Ukraine internet battered but not out

While the physical war in Ukraine is already a humanitarian disaster, the virtual war over the internet and the tech companies that run it and use it will likely get a lot worse.

That’s because for the most part the actual internet network has withstood the onslaught since Russia invaded Ukraine. There have been outages and extreme slowness in parts of the country and malware or other threats have proliferated but in general—to the surprise of many—the network has been pretty resiliant considering the extreme circumstances, experts say.

That’s not to say there haven’t been serious problems.  The internet research team at ThousandEyes said it detected significant levels of internet traffic disruption and reduced availability of key Ukrainian banking, defense and other government websites.  “The patterns of disruption are consistent with network behavior we have observed during other distributed denial of service (DDoS) attacks, as well as indicative of potential countermeasures that may have been taken by service operators to mitigate impacts to their service,” ThousandEyes stated March 4.

DDoS mitigation, when employed via cloud services providers, has largely been effective, the group said.

“The websites and services that have deployed large-scale cloud-based security providers (such as Imperva, Cloudflare, etc.), either for a period of time or switching recently during the last week, have been able to more effectively maintain uptime and access,” ThousandEyes stated. “These DDoS mitigation providers typically redirect traffic through their own infrastructure, which can manage higher traffic volumes as well as use techniques to scrub malicious traffic and send legitimate traffic to the actual destinations.”

ThousandEyes said it saw no evidence of large-scale DNS or BGP attacks as speculated. “DNS and BGP, while not seen as attack vectors, remain points of potential vulnerability and should be closely monitored for impact to sites inside Ukraine and even beyond,” the group stated.

Ukrainian organizations appear to be taking defensive measures by blocking selective traffic originating in Russia and in some instances China, ThousandEyes stated.

Others have reported similar problems and resolutions.  For example, network data confirm a series of significant disruptions to internet service in Ukraine beginning Feb. 24, the day Russia invaded. Disruptions have subsequently been tracked across much of Ukraine including the capital city Kyiv as Russia’s military operation progresses, according to London-based global internet monitor NetBlocks. Outages over the course of the invasion have also been reported too by the Internet Outage Detection and Analysis (IODA) project at Georgia Tech.

In addition, the country’s core internet backbone provider GigaTrans, reported big outages on Feb. 25 and other outages and recovery since then.

On March 3, Netblocks tweeted:

#Mariupol, Ukraine under siege: “We are being completely cut off” report citizens with no electricity, no water and faltering telecoms. Real-time network data show a collapse in connectivity.”

Netblocks also reported Ukraine’s second-largest city, Kharkiv, “continues to take the brunt of network and telecoms disruptions, leaving many users cut off amid scenes of destruction as Russia targets the region.”

“Ukraine has a diverse internet infrastructure with few choke points—which means it’s difficult to switch off the country, and there’s no centralized kill switch,” Alp Toker, founder and director of NetBlocks told the Guardian. “If an invading nation desired to switch off Ukraine’s internet, this would really be a matter of physically entering internet exchange points and data centers and taking over that infrastructure. And it certainly can’t be done remotely by severing a connection with, say, Russia.”

But that is exactly the kind of concern many experts are worried about as Russian military forces destroy infrastructure or take other major cities. They may decide controlling the internet in a more tightly might be the way to go, experts say.

That was the sentiment echoed by US senator Mark Warner, D-Va who is also chair of the Senate Intelligence Committee. “Do I expect Russia to up its game on cyber? Absolutely, ” he said in a Washington Post interview.

In addition, he said he thinks Russian President Vladimir Putin miscalculated Ukrainian technological capabilities. “I think he felt like he could use his, in a sense, B team to try to take down some of the Ukrainian networks, saving his A team and the tools‑‑because once you put a cyber tool out there and it’s discovered, it’s hard to be reused‑‑he didn’t have to move to that A team within Ukraine,” Warner told the Post.

“He’s been proven wrong, and again, one of the most remarkable things is that the internet is still up. And these imagines that Ukrainians are taking of the Russian atrocious actions is being released to the world. So should we see, expect more? Absolutely,” Warner stated.

In the face of that threat, Mykhailo Fedorov, Vice Prime Minister of Ukraine and Minister of Digital Transformation, has been drumming up high-tech internet allies.

This week he asked the Internet Corporation for Assigned Names and Numbers (ICANN) to shut down Russian internet domain names, a request that was denied by the organization.

“In our role as the technical coordinator of unique identifiers for the Internet, we take actions to ensure that the workings of the Internet are not politicized, and we have no sanction-levying authority,” ICANN stated.

On Feb. 26 Fedorov called for broad help fighting Russian cyber attacks. “We are creating an IT army. We need digital talents. All operational tasks will be given here: https://t.me/itarmyofurraine. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists,” he Tweeted.

It was in response to a request from Fedorov that SpaceX CEO Elon Musk turned on the company’s Starlink satellite service in Ukraine.

So far it is unclear how many Starlink terminals—which require a Wi-Fi router, relative proximity to a ground station, and a small dish pointed at a clear sky—could be made available to the general Ukrainian populace overall, but such equipment could find its way to political or military leaders who might have an immediate strategic need for communications.

There are challenges of course. March 2, Fedorov, tweeted: “With Russian attacks on our infra, we need generators to keep Starlinks & life-saving services online—ideas?”

Musk replied: “Updating software to reduce peak power consumption, so Starlink can be powered from car cigarette lighter. Mobile roaming enabled, so phased array antenna can maintain signal while on moving vehicle.”

More recently Fedorov called on Apple to stop selling goods to Russia saying “We need your support—in 2022, modern technology is perhaps the best answer to the tanks, multiple rocket launchers, and missiles.” Apple did stop sales in Russia this week. Other tech companies such as SAP, Oracle, Google and Microsoft have scaled back or stopped operations in Russia in response to the war.

“As the conflict has continue we have seen actors of varying skill levels deploying a wide range of threats inside Ukraine that hint at potential future implications,” Cisco Talos wrote in a blog about security issues in Ukraine.

“For example, we have observed malware samples designed to avoid executing against Ukrainian targets, suggesting that they may be intended for deployment elsewhere in the region or globally. This underscores the unpredictable nature of the current threat environment and the difficulty in predicting what entities or geographic areas may be targeted next,” Talos researchers stated.