Russian Geo-Fencing

The Russian military continues to be active in Ukraine; the invasion began on 24 February.  Of interest, the cyber conflict is mirroring the military conflict: Russian government websites went dark to some parts of the world after being targeted with a flood of web traffic in a distributed denial-of-service (DDoS) attack attempting to knock them offline.  It is unclear who directed the attack or whether it succeeded in disrupting the sites.  However, cybersecurity researchers say the Russian government appears to be deploying a defensive technical measure known as geofencing to block access to certain sites it controls, including its military website, from areas outside Russia's sphere of influence, complete with a comical nod to internet infrastructure.[1]

Russian troops began invading Ukraine early on 24 February local time, with media reporting apparent attacks on civilian areas including hospitals and residential zones.[2]  Ukrainian government sites were pushed offline the previous week in similar attacks in the run-up to the invasion; the US and the UK attributed those attacks to the Russian government.[3]  Cybersecurity researchers also said that Ukrainian computer networks were hit with wiper malware, designed to destroy data on infected systems, for the second time this year.

No one appears to have claimed credit for the DDoS attacks, which suggests they were unsuccessful.  "DDoS is the most basic form of cyber attack, it's not that hard – either Ukrainians or people who support Ukraine could have launched them again," experts said.  Global network watchers, including NetBlocks and Kentik's director of network analysis, noted the DDoS attacks.[4]  However, the targeted Russian government sites, including the primary military domain mil.ru, appear offline to some international visitors because of apparent geofencing that limits traffic from sources outside Russia's sphere of influence.  "Based on the data we got, traffic to Mil.Ru appears to be administratively blocked from outside of Russia," researchers told trusted media sources, after attempting to access the website from servers located around the world in response to our research inquiry.

That means the operator of the site configured its servers not to show the content of the website to people trying to access it from overseas.  Instead, those attempting to access the site from blocked areas get an HTTP 418 response.

Confusion around the outage of some of the Russian government's sites was compounded by how the Russian web servers handled the apparent DDoS attacks: they returned a "418 I'm a teapot" error.  The 418 status code originated in a 1998 IETF April Fools' RFC (the Hyper Text Coffee Pot Control Protocol) and is not part of the HTTP standard, but some web servers choose to serve it anyway.[5]  It is commonly used as a "network administrator inside joke" when blocking incoming traffic, typically as a response to DDoS attacks and website or API scraping attempts, to let the senders know their activity has been noticed and is being actively blocked.  Because the server answers rather than timing out, a 418 also tells an outside observer that the site is up and refusing the request by policy, not that it has been knocked offline.
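The two mechanics described above, the edge server deciding by source address whether to serve content or answer 418, and the multi-vantage probing that lets an observer tell such an administrative block from a real outage, as an added example in Python.  This is illustration code written for this page, not code from the original post, from The Record's researchers, or from any Russian site operator; the CIDR allow-list, the IP addresses and the vantage-point names are constructed from documentation ranges and do not correspond to real Russian networks.

```python
"""Geofence a site by source IP, answering 418 to out-of-region clients, and
classify multi-vantage probe results as "geofenced" versus "outage".

Added example for this page; not the original post's code.  All prefixes,
addresses and vantage names below are constructed (RFC 5737 / RFC 3849
documentation ranges), not real Russian network ranges.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical "in-region" allow-list (constructed, not real RU prefixes).
ALLOWED_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:10::/48")
]

# Status codes that signal an administrative refusal rather than a failure.
ADMIN_BLOCK_CODES = {403, 418, 451}


def in_region(client_ip: str) -> bool:
    """True if the address falls inside one of the allowed prefixes."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED_PREFIXES)


def geofence_response(peer_ip: str, headers=None):
    """Edge-server decision: (status, body) for a request from peer_ip.

    The decision is made on the TCP peer address only.  Client-supplied
    headers such as X-Forwarded-For are deliberately ignored: anyone can
    send `curl -H 'X-Forwarded-For: <in-region ip>'`, so a geofence that
    trusted them would be bypassed in one request.  (Behind a trusted
    reverse proxy the proxy would supply the real client address; that
    deployment is outside this example.)
    """
    del headers  # never consulted; see docstring
    if in_region(peer_ip):
        return 200, "<html>site content</html>"
    return 418, "418 I'm a teapot"


def classify_probes(results: dict) -> str:
    """Observer-side check over probes from several vantage points.

    results maps vantage name -> (is_in_region, outcome), where outcome is
    an int HTTP status or the string "timeout".  Returns one of
    "geofenced", "outage", "reachable" or "mixed".
    """
    def ok(o):
        return isinstance(o, int) and 200 <= o < 400

    def failed(o):
        return o == "timeout" or (isinstance(o, int) and o >= 500)

    inside = [o for r, o in results.values() if r]
    outside = [o for r, o in results.values() if not r]
    outcomes = [o for _, o in results.values()]

    # Served in-region, administratively refused everywhere else: geofence.
    if inside and outside and all(ok(o) for o in inside) \
            and all(o in ADMIN_BLOCK_CODES for o in outside):
        return "geofenced"
    # No vantage point gets an answer: the site really is down (or DDoSed).
    if all(failed(o) for o in outcomes):
        return "outage"
    if all(ok(o) for o in outcomes):
        return "reachable"
    return "mixed"


class GeofenceHandler(BaseHTTPRequestHandler):
    """Minimal HTTP server applying geofence_response to each GET."""

    def do_GET(self):
        # client_address is the TCP peer, not something the client can forge.
        status, body = geofence_response(self.client_address[0], self.headers)
        self.send_response(status, "I'm a teapot" if status == 418 else None)
        self.send_header("Content-Type",
                         "text/html" if status == 200 else "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Local demo: `curl -i http://127.0.0.1:8000/` gets 418, because loopback
    # is not in the constructed allow-list.
    HTTPServer(("127.0.0.1", 8000), GeofenceHandler).serve_forever()
```

Running the server and probing it from loopback reproduces what outside observers saw: a prompt 418 rather than a timeout.  The classifier encodes the inference the researchers drew from their global probes; note that it only distinguishes a geofence from an outage when at least one in-region vantage point is available, otherwise a uniform 418 from outside could equally be a global block.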

The joke and the apparent selective inaccessibility of the military site suggest Russia moved defensively to avoid potential embarrassment.  The Russian Embassy did not respond to a request for comment.

Russian government websites were not the only ones that faced DDoS attacks on the 24th.  Traffic reflecting apparent attacks targeting the major Russian banks Sberbank and Alfabank was also observed.

In a press conference on the 24th, the US President said his administration was working with the private sector to be prepared for potential Russian cyberattacks and warned there would be retaliation.  “If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” the President said.     

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators, as the above links indicate.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com.

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://therecord.media/russia-appears-to-deploy-digital-defenses-after-ddos-attacks/

[2] https://forbes.ua/inside/russia-declares-war-on-ukraine-and-shells-multiple-cities-putin-calls-it-a-special-military-operation-heres-whats-going-on-24022022-3863

[3] https://therecord.media/white-house-blames-russia-for-latest-digital-attacks-on-ukraine/

[4] https://twitter.com/netblocks/status/1496904885455007749

[5] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/418
