is, the military does not wait for civilian software companies to provide a fix. Often they will just make the tough decision to do without.

  5. SamD

    Russia has been a bad actor in the past and now with no constraints will be even worse. Cut them off at the knees.

    1. Insane clown posse

      Let me guess, America should be the one to do it after years of agitation in the region. Imagine if someone put missiles in Canada or Mexico; what would happen?

        1. Kel

          How far back do you want to go? Russia sent nuclear missiles to Cuba in 1962 to counter the nuclear missiles the US had secretly installed in Turkey and Italy. The crisis was resolved when Khrushchev publicly agreed to remove the USSR missiles and Kennedy privately agreed to remove the US missiles. Most current resources on the topic mention this.

          1. JamminJ

            Yes, thanks. I know the history.
            I was really just asking mr. ICP if he was comparing this current conflict with the Cuban Missile Crisis.
            IMO, this isn’t the same. Putting nukes on a border country is NOT what NATO/Ukraine has done to warrant Russian aggression here. Merely wanting to join NATO is not the same as actually placing nuclear missiles within short range.

            1. Hm no

              You referenced history, they debunked your microposition with actual details.
              NATO is a nuclear armed power designed to contain Russia. It’s similar.
              You don’t need to agree.

              1. JamminJ

                I agree its similar, I disagree its the same.

              2. JamminJ

                I agree its similar, I disagree its the same.

                Russia cannot justify their aggressive actions by using such marginal similarities though.

      1. F.S.

        Even if the US moved its nukes back to the US in compliance with Russia’s demand, does any knowledgeable person really think Russia would move its nukes an equal distance away from the NATO countries?

    2. jdmurray

      This is a slippery slope. Who decides who is a “bad actor” and should be severed from the Internet? It seems Russia, China, and the USA have already been at the top of the Internet’s “Miscreants and Shenanigans list” for many years. Are the deciders the “NATO of the Internet?”

      1. JamminJ

        It’s more about a fundamental ignorance about what “the” Internet is.
        It’s a collection of interconnected networks.
        Russia still has an Internet even if their networks can’t talk to the rest.
        Then there is the World Wide Web, which is a different concept.

        “The Internet” is made up of nodes in the real world. If the US has the lion’s share of nodes that people want to use, that’s a big reason why the US appears to control so much. Russia has their version of Google, called Yandex. But if it is lacking by comparison, that’s on them.

        1. Grip investment

          Do you actually “have to” explain every single basic concept like you can’t help it?

          1. JamminJ

            Yes, it has to be explained.
            When it becomes apparent that many people don’t understand this basic concept.
            I’m glad you get it… but if ignorant comments are allowed to out-pace knowledgeable ones, then this is how readers get dumber over time.

            1. Grip investment

              It’s obvious what he meant had nothing to do with the semantics you offer.

            2. Reader

              Miscomprehension of what others ask/say is not a correction.

              1. ITWorker

                “severed from the Internet” and a bunch of other comments in the last few days on this and other posts do seem to suggest that people are not understanding. Lots of people still think the internet is something that can be turned off and on like a switch.

                Yes, thank you JamminJ for clarifying.

                1. Reader

                  “Lots of people still think the internet is something that can be turned off and on like a switch.”

                  Nobody here said that.

                  1. ITworker

                    Jdmurray: “should be severed from the Internet”
                    SamD: “cut them off”

                    1. Reader

                      Nobody said “flip a switch” or even suggested “how” to “cut” them / disconnect them / “sever” them from the ww multi-pole internet. It would be a massive collaborative effort to demarcate and disallow pariah states from operating as normal. A completely rudimentary explanation of the internet isn’t required to understand what they’re asking, “some people” just like to pretend everyone else needs to be talked down to and their questions ideas entirely side-stepped as above so that they can (again…) be a pseudo-pedant on some unrelated issue and mansplain the most fundamental concepts as if that’s what was even being talked about. It wasn’t.

                      The actual question posed is as yet unanswered.

  6. elong panther musk

    don’t worry about cyber nuclear war.. it’s only 1 and zeros.

    don’t worry about real ww3.. this is a just a simulation.. right?! shaggy?

    oohh bother.. time to eat more honey.

  7. mulan

    so never download hosting files of rapidgator and rutracker, because probably your PC if not take their cautions spread of malware/worms.

    1. Dude

      Rg is privately owned and they support Ukraine. Check banners on their pages.

  8. Alex

    Russia wants to free itself from Putin’s power. You cannot close access to information and the Internet. I am from Russia.

    1. Mark

      Putin’s power is that HE closed your access to information. Now you can see only what he allows you to see.
      Putin has been in power for a while now, and you’ve had the Internet that entire time. If you want to free yourself from him, you can’t rely on the Internet which he controls.
