ThreatSTOP Blog

Why Ukraine, Donetsk and Luhansk matter NOW to your cyber defenses

Written by Ofir Ashman | February 25, 2022

Cyberspace has become the "5th domain" of warfare. Often used in conjunction with, or as the primary vector for, psychological and information operations, it is an area in which Russia has pre-eminent expertise. The start of physical warfare between Russia and Ukraine was preceded by a major uptick in cyberattacks, especially against Ukraine and associated entities. As Russia has deployed a multi-vector attack on Ukraine using troops, tanks and airstrikes in more than a dozen cities, its cyberattacks have increased and spread. A Distributed Denial-of-Service (DDoS) attack from Russia hit the websites of a number of Ukrainian government departments and banks in coordination with the start of kinetic hostilities. At the same time, destructive "wiper" malware, built to destroy data rather than steal it, was found on many infected machines inside Ukrainian organizations. This is already the third (and most sophisticated) large-scale cyberattack that Ukraine has suffered this year. As the physical attack has progressed, the cyberattacks have widened to include neighboring Eastern European and Baltic countries. As territory is claimed, infrastructure that was Ukrainian comes under Russian control: address space that was never subject to the same inspection as Russian ranges is now available for Russian cyber operations.

Last week, we alerted organizations about the risk of leaving their network vulnerable to traffic coming from Crimea, an autonomous republic located in southern Ukraine that was invaded and annexed by Russia in 2014. This week, Russia also formally recognized Donetsk and Luhansk, the frontline of the conflict between the Ukrainians and pro-Russian separatists, as independent of Ukraine. These two regions broke away from Ukraine in a move led by pro-Russian separatists, and each has its own self-proclaimed president with strong links to Russia - Denis Pushilin in Donetsk, and Leonid Pasechnik in Luhansk.

At ThreatSTOP, we share the widely held view that Russia controls the internet infrastructure (and therefore the IP address space) in these regions and can use it for cyberattacks at will. In Putin's Russia, no person or organization is free from being forced to collaborate with whatever machinations he and his oligarchs are up to. Many organizations already block traffic to and from Russian IP addresses, but that is not enough here: address space in Crimea, Donetsk and Luhansk is still largely attributed to Ukraine in geolocation data, so a standard security solution or a Russia-only geo-blocking policy will not cover attacks launched from these regions.

ThreatSTOP has added Donetsk, Luhansk and Crimea to our ITAR geo-bundle protection. This means that ThreatSTOP customers that are already using the ITAR bundle are automatically protected from attacks from these Russian-tied regions. Additionally, we've extended these protections to our AWS WAF Managed Rules so AWS customers can prevent inbound connections from Crimea, Donetsk, and Luhansk.

In addition, Ukraine is available as a standalone country target to users of our service. Given the rapidly changing situation on the ground, it may be prudent, especially if there is no business reason to interact with Ukrainian infrastructure, to block traffic to and from Ukraine, or at least to route it to deeper inspection.
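To make the gap between a country-level block and a region-aware policy concrete, here is an added example (not ThreatSTOP's code or product logic, and not part of the original post). It assumes a geolocation database that returns an ISO 3166-1 country code plus an ISO 3166-2 subdivision code, and it uses a constructed prefix table with hypothetical ranges from the documentation address blocks, not real allocations. The weak policy blocks RU only; the corrected policy also blocks the subdivision codes for Crimea, Sevastopol, Donetsk and Luhansk, and sends the rest of Ukraine to deeper inspection, as the paragraph above suggests.

```python
"""Country-only vs region-aware geo-blocking (added example, hypothetical data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# ISO 3166-2 subdivision codes for the regions discussed in the post.
CRIMEA = "UA-43"       # Autonomous Republic of Crimea
SEVASTOPOL = "UA-40"   # Sevastopol, administratively tied to Crimea
DONETSK = "UA-14"      # Donetsk oblast
LUHANSK = "UA-09"      # Luhansk oblast
CONTESTED_REGIONS = {CRIMEA, SEVASTOPOL, DONETSK, LUHANSK}


@dataclass(frozen=True)
class GeoRecord:
    country: str            # ISO 3166-1 alpha-2 code
    region: Optional[str]   # ISO 3166-2 code, or None if the database has no subdivision


# CONSTRUCTED geolocation table. The prefixes are hypothetical (RFC 5737
# documentation ranges), chosen only to show overlapping entries. Note that the
# contested regions are attributed to UA, as real databases commonly do.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), GeoRecord("RU", "RU-MOW")),
    (ip_network("198.51.100.0/24"), GeoRecord("UA", None)),        # generic UA entry
    (ip_network("198.51.100.0/25"), GeoRecord("UA", CRIMEA)),      # more specific
    (ip_network("198.51.100.128/26"), GeoRecord("UA", DONETSK)),
    (ip_network("198.51.100.192/27"), GeoRecord("UA", LUHANSK)),
    (ip_network("192.0.2.0/24"), GeoRecord("UA", "UA-30")),        # Kyiv city
]


def geolocate(ip: str) -> Optional[GeoRecord]:
    """Longest-prefix match against the constructed table; None if unknown."""
    addr = ip_address(ip)
    best = None
    for net, rec in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    return best[1] if best else None


def country_only_policy(rec: Optional[GeoRecord]) -> str:
    """The weak policy: block RU, allow everything else that geolocates."""
    if rec is None:
        return "inspect"
    if rec.country == "RU":
        return "block"
    return "allow"


def region_aware_policy(rec: Optional[GeoRecord]) -> str:
    """Corrected policy: block RU and the contested UA subdivisions; inspect the
    rest of UA (assumes no business need for Ukrainian traffic)."""
    if rec is None:
        return "inspect"
    if rec.country == "RU":
        return "block"
    if rec.region in CONTESTED_REGIONS:
        return "block"
    if rec.country == "UA":
        return "inspect"
    return "allow"


def compare(ip: str) -> Tuple[str, str]:
    """Return (country-only decision, region-aware decision) for one source IP."""
    rec = geolocate(ip)
    return country_only_policy(rec), region_aware_policy(rec)


if __name__ == "__main__":
    for sample in ("203.0.113.5", "198.51.100.10", "198.51.100.130",
                   "198.51.100.200", "198.51.100.250", "192.0.2.7", "8.8.8.8"):
        rec = geolocate(sample)
        print(f"{sample:16} {rec!s:40} country-only={compare(sample)[0]:8} "
              f"region-aware={compare(sample)[1]}")
```

The point is in the second row of output: a source the database labels as UA-43 (Crimea) sails through the country-only rule as "allow" and is only caught once the policy looks at the subdivision. Because real databases disagree about whether Crimean address space is UA or RU, a production rule should test both the country and the region, as `region_aware_policy` does, rather than rely on either alone.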

As events continue to evolve, ThreatSTOP will monitor the situation and modify protections to keep customers secure and capable of meeting compliance requirements.
