Platform Geopolitics in 2022: Russian Invasion of Ukraine – an incomplete overview


In preparation for a data sprint with the University of Amsterdam, Michael Dieter has been keeping track of changes to platform policies. His document concerning Platform Geopolitics was initially published in the Tactical Media Room, a new signal group that was initiated by de Waag, Institute of Network Cultures and Freedom Internet to build a “network to support independent media in Ukraine, Russia and Belarus.”

Michael’s overview effort provides a captivating perspective on recent developments for all who are interested in having an informed debate about the current developments in internet governance.



MARCH 31th

  • Google publishes a blog about the actor Coldriver operating from Russia. This actor is said to have made phishing attempts at, among other things, a NATO department. Google has no evidence that these attempts have been successful. This group has been active since 2015 and in the past has attacked various targets such as ministries, NGOs and journalists.

MARCH 30th

  • Internet Society Pulse observed significant increases in the rates of anomalous results in Russian Web Connectivity tests of the Open Observatory of Network Interference (OONI) (a global community measuring internet censorship around the world), compared to the week prior to the invasion. Main take-aways:
    • Nearly all categories of web content saw at least some increase in failures to load, including the category of “Control content” (websites unlikely to attract the attention of any censor), suggesting an increase in the background of network congestion.
    • some categories were impaired much more significantly than the average, including social networking (increase in anomalous tests from 4% to 26%), media sharing (from 8% to 20%), and foreign news media overall (from 8% to 20%). 
    • These measurements are consistent with Russia’s imposition of Internet content blocks to restrict the domestic availability of information about the Ukrainian war

MARCH 29th

  • A service that continuously monitors changes in the routing table across the World, notified its followers of some suspicious activity involving a network that is held by Twitter.
  • A major DDoS attack on the Ukrainian internet service provider Ukrtelecom ensures that services for customers of this provider are temporarily unavailable.

MARCH 28th

MARCH 26th

  • Max Stucchi (Regional Technical Advisor – Europe, Internet Society) and Robin Wilton (Director Internet Trust, Internet Society) checked some new data available in Cloudflare Radar, which provides per-Autonomous System Number (ASN) statistics. Main take-aways:

MARCH 25th

  • Hanna Kreitem (Technical Expert, Middle East, Internet Society) and Max Stucchi (Regional Technical Advisor – Europe, Internet Society) started to look at the OONI Web Connectivity tests measurements, prior to the beginning of the conflict, from a different angle, examining the number of anomalies recorded. Main take-aways:
    • They do see a slight increase in the number of anomalies reported, and a large increase in the number of tests run specifically on the 13th of March. This is the day before the Russian government announced that Instagram was going to be blocked.
    • Increased Anomalies Expected.
  • Anonymous publishes leak of the Central Bank of the Russian Federation.

MARCH 24th

MARCH 23th

  • Google modifies its “advertiser-friendly content guidelines” and states: “Due to the war in Ukraine, content that exploits, dismisses, or condones the war is ineligible for monetization until further notice. This update is meant to clarify, and in some cases expand, our guidance as it relates to this war.”
    • the new policy affects any website, app or YouTube channel.
  • Within a few hours after Google modified its guidelines the Russian internet regulator, Roskomnadzor, announced its Google News block and states: “The mentioned U.S. Internet news resource provided access to numerous publications and materials containing unreliable, publicly significant information about the course of the special military operation in Ukraine.”
  • Hordes of Ukrainian coders are splitting their time between doing their day jobs and fighting a cyber war with Russia. Over 311,000 people have joined a group called “IT Army of Ukraine” on the social media platform Telegram.
  • Cert-UA reports a new wiper malware called Double Zero. This malware is distributed via .zip files.

MARCH 22nd

  • RIPE NCC organizes Cooperation Working Group Remote Session for an “Open Discussion on Internet Sanctions and Connectivity” with working group co-Chairs: Achilleas Kemos, Johan Helsingius and Desiree Miloshevicto.
  • Russia opened a criminal case against journalist Alexander Nevzorov under its new law criminalising the publication of “false” information on the war in Ukraine.
  • RIPE NCC publishes its analysis, dubbed “How Is Russia Connected To The Wider Internet?”, on the connectivity of the Russian Internet to the wider Internet and how this evolved around the Russian invasion of Ukraine and the connectivity effects due to sanctions. Main take-aways:
    • The Internet currently consists of over 70,000 networks. 
    • At the network level, the Russian Internet is very interconnected and resilient, and RIPE NCC doesn’t see sanctions having much of an effect at that level.
    • A comparison of pre- and post- invasion latency for a number of Russian networks indicates that some changes are detected that might be due to an increase in congestion (as seen at the beginning of the COVID pandemic).
    • The larger picture is that not much has changed since the start of the Russian invasion of Ukraine.
  • US President Joe Biden is warning companies in his country of potential Russian cyberattacks, including in response to Western sanctions against Russia.
  • Ukraine CERT (CERT-UA) has released new details on a Chinese threat actor named Scarab targeting Ukraine. Main take-aways:
    • SentinelLabs confirms it is associated with the suspected Chinese threat actor known as Scarab. The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.
    • Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip.
    • While technical specifics vary between campaigns, the actor generally makes use of phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip.

MARCH 21nd

MARCH 20th

MARCH 19th

MARCH 18th

  • RIPE NCC’s Chief Legal Officer, Athina Fragkouli, confirms RIPE NCC’s full compliance with the latest EU sanctions in their post “EU Sanctions and Our Russian Membership“. Main take-aways:
    • EU sanctions on Russia have raised questions about RIPE NCC’s compliance with the new sanctions.
    • EU sanctions also entail financial restrictions and consist of:
      • (a) freezing the funds or economic resources of sanctioned entities and individuals
      • (b) not making funds or economic resources available to these entities and individuals
    • The registration of Internet number resources is considered to be an economic resource by the Dutch Ministry of Foreign Affairs (MFA) .
    • The MFA confirmed there was no need to deregister the Internet number resources held by sanctioned parties.
    • Other RIPE NCC services, such as the operation of K-root, are not considered to be economic resources.
    • EU sanctions do not prohibit RIPE NCC from receiving payments from sanctioned parties.
    • The new sanctions do not prohibit RIPE NCC services from being provided in Russia.
    • RIPE NCC postpones invoicing Russian sanctioned members due to banking restrictions.
  • Russian (dis)information campaigns on Twitter seem not targeted at the US or Europe, but at five major emerging economies: Brazil, Russia, India, China, and South Africa and also in general Africa and Asia. According to a comtemporary twitter analysis by Research Director of the Centre for the Analysis of Social Media, Carl Miller.
  • PayPal expands services for Ukrainians by allowing peer-to-peer PayPal or Xoom payments without normal fees, along with the ability to transfer money to Mastercard and Visa cards, among other features.
  • Natalie Campbell and Carl Gahnberg of Internet Society publish the Internet Impact Brief: “How Refusing Russian Networks Will Impact the Internet” and a Quick Analysis – “The Impact of Efforts to Disconnect Russia from the Internet“. Main take-aways:
    • It is important to remember that the Internet is an incredible force for good. The pandemic has shown its potential to facilitate global efforts to find new ways of living, working and learning, and solving some of our toughest problems yet.
    • Many civilians under oppressive regimes and victims of conflict rely on access to the global Internet for reliable information, and as a lifeline to keep themselves safe from harm.
    • Restricting networks from the global Internet causes significant harm to key elements the Internet needs to exist and thrive.
    • The impact of the politically motivated actions to prevent people from accessing the Internet might not be reversed as there is a significant risk that politically motivated actions to disconnect users from the global Internet set a precedent and trend that play into the hands of regimes seeking to censor, block and control Internet access.
    • Companies that own and operate parts of the Internet’s infrastructure play an important role in the Internet’s ecosystem.
  • Security Affairs reports a destructive Node-IRP package (malware attack) targeting organizations in Russia and Belarus.

MARCH 17th

MARCH 16th

MARCH 15th

  • Tracking Exposed special report TikTok content restriction in Russia published. Key findings include:
    • “On March 7, TikTok made all the content posted by non-Russian channels unavailable to Russian users. This unannounced restriction removes an estimated 95% of the content previously available to Russian TikTok users;
    • Content restriction is happening at the application layer rather than the transport layer, which requires the direct involvement of TikTok. It is the first time a global social media platform has restricted access to content at this scale;
    • A network of coordinated accounts is using a loophole to post new content promoting Russian pro-war propaganda in Russia, despite the current ban on new content uploads.”
  • The Computer Emergency Response Team of Ukraine (CERT-UA) reports a phishing campaign in which massive e-mails are sent on behalf of the Ukrainian government. Cobalt Strike, Grimplant and GraphSteel are used for the attacks.

MARCH 14th

MARCH 13th

  • Internet Disruption Following Cyberattack on Vinasterisk Network. Major internet disruption registered on the Vinasterisk network which serves Vinnytsia Oblast, western Ukraine. The operator reported a massive cyberattack with elements of sabotage.

MARCH 11th

  • Statement by Kat Townsend, Web Foundation Interim Director of Policy: “The open internet in Russia must be protected. Here’s why.
  • Meta alters policy on hate speech and allows calls for violence against Russian soldiers and leaders on Facebook in Armenia, Azerbaijan, Estonia, Georgia, Hungary, Latvia, Lithuania, Poland, Romania, Russia, Slovakia and Ukraine;
  • Instagram access to be blocked in Russia as general prosecutor’s office categorizes Meta as an “extremist organisation” following relaxed hate speech policies;
  • Google announces the removal of Russian state-funded media channels globally on YouTube, expanding ban from just Europe; “Our Community Guidelines prohibit content denying, minimizing or trivializing well-documented violent events”;
  • Twitter removes Russian Embassy’s tweet accusing pregnant bombing victim of being a crisis actor;
  • Vice reports that Russian TikTok influencers are being paid to spread Kremlin propaganda;
    • “Numerous campaigns have been coordinated in a secret Telegram channel that directs these influencers on what to say, where to capture videos, what hashtags to use, and when exactly to post the video”;
  • Emillie de Keulenaar on Twitter: “does the moderation of Russian content on Western platforms (FB, TW) + Russia’s own “de-platforming” of Western social media suggest that Russian content is increasingly demarcated within Russian platforms?
  • A group of academics, engineers, politicians, civil society members and entrepreneurs sign a Multistakeholder Imposition of Internet Sanctions. The group states that the invasion of Ukraine poses a new challenge for multistakeholder Internet infrastructure governance. In their statement,  they discuss possible sanctions and their ramifications, layout principles that they believe should guide Internet sanctions, and propose a multistakeholder governance mechanism to facilitate decision-making and implementation.
  • Anonymous has leaked 20 terabytes of data after a digital attack on the German branch of Russia’s Rosneft. The German intelligence service BSI has warned vital sectors in response.

MARCH 10th




  • Instagram announces it will downrank posts from Russian state-affiliated media. Along with a number of additional measures:
    • Pop ups: users who go to share stories originating with any of these accounts will now see a pop-up message cautioning them against spreading “Russia state-controlled media”… users who share stories with link stickers pointing to domains associated with Russian state media will get the same treatment.”
    • Removal from algorithmic recommendations: “Content from Russian state-linked accounts will also no longer appear in Instagram’s algorithmically populated discovery areas, like Reels and the discovery tab, and Instagram says that it also won’t show up as readily in search either.”
    • Hidden contact lists: “Instagram is also adding a new privacy measure for some users based in Ukraine and Russia. Now, private accounts based in those countries will have their following and follower lists private and their mutual friend lists hidden, adding a layer of protection that obscures real-life social connections.”
  • Amazon announces AWS and delivery restrictions to Russia and Belarus:
    • Shipment of retail products suspended to customers based in Russia and Belarus;
    • No longer accept new Russia and Belarus-based AWS customers and Amazon third-party sellers.
    • Access to Prime Video suspended for customers based in Russia;
    • No longer take orders to the videogame New World;
  • Ubisoft stops all sales in Russia;
  • Report of websites blocked in Russia by
    • “We analyzed over 5,000 entries to Russia’s central registry of blocked websites and found over 200 domains relating to the Ukraine invasion have been banned since Feb 24”;
    • Notable bans:, Facebook, Twitter, BBC News, Deutsche Welle, Ukrayinska Pravda,, Interfax-Ukraine, Radio Free Liberty sites and Voice of America;
    • News sites: “over 120 domains now blocked, mainly Ukrainian news services but growing numbers of independent Russian and foreign services with local language sites”;
    • Financial sites: “over 40 foreign exchange and cryptocurrency platforms blocked since the run on the rouble”;
    • Full data by Simon Migliano on Websites Blocked in Russia Since Ukraine Invasion.
  • Report on Russian web censorship. The website blocks in Russia are analysed by the Open Observatory of Network Interference (OONI), a non-profit free software project that aims to empower decentralized efforts in documenting internet censorship around the world. In general censorship in Russia is generally implemented in a decentralized way, as blocks are not observed on all networks, while ISPs adopt a variety of different censorship techniques. Other key findings (amongst others) are:
    • Media censorship. Russia recently started blocking access to independent Russian news media websites (such as Dozhd and New Times) and foreign news media websites (such as BBC, Deutsche Welle, Russian version of Voice of America, and Russian service of Radio Liberty);
    • Blocking of a website about captured and killed Russian soldiers. Russia blocked access to, which was created by representatives of the Ministry of Internal Affairs of Ukraine to share information about captured and killed Russian soldiers in Ukraine;
    • Centralized throttling of Twitter. OONI data suggests that access to was throttled in Russia between 26th February 2022 to 4th March 2022. As the throttling of seems to have stopped across all ISPs in Russia at the same time (~08:00 on 4th March 2022 UTC), it appears to have been centralized. Moreover, interference to appears to have changed from throttling to blocking (through the injection of a RST packet) on 4th March 2022;
    • Blocking of Facebook and Twitter. OONI data shows that access to and was blocked in Russia by 4th March 2022 (primarily through the injection of RST packets);
    • Decentralized censorship. Every Internet Service Provider (ISP) in Russia is responsible for implementing government-mandated blocks independently. As a result, they observe variance in how internet censorship is implemented across Russia, as blocks are not implemented on all networks in the country, and different ISPs adopt different censorship techniques. Some ISPs implement blocks through the use of multiple techniques at the same time, making circumvention harder.
  • ICANN Enacts Relief for Registrants in Ukraine and Surrounding Region. Registrants risked losing their domain names because they were unable to renew their domain names in a timely manner. The ICANN relief meant that registrars got the flexibility to extend the domain name registration renewal period for domain name holders in affected areas.
  • Hacking groups such as Anonymous and the Cyber Partisans have claimed responsibility for cyberattacks on Russia’s banks, state broadcaster RT, and a Belarusian rail network reportedly used to move troops from Russia to Ukraine. Expert fear that hacking attacks and cyber warfare could lead Russia to cut itself off from the internet.
  • Russian Internet Governance Forum (RIGF 2022) has been postponed.


  • TikTok restricts new content from Russian users following new disinformation laws being passed in Russia;
  • Netflix suspends services in Russia “given the circumstances on the ground”;
  • Payments to Russian Twitch creators suspended;
    • Excerpts from a Twitch email sent out: “payouts to the financial institution associated with your Twitch account have been blocked as a result of sanctions… Twitch complies with economic sanctions imposed by the United States and other governments, and is complying with those imposed in response to the situation in Ukraine. These sanctions may limit or impact your access to payouts, ability to monetize your stream, and/or financially support other creators.”
  • Nexta tweets that Russia will begin ‘disconnecting’ from the global internet: “no later than March 11, all servers and domains must be transferred to the #Russian zone. In addition, detailed data on the network infrastructure of the sites is being collected.”





  • Netflix pauses all acquisitions and projects from Russia.
  • Statements concerning EURALO Communique on Ukraine by Sebastien Bachollet (Chair EURALO Chair and Maureen Hilyard (ALAC Chair), ICANN’s Advisory Committees.
  • Vice Prime Minister and Minister of Digital Transformation of Ukraine, Mykhailo Fedorov, has requested Xbox and Sony – via twitter – to block Russian and Belarusian accounts and prevent gamers and teams from participating in or hosting esports events.
  • Official response to Ukraine’s request to ICANN concerning internet sanctions on Russia by Göran Marby, President & CEO | ICANN.
  • Spotify announces a number of measures:
    • RT and Sputnik removed from platform;
    • Moscow office closed, although platform is still available to Russian users;
    • Localized ‘trusted news’ sources feature added.
  • As part of the EU sanctions against Russia following the invasion of Ukraine the EU officially boots Russia’s RT, Sputnik outlets. Main aspects are:
    • The sanctions against the news groups were published in the EU’s Official Journal, effectively providing legal grounds to implement the Commission and EU governments’ decision to take both Russian state-run organizations off the air and offline within the bloc.
    • The EU’s exceptional move is far-reaching and covers any means of transmission or distribution, such as cable, satellite, Internet Protocol television, internet service providers, video-sharing platforms and applications carrying content from RT and Sputnik.
    • Licenses, authorizations and distribution agreements will also be suspended.
    • The sanctions target Sputnik as well as five legal entities of RT, formerly known as Russia Today: RT English, RT UK, RT DE for German-language reports, RT France and RT en Español for Spanish-language reports.
  • Apple CEO Tim Cook sent out an email to all 80.000 Apple employees addressing the Russian invasion of Ukraine and that Apple will be matching donations they make to certain humanitarian relief funds two to one, and will do so retroactively for donations made since February 25th.
  • The Ukrainian government calls on tech companies to cut business relations with Russia. Several tech companies stop (partly) with their services to Russia. In addition, cybersecurity company Proofpoint reports spearphishing attacks on European government agencies by various state actors. The aim seems to be that these actors try to gain more insight into the reception and migration of Ukrainians.







  • Russia invades Ukraine;
  • US President Biden has been presented with options for massive cyberattacks against Russia. The options presented include disrupting the internet across Russia, shutting off power and stopping trains in their tracks.
  • The Intercept reports that Meta reverses ban for expressing Azov support on Facebook.
  • Internet outages are reported in some parts of Ukraine.
  • After the invasion of Russian troops in Ukraine, various non-state actors have become involved in the conflict. That same evening, hackers collective Anonymous declares war on Russia. Subsequently, volunteers affiliated with this collective claim to have taken various Russian government and media websites offline through DDoS attacks. This group of volunteers also claims to have sensitive data from the Russian Ministry of Defense. These claims cannot always be verified, which can cause ambiguity and confusion.


  • Violent DDoS attacks targeting targets in Ukraine are being carried out. Various government websites are temporarily reduced or completely inaccessible. This includes the websites of various ministries. Simultaneously, several phishing campaigns are detected. In addition, during the evening of February 23, various parties reported a new wiper malware that they found on systems in Ukraine. ESET, Symantec and SentinelOne, among others, have published analyses. This malware is called HermeticWiper. There are functional similarities with the previously observed WhisperGate wiper campaign from January 13 and 14. The new wiper also aims to corrupt files and prevent computer systems from booting. This new malware seems to be more thorough than the wiper malware used in the previous campaign. There are currently no indications that this new wiper contains any functionality that could lead to a worm that could infect systems connected via the network.



  • There are several digital attacks on various targets in Ukraine. These include DDoS (Distributed Denial of Service) attacks that are used to affect the capacity of online services or the supporting servers and network equipment. The Ministry of Defense and two national banks in Ukraine are hit. An SMS campaign will also take place on February 15, with the message that ATMs are experiencing a technical malfunction. Official channels in Ukraine indicate that this is disinformation. There are no such disturbances. The NCSC currently has no concrete indications that targeted attacks on Dutch organizations are taking place related to the current situation around Ukraine.




  • The Ukrainian security service SSU issues a statement about an attack on the websites of various government parties. Messages are posted on the websites in which it is stated in threatening language in Polish, Ukrainian and Russian that the personal data of Ukrainian citizens have been stolen and that citizens should “prepare for the worst”. Such an attack in which a website is daubed is also called ‘defacement’. In a subsequent statement from the SSU, it becomes clear that in all likelihood there has been a supply chain attack on the supplier that maintains the websites, possibly in combination with a vulnerability in OctoberCMS (CVE-2021-32648) and Log4j. This supplier has elevated rights within the environment so that the websites can be adjusted.


VPN live tracker:

  • According to Top10VPN, between February 27- March 3 VPN use in Russia surged 668%, while Ukraine saw a jump of 609% during February 27-March 2.

Leave a Reply