<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Russia’s invasion of Ukraine has not only redrawn national borders; it is reshaping the Internet itself. Since February 2022, roughly 20 percent of Ukraine’s IPv4 address space has migrated into the hands of third parties, including Russian-aligned proxy and anonymity services that lease those addresses from financially stressed Ukrainian ISPs. <a href="https://www.kentik.com/blog/exodus-of-ipv4-from-war-torn-ukraine/" rel="noopener" target="_blank">Kentik research</a> shows entire /24 blocks once routed by Ukrtelecom, LVS, TVCOM and Trinity now surfacing at major U.S. carriers such as Amazon, AT&amp;T and Cogent.</p> <p><a href="https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/" rel="noopener" target="_blank">Investigative reporting from Brian Krebs</a> details how those “orphaned” Ukrainian ranges are being monetized by commercial proxy networks, some of which have been linked to Russian state-sponsored spear-phishing and DDoS campaigns. To curb abuse, AT&amp;T updated its dedicated-Internet terms of service in February 2025, giving customers until 1 September 2025 to originate non-AT&amp;T IP space from their own ASNs. 
The <a href="https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russian-hybrid-threats-eu-lists-further-21-individuals-and-6-entities-and-introduces-sectoral-measures-in-response-to-destabilising-activities-against-the-eu-its-member-states-and-international-partners/" rel="noopener" target="_blank">EU has</a> already <a href="https://www.bleepingcomputer.com/news/security/european-union-sanctions-stark-industries-for-enabling-cyberattacks/" rel="noopener" target="_blank">sanctioned Stark Industries Solutions</a> for weaponizing leased Ukrainian addresses in attacks on European critical infrastructure.</p> <p>For organizations subject to U.S. sanctions rules, the compliance stakes are high. OFAC imposes civil penalties on a strict-liability basis: if your network inadvertently communicates with infrastructure controlled by a sanctioned party, <a href="https://home.treasury.gov/news/press-releases/sb0149" rel="noopener" target="_blank">intent does not matter</a>. Yet IP ownership and geolocation are now fluid, changing far faster than manually maintained allow-lists and block-lists can keep up.</p> <h3><strong>ThreatSTOP’s Real-Time Answer</strong></h3> <p><strong>OFAC-Managed Targets</strong></p> <p>Our Security, Intelligence and Research team continuously reconciles global BGP origin changes, WHOIS transfers and sanctions updates to maintain an authoritative list of IP ranges controlled by restricted entities. The moment a Ukrainian block is originated by an ASN registered in Russia or to a listed entity (or a block moves the other way), it is re-classified in our OFAC targets within minutes.</p> <p><strong>Protective DNS</strong></p> <p><i>DNS Defense Cloud</i> and <i>DNS Defense</i> stop command-and-control domains, phishing sites, data-exfiltration tunnels and spam tied to sanctioned infrastructure before a single packet reaches your endpoints. 
Because DNS is queried before any TCP or TLS handshake, Protective DNS is the earliest enforcement point available, regardless of which carrier the underlying IP address currently sits behind. The caveat is that a resolver can only act on queries that reach it: endpoints must be forced to resolve through the protected resolver (for example by blocking outbound DNS and DNS-over-HTTPS to any other resolver), and a client that connects to a hard-coded IP address never issues a query at all. That gap is what IP Defense closes.</p> <p><strong>IP Defense</strong></p> <p>When traffic must be blocked at layer 3 or layer 4, IP Defense pushes the same OFAC-aligned intelligence to firewalls, routers, IPS, AWS WAF and more. Continuous list updates keep enforcement aligned with the current sanctions picture even as adversaries hop between carriers, continents or compromised residential hosts.</p> <p><strong>Why Automation Matters</strong></p> <ul> <li> <p>Geo-IP databases refreshed on a manual cadence lag behind fast-moving hijacks and leases.</p> </li> <li> <p>Cloud-hosted proxies masquerade as residential broadband, evading static filters.</p> </li> <li> <p>Strict-liability enforcement means there is no safe grace period for an outdated list.</p> </li> </ul> <p>With ThreatSTOP, every DNS query and every packet is checked against the freshest available intelligence, closing the window attackers exploit when IP ownership flips overnight.</p> <h3><strong>Case in Point</strong></h3> <p>When Trinity’s Mariupol network went dark, more than 1,000 of its former IPv4 addresses re-appeared inside AT&amp;T’s backbone and were promptly rented to a proxy service used in <a href="https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/" rel="noopener" target="_blank">Russian phishing operations</a>. 
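</p> <p>The origin-ASN change in this case is the same signal the OFAC-Managed Targets process above keys on, and the artifacts it feeds (an address set for IP Defense, a resolver policy for Protective DNS) are the enforcement points described earlier. The following Python program is an added example written for this page, not ThreatSTOP’s own tooling: it replays a constructed log of BGP origin announcements, compares each prefix’s current origin AS with a constructed registry view, flags prefixes now originated by an AS on a constructed restricted-entity list, and renders an nftables set and a DNS RPZ fragment from the result. It also handles the reverse move (a prefix that returns to its registered holder drops off the block set) and a more-specific announcement carved out of a registered block. All prefixes are RFC 5737 documentation ranges and all ASNs are documentation or private-use numbers; none identify a real network.</p>

```python
"""Added example for this page (not ThreatSTOP code): turn BGP origin changes
into OFAC-style enforcement artifacts. Every prefix, ASN, organisation name and
event below is constructed for illustration (RFC 5737 documentation prefixes,
documentation/private-use ASNs). Nothing here identifies a real network."""
import ipaddress
from dataclasses import dataclass

# Constructed registry view: who the RIR says holds each block, and where.
REGISTRY = {
    "192.0.2.0/24": (64500, "UA"),
    "198.51.100.0/24": (64501, "UA"),
    "203.0.113.0/24": (64502, "DE"),
}

# Constructed restricted-entity list, keyed by the ASN the entity operates.
RESTRICTED_ASNS = {65001: "Hypothetical Proxy Broker LLC (listed)"}


@dataclass(frozen=True)
class OriginEvent:
    """One origin announcement as a BGP collector would report it (constructed)."""
    ts: str          # ISO 8601 timestamps sort lexically
    prefix: str
    origin_as: int   # AS that now originates the prefix
    origin_cc: str   # country the origin AS is registered in


EVENTS = [
    OriginEvent("2025-03-01T08:00:00Z", "203.0.113.0/24", 64502, "DE"),   # unchanged
    OriginEvent("2025-03-02T09:15:00Z", "192.0.2.0/24", 65001, "RU"),     # listed AS takes over
    OriginEvent("2025-03-03T11:30:00Z", "198.51.100.0/24", 64700, "US"),  # leased, not listed
    OriginEvent("2025-03-04T14:45:00Z", "198.51.100.0/25", 65001, "RU"),  # more-specific to listed AS
    OriginEvent("2025-03-20T07:00:00Z", "192.0.2.0/24", 64500, "UA"),     # returns to its holder
]

# Constructed passive-DNS observations: domain -> last A record seen.
OBSERVED = {
    "login-example.test": "198.51.100.7",
    "mail.example.test": "198.51.100.200",
    "cdn.example.test": "192.0.2.10",
}


def registry_parent(prefix):
    """Most specific registry block that covers `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for reg in REGISTRY:
        rnet = ipaddress.ip_network(reg)
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best.prefixlen):
            best = rnet
    return str(best) if best else None


def classify(events):
    """Replay announcements in time order; the latest origin for a prefix wins.
    Returns {prefix: (verdict, detail)} with verdict 'restricted' (origin AS is
    listed), 'moved' (origin differs from the holder but is not listed),
    'consistent', or 'unknown' (not covered by the registry view)."""
    verdicts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        parent = registry_parent(ev.prefix)
        if parent is None:
            verdicts[ev.prefix] = ("unknown", "not covered by the registry view")
            continue
        holder_as, holder_cc = REGISTRY[parent]
        if ev.origin_as in RESTRICTED_ASNS:
            verdicts[ev.prefix] = ("restricted",
                f"AS{ev.origin_as} ({RESTRICTED_ASNS[ev.origin_as]}) now originates "
                f"space registered to AS{holder_as}/{holder_cc}")
        elif ev.origin_as != holder_as:
            verdicts[ev.prefix] = ("moved",
                f"origin AS{ev.origin_as}/{ev.origin_cc} differs from registry holder "
                f"AS{holder_as}/{holder_cc}; watch, do not block yet")
        else:
            verdicts[ev.prefix] = ("consistent", "origin matches registry holder")
    return verdicts


def blocked_prefixes(verdicts):
    """Prefixes that currently belong on the block list."""
    return sorted(p for p, (v, _) in verdicts.items() if v == "restricted")


def render_nft_set(prefixes, name="ofac_restricted"):
    """nftables set an IP-layer control can load ('flags interval' allows CIDRs)."""
    if not prefixes:
        return f"set {name} {{ type ipv4_addr; flags interval; }}"
    return (f"set {name} {{ type ipv4_addr; flags interval; "
            f"elements = {{ {', '.join(prefixes)} }} }}")


def rpz_ip_trigger(prefix):
    """RPZ IP-trigger owner name: <prefixlen>.<reversed network address>.rpz-ip"""
    net = ipaddress.ip_network(prefix)
    rev = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{rev}.rpz-ip"


def render_rpz(prefixes, observed):
    """RPZ records: block answers that fall inside restricted prefixes, and block
    by name any domain already seen resolving into them. 'CNAME .' = NXDOMAIN."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    records = [f"{rpz_ip_trigger(p)} CNAME ." for p in prefixes]
    for domain, ip in sorted(observed.items()):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            records.append(f"{domain} CNAME .")
    return records


if __name__ == "__main__":
    verdicts = classify(EVENTS)
    for prefix, (verdict, detail) in sorted(verdicts.items()):
        print(f"{prefix:18} {verdict:11} {detail}")
    blocked = blocked_prefixes(verdicts)
    print(render_nft_set(blocked))
    print("\n".join(render_rpz(blocked, OBSERVED)))
```

<p>Running the block prints the per-prefix verdicts, the nftables set and the RPZ records. On the constructed data only the more-specific 198.51.100.0/25 ends up blocked: the /24 it was carved from is leased to an unlisted AS and is merely watched, and 192.0.2.0/24 was restricted on 2 March but returns to its registered holder on 20 March, so it drops off the set. In production the registry view would come from RIR delegated files or RDAP and the events from a BGP collector; the decision logic stays the same.</p> <p>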
ThreatSTOP flagged the origin-ASN change in real time and added the range to our Russia-controlled list, so customers were already blocking the traffic before public attribution emerged.</p> <h3><strong>Stay Compliant Without Slowing Down</strong></h3> <ul> <li> <p><span><strong>No new hardware.</strong></span> Deploy Protective DNS by pointing resolvers at the service or installing host-based agents.</p> </li> <li> <p><span><strong>Consistent policy everywhere.</strong></span> The same OFAC ruleset protects cloud workloads, branch offices and on-premises gear.</p> </li> <li> <p><span><strong>Verifiable reporting.</strong></span> Per-query and per-packet logs record which sanction list version each control enforced at the time of the decision.</p> </li> </ul> <p>To learn more about our proactive protections for every environment, or to join the ThreatSTOP family, visit our <a href="/threatstop-platform" rel="noopener" target="_blank">product page</a> and see how our solutions can change your security posture. We have pricing for customers of all sizes. 
<a href="https://admin.threatstop.com/register?hsLang=en" rel="noopener" target="_blank">Get started with a demo today!</a></p> <p><strong>Connect with Customers, Disconnect from Risks</strong></p> <h3><strong>MITRE ATT&amp;CK Alignment</strong></h3> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>ATT&amp;CK Tactic</strong></p> </th> <th> <p><strong>Technique ID</strong></p> </th> <th> <p><strong>Technique Name</strong></p> </th> <th> <p><strong>ThreatSTOP Mitigation</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Resource Development</p> </td> <td> <p>T1583</p> </td> <td> <p>Acquire Infrastructure</p> </td> <td> <p>OFAC-managed targets flag newly transferred or re-originated ranges tied to restricted entities, so infrastructure acquired on that space is blocked before it is used for staging.</p> </td> </tr> <tr> <td> <p>Command and Control</p> </td> <td> <p>T1090</p> </td> <td> <p>Proxy</p> </td> <td> <p>Protective DNS blocks the domains brokers use to rent residential proxies; IP Defense blocks the underlying IP ranges.</p> </td> </tr> <tr> <td> <p>Exfiltration</p> </td> <td> <p>T1041</p> </td> <td> <p>Exfiltration Over C2 Channel</p> </td> <td> <p>Domains used for HTTP-based exfiltration and DNS-tunneling endpoints are denied at the resolver before data leaves the network.</p> </td> </tr> <tr> <td> <p>Impact</p> </td> <td> <p>T1498</p> </td> <td> <p>Network Denial of Service</p> </td> <td> <p>IP Defense null-routes IPs associated with botnets that use leased Ukrainian space for DDoS amplification.</p> </td> </tr> <tr> <td> <p>Initial Access</p> </td> <td> <p>T1566</p> </td> <td> <p>Phishing</p> </td> <td> <p>Malicious domains hosted on repurposed Ukrainian IP blocks are intercepted at the resolver.</p> </td> </tr> </tbody> </table></span>