In preparation for a data sprint with the University of Amsterdam, Michael Dieter has been keeping track of changes to platform policies. His document concerning Platform Geopolitics was initially published in the Tactical Media Room, a new Signal group that was initiated by de Waag, Institute of Network Cultures and Freedom Internet to build a “network to support independent media in Ukraine, Russia and Belarus.”
Michael’s overview offers a captivating perspective for all who are interested in having an informed debate about the current developments in internet governance.
- Internet Society Pulse is “Investigating internal hijacks for content providers on Russian networks”. Main take-aways:
- It seems that a good percentage of networks in Russia are generating false BGP announcements inside their network to redirect traffic destined to Twitter.
- Google publishes a blog about the actor Coldriver operating from Russia. This actor is said to have made phishing attempts at, among other things, a NATO department. Google has no evidence that these attempts have been successful. This group has been active since 2015 and in the past has attacked various targets such as ministries, NGOs and journalists.
- Internet Society Pulse observed significant increases in the rates of anomalous results in Russian Web Connectivity tests of the Open Observatory of Network Interference (OONI) (a global community measuring internet censorship around the world), compared to the week prior to the invasion. Main take-aways:
- Nearly all categories of web content saw at least some increase in failures to load, including the category of “Control content” (websites unlikely to attract the attention of any censor), suggesting an increase in the background of network congestion.
- Some categories were impaired much more significantly than the average, including social networking (increase in anomalous tests from 4% to 26%), media sharing (from 8% to 20%), and foreign news media overall (from 8% to 20%).
- These measurements are consistent with Russia’s imposition of Internet content blocks to restrict the domestic availability of information about the Ukrainian war.
- A service that continuously monitors changes in the routing table across the world notified its followers of some suspicious activity involving a network that is held by Twitter.
- A major DDoS attack on the Ukrainian internet service provider Ukrtelecom leaves services for customers of this provider temporarily unavailable.
- A Russian internet provider carries out a short-lived BGP hijack of the Twitter address space. The BGP announcement ultimately has little effect because Twitter protects the BGP announcements with RPKI.
- Many Russian networks stopped propagating their routes through the Giganet Exchange in Kiev, thereby breaking the direct connections between Ukrainian networks.
- It might be that these networks deliberately decided to shut down their BGP peering sessions based on instructions from the Russian authorities.
- A major internet disruption caused by a cyberattack has been registered across Ukraine on national provider Ukrtelecom. Real-time network data show connectivity collapsing to 13% of pre-war levels. The attack was foiled and the company resumed its services.
- The Security Service of Ukraine (SBU) has destroyed five “enemy” bot farms engaged in activities to spread ‘panic’ among citizens. Over 100,000 fake accounts were allegedly used to spread misinformation about Russia’s invasion.
- Hacked WordPress sites force visitors to DDoS Ukrainian targets. Threat actors are compromising WordPress sites to insert a malicious script that uses visitors’ browsers to perform distributed denial-of-service attacks on Ukrainian websites.
- Max Stucchi (Regional Technical Advisor – Europe, Internet Society) and Robin Wilton (Director Internet Trust, Internet Society) checked some new data available in Cloudflare Radar, which provides per-Autonomous System Number (ASN) statistics. Main take-aways:
- Their goal was to check if Cloudflare’s data matched what they had already seen for some of the networks they were monitoring.
- However, they soon noticed a strange pattern and now speculate that the blocks they noticed could be part of the system that is helping the Russian government apply selective filters to content that is deemed inappropriate or, as mentioned in yesterday’s post, produced or served by what is considered as an “extremist organization”.
- Hanna Kreitem (Technical Expert, Middle East, Internet Society) and Max Stucchi (Regional Technical Advisor – Europe, Internet Society) started to look at the OONI Web Connectivity test measurements, prior to the beginning of the conflict, from a different angle, examining the number of anomalies recorded. Main take-aways:
- They do see a slight increase in the number of anomalies reported, and a large increase in the number of tests run specifically on the 13th of March. This is the day before the Russian government announced that Instagram was going to be blocked.
- Increased Anomalies Expected.
- Anonymous publishes leak of the Central Bank of the Russian Federation.
- Internet Archive races to save Ukrainian web content.
- Three Russian spies have targeted energy infrastructure in 135 countries for five years in an attempt to allow the Russian government to remotely control power plants, the US Department of Justice alleges in a charge released on March 24.
- Google modifies its “advertiser-friendly content guidelines” and states: “Due to the war in Ukraine, content that exploits, dismisses, or condones the war is ineligible for monetization until further notice. This update is meant to clarify, and in some cases expand, our guidance as it relates to this war.”
- The new policy affects any website, app or YouTube channel.
- Within a few hours after Google modified its guidelines, the Russian internet regulator, Roskomnadzor, announced its Google News block and stated: “The mentioned U.S. Internet news resource provided access to numerous publications and materials containing unreliable, publicly significant information about the course of the special military operation in Ukraine.”
- Hordes of Ukrainian coders are splitting their time between doing their day jobs and fighting a cyber war with Russia. Over 311,000 people have joined a group called “IT Army of Ukraine” on the social media platform Telegram.
- CERT-UA reports a new wiper malware called Double Zero. This malware is distributed via .zip files.
- RIPE NCC organizes a Cooperation Working Group Remote Session for an “Open Discussion on Internet Sanctions and Connectivity” with working group co-Chairs Achilleas Kemos, Johan Helsingius and Desiree Miloshevic.
- Russia opened a criminal case against journalist Alexander Nevzorov under its new law criminalising the publication of “false” information on the war in Ukraine.
- RIPE NCC publishes its analysis, dubbed “How Is Russia Connected To The Wider Internet?”, on the connectivity of the Russian Internet to the wider Internet and how this evolved around the Russian invasion of Ukraine and the connectivity effects due to sanctions. Main take-aways:
- The Internet currently consists of over 70,000 networks.
- At the network level, the Russian Internet is very interconnected and resilient, and RIPE NCC doesn’t see sanctions having much of an effect at that level.
- A comparison of pre- and post-invasion latency for a number of Russian networks indicates that some changes are detected that might be due to an increase in congestion (as seen at the beginning of the COVID pandemic).
- The larger picture is that not much has changed since the start of the Russian invasion of Ukraine.
- US President Joe Biden is warning companies in his country of potential Russian cyberattacks, including in response to Western sanctions against Russia.
- Ukraine CERT (CERT-UA) has released new details on a Chinese threat actor named Scarab targeting Ukraine. Main take-aways:
- SentinelLabs confirms it is associated with the suspected Chinese threat actor known as Scarab. The malicious activity represents one of the first public examples of a Chinese threat actor targeting Ukraine since the invasion began.
- Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip.
- While technical specifics vary between campaigns, the actor generally makes use of phishing emails containing lure documents relevant to the target, ultimately leading to the deployment of HeaderTip.
- Activists are targeting Russians with open-source “protestware”, meaning among other things:
- At least one open-source software project has had malicious code added which aimed to wipe computers located in Russia and Belarus.
- The most severe case of protestware so far took place inside a popular open-source project called node-ipc, which helps build neural networks. It is downloaded more than a million times every week.
- Protestware is just the latest of multiple attempts by activists to use tech to pierce Russian censorship and deliver anti-war messages.
- Russian banks are advising clients to stop updating software.
- Russia finds Meta guilty of ‘extremist activity’ with the remarks that:
- WhatsApp is “excused” because it doesn’t have a “public information sharing” function.
- But experts believe this is because there is no local and Kremlin-friendly alternative to WhatsApp.
- CERT-UA warns of attacks by hacker group InvisiMole. This group is linked to the Russian APT Gamaredon.
- Anonymous Hackers Fire ‘Warning Shot’ at Companies Refusing to Pull Out of Russia; this is done via Twitter.
- Roskomnadzor warns YouTube to stop ‘anti-Russian’ ads.
- RIPE NCC’s Chief Legal Officer, Athina Fragkouli, confirms RIPE NCC’s full compliance with the latest EU sanctions in their post “EU Sanctions and Our Russian Membership”. Main take-aways:
- EU sanctions on Russia have raised questions about RIPE NCC’s compliance with the new sanctions.
- EU sanctions also entail financial restrictions and consist of:
- (a) freezing the funds or economic resources of sanctioned entities and individuals
- (b) not making funds or economic resources available to these entities and individuals
- The registration of Internet number resources is considered to be an economic resource by the Dutch Ministry of Foreign Affairs (MFA).
- The MFA confirmed there was no need to deregister the Internet number resources held by sanctioned parties.
- Other RIPE NCC services, such as the operation of K-root, are not considered to be economic resources.
- EU sanctions do not prohibit RIPE NCC from receiving payments from sanctioned parties.
- The new sanctions do not prohibit RIPE NCC services from being provided in Russia.
- RIPE NCC postpones invoicing Russian sanctioned members due to banking restrictions.
- Russian (dis)information campaigns on Twitter seem not targeted at the US or Europe, but at five major emerging economies (Brazil, Russia, India, China, and South Africa) and also at Africa and Asia in general, according to a contemporary Twitter analysis by Carl Miller, Research Director of the Centre for the Analysis of Social Media.
- PayPal expands services for Ukrainians by allowing peer-to-peer PayPal or Xoom payments without normal fees, along with the ability to transfer money to Mastercard and Visa cards, among other features.
- Natalie Campbell and Carl Gahnberg of Internet Society publish the Internet Impact Brief: “How Refusing Russian Networks Will Impact the Internet” and a Quick Analysis – “The Impact of Efforts to Disconnect Russia from the Internet”. Main take-aways:
- It is important to remember that the Internet is an incredible force for good. The pandemic has shown its potential to facilitate global efforts to find new ways of living, working and learning, and solving some of our toughest problems yet.
- Many civilians under oppressive regimes and victims of conflict rely on access to the global Internet for reliable information, and as a lifeline to keep themselves safe from harm.
- Restricting networks from the global Internet causes significant harm to key elements the Internet needs to exist and thrive.
- The impact of the politically motivated actions to prevent people from accessing the Internet might not be reversed as there is a significant risk that politically motivated actions to disconnect users from the global Internet set a precedent and trend that play into the hands of regimes seeking to censor, block and control Internet access.
- Companies that own and operate parts of the Internet’s infrastructure play an important role in the Internet’s ecosystem.
- Security Affairs reports a destructive node-ipc package (malware attack) targeting organizations in Russia and Belarus.
- The “Platform Geopolitics in 2022: Russian invasion of Ukraine – an incomplete overview” by Michael Dieter has been published for the first time on the Internet Society Netherlands website.
- Large-scale Attempted Attack Against Popular Media. The Security Service of Ukraine reported an attempt of a large-scale cyberattack on the websites of popular Ukrainian media on March 17. Hackers also tried to attack the Slovo i Dilo website. The SBU’s account on Telegram reported that the websites were defaced using symbols banned in Ukraine.
- Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware. The Ukrainian Ministry of Defense notified CERT-UA about the distribution of e-mails containing malicious files and targeting the Ukrainian government and military entities. As a result of the attack, the victim’s computer would be infected with SPECTR malware.
- TechCrunch reports that the Russian Apple App Store has lost 6,982 mobile apps since the Ukraine invasion began as companies remove their apps and games, according to data shared by app intelligence firm Sensor Tower;
- Meta removes deepfake of Ukrainian President Zelenskyy surrendering from Facebook;
- Ukraine legalizes the crypto-sector, as it receives millions in crypto donations.
- The Global NOG Alliance announced on the RIPE mailing lists that they started a new initiative (or a task force) called “Keep Ukraine Connected”, aiming at mobilizing the global technical community to support Ukrainian operators and community by donating and delivering the hardware that they need to keep the lights on and Internet connectivity available in the country.
- Russian tech entrepreneurs to launch ‘Rossgram’ photo-share app after Instagram blocked by Russian authorities.
- The Security Service of Ukraine (SBU) claims to have captured a hacker who was helping to provide communications services for Russian troops inside Ukrainian territory.
- Slack, the lifeblood for internal communications at many businesses and organizations, has started disconnecting customers in Russia.
- Domain registrar and web host Namecheap and e-mail marketing tool Mailchimp have pulled back their service in Russia & Belarus. Access Now Tech-Legal Counsel Natalia Krapiva claims that these parties have skipped due diligence & are now silencing some of Putin’s fiercest critics as civil society voices are also being taken offline in the process. Krapiva also stated: “It’s not going to be helpful to isolate Russian citizens and leave them only with state propaganda that’s inciting them and urging them to hate Ukrainians.”
- Ukrainian Internet Shrinks by Over 15%. Data analysis by the Internet Society Pulse service using the Internet Outage Detection and Analysis tool (IODA) shows a decline in the reachability of Ukrainian Internet address space since the beginning of the recent conflict with Russia. Over 15% of previously reachable Internet addresses are no longer responsive to probes from IODA.
- ‘Hacked’ Ukrainian TV Station Transmits Fake Zelensky Surrender Announcement. TV station Ukraine 24 falsely reported Wednesday that the Ukrainian President had urged Ukrainians to stop fighting and give up their weapons in what has been reported as disinformation. The program’s news ticker was hacked to display messages to appear as though they were coming from the president. The TV network confirmed that the news ticker was hacked and the messages were false. On the same day, a Telegram channel reported that hackers published to Ukrainian websites a deepfake video of the president repeating similar messages.
- Tracking Exposed special report TikTok content restriction in Russia published. Key findings include:
- “On March 7, TikTok made all the content posted by non-Russian channels unavailable to Russian users. This unannounced restriction removes an estimated 95% of the content previously available to Russian TikTok users;
- Content restriction is happening at the application layer rather than the transport layer, which requires the direct involvement of TikTok. It is the first time a global social media platform has restricted access to content at this scale;
- A network of coordinated accounts is using a loophole to post new content promoting Russian pro-war propaganda in Russia, despite the current ban on new content uploads.”
- The Computer Emergency Response Team of Ukraine (CERT-UA) reports a phishing campaign in which mass e-mails are sent on behalf of the Ukrainian government. Cobalt Strike, Grimplant and GraphSteel are used for the attacks.
- Instagram blocked in Russia.
- Researchers at Slovakia-based cybersecurity firm ESET have discovered a new type of destructive wiper malware – dubbed CaddyWiper – affecting computers in Ukraine, making it at least the third strain of wiper to have hit Ukrainian systems since the Russian invasion began.
- The New York Times newspaper opens a channel on Telegram, WhatsApp’s popular counterpart in Russia, to provide “access to impartial, independent news about the Russia-Ukraine war”.
- Internet Disruption Following Cyberattack on Vinasterisk Network. Major internet disruption registered on the Vinasterisk network which serves Vinnytsia Oblast, western Ukraine. The operator reported a massive cyberattack with elements of sabotage.
- Statement by Kat Townsend, Web Foundation Interim Director of Policy: “The open internet in Russia must be protected. Here’s why.”
- Meta alters policy on hate speech and allows calls for violence against Russian soldiers and leaders on Facebook in Armenia, Azerbaijan, Estonia, Georgia, Hungary, Latvia, Lithuania, Poland, Romania, Russia, Slovakia and Ukraine;
- Instagram access to be blocked in Russia as general prosecutor’s office categorizes Meta as an “extremist organisation” following relaxed hate speech policies;
- Google announces the removal of Russian state-funded media channels globally on YouTube, expanding ban from just Europe; “Our Community Guidelines prohibit content denying, minimizing or trivializing well-documented violent events”;
- Twitter removes Russian Embassy’s tweet accusing pregnant bombing victim of being a crisis actor;
- Vice reports that Russian TikTok influencers are being paid to spread Kremlin propaganda;
- “Numerous campaigns have been coordinated in a secret Telegram channel that directs these influencers on what to say, where to capture videos, what hashtags to use, and when exactly to post the video”;
- Emillie de Keulenaar on Twitter: “does the moderation of Russian content on Western platforms (FB, TW) + Russia’s own “de-platforming” of Western social media suggest that Russian content is increasingly demarcated within Russian platforms?”
- A group of academics, engineers, politicians, civil society members and entrepreneurs sign a Multistakeholder Imposition of Internet Sanctions. The group states that the invasion of Ukraine poses a new challenge for multistakeholder Internet infrastructure governance. In their statement, they discuss possible sanctions and their ramifications, lay out principles that they believe should guide Internet sanctions, and propose a multistakeholder governance mechanism to facilitate decision-making and implementation.
- Anonymous has leaked 20 terabytes of data after a digital attack on the German branch of Russia’s Rosneft. The German intelligence service BSI has warned vital sectors in response.
- DuckDuckGo announces that sources of Russian disinformation would be ‘downranked’, prompting major user backlash;
- Google pauses its billing system for GooglePlay users in Russia impacting on the app economy, although free apps will still be available;
- Google announces a rapid Air Raid Alerts system for Android phones in Ukraine.
- RIPE Labs publishes their first report on “The Resilience of the Internet in Ukraine”.
- RIPE NCC official Response to Request from Ukrainian Government (including “Letter from the Vice Prime Minister of Ukraine to RIPE NCC” and “Response from Managing Director of the RIPE NCC”).
- Russian Internet Takes a Hit as Cogent Cuts Off Its Backbone Network. A major internet service provider’s disconnection is a new step toward the “splinternet” that adds fragmentation to the global communication network.
- Facebook breaks its own moderation rules to – temporarily – allow for some calls to violence against Russian invaders.
- U.S. President Biden and his administration are called on by more than 35 civil society organizations (amongst others Internet Society, Center for Democracy & Technology, Electronic Frontier Foundation, Free Press Unlimited, Human Rights Watch, Freedom House, Wikimedia Foundation, US Ukrainian Activists and World Wide Web Foundation) to ensure the people of Russia and Belarus are not cut off from the internet. The signatories deplore Russia’s invasion of Ukraine and urge that further restricting the internet in Russia and Belarus will only accelerate violence and repression.
- VPN use in Russia is surging as citizens try to bypass government’s tightening internet control. VPNs can allow users to access some of the websites and services that are blocked or restricted.
- WeTransfer discontinues its file server services in Russia and Belarus.
- Twitter launches Tor service allowing users in Russia to bypass internet blocks;
- Sony suspends access to the PlayStation store, and also cuts off hardware shipments and software launches in Russia.
- RIPE Labs publishes about “Internet Network Shutdowns in Russia”. There have been several calls for Russian Internet networks to be shut down in one way or another and announcements that Russia is going to make such cuts.
- Dutch internet providers block six Russian media websites. Websites Sputnik and RT were among the sites blocked.
- Internet Backbone Giant Lumen will stop routing traffic for organizations based in Russia.
- A group of more than 1,300 cultural heritage professionals – librarians, archivists, researchers, and programmers – are working together to identify and archive at-risk sites, digital content, and data in Ukrainian cultural heritage institutions while the country is under attack.
- Der Spiegel reports that the German BSI, part of the German Ministry of the Interior, warns of a digital attack. This would be an attack on critical infrastructure as a result of the aid that Germany has been providing to Ukraine since the start of the war.
- Instagram announces it will downrank posts from Russian state-affiliated media, along with a number of additional measures:
- Pop ups: “users who go to share stories originating with any of these accounts will now see a pop-up message cautioning them against spreading ‘Russia state-controlled media’… users who share stories with link stickers pointing to domains associated with Russian state media will get the same treatment.”
- Removal from algorithmic recommendations: “Content from Russian state-linked accounts will also no longer appear in Instagram’s algorithmically populated discovery areas, like Reels and the discovery tab, and Instagram says that it also won’t show up as readily in search either.”
- Hidden contact lists: “Instagram is also adding a new privacy measure for some users based in Ukraine and Russia. Now, private accounts based in those countries will have their following and follower lists private and their mutual friend lists hidden, adding a layer of protection that obscures real-life social connections.”
- Amazon announces AWS and delivery restrictions to Russia and Belarus:
- Shipment of retail products suspended to customers based in Russia and Belarus;
- No longer accepts new Russia and Belarus-based AWS customers and Amazon third-party sellers;
- Access to Prime Video suspended for customers based in Russia;
- No longer takes orders for the video game New World;
- Ubisoft stops all sales in Russia;
- Report of websites blocked in Russia by Top10VPN.com:
- “We analyzed over 5,000 entries to Russia’s central registry of blocked websites and found over 200 domains relating to the Ukraine invasion have been banned since Feb 24”;
- Notable bans: Bellingcat.com, Facebook, Twitter, BBC News, Deutsche Welle, Ukrayinska Pravda, Meduza.io, Interfax-Ukraine, Radio Free Liberty sites and Voice of America;
- News sites: “over 120 domains now blocked, mainly Ukrainian news services but growing numbers of independent Russian and foreign services with local language sites”;
- Financial sites: “over 40 foreign exchange and cryptocurrency platforms blocked since the run on the rouble”;
- Full data by Simon Migliano on Websites Blocked in Russia Since Ukraine Invasion.
- Report on Russian web censorship. The website blocks in Russia are analysed by the Open Observatory of Network Interference (OONI), a non-profit free software project that aims to empower decentralized efforts in documenting internet censorship around the world. Censorship in Russia is generally implemented in a decentralized way, as blocks are not observed on all networks, while ISPs adopt a variety of different censorship techniques. Other key findings (amongst others) are:
- Media censorship. Russia recently started blocking access to independent Russian news media websites (such as Dozhd and New Times) and foreign news media websites (such as BBC, Deutsche Welle, Russian version of Voice of America, and Russian service of Radio Liberty);
- Blocking of a website about captured and killed Russian soldiers. Russia blocked access to 200rf.com, which was created by representatives of the Ministry of Internal Affairs of Ukraine to share information about captured and killed Russian soldiers in Ukraine;
- Centralized throttling of Twitter. OONI data suggests that access to twitter.com was throttled in Russia between 26th February 2022 and 4th March 2022. As the throttling of twitter.com seems to have stopped across all ISPs in Russia at the same time (~08:00 on 4th March 2022 UTC), it appears to have been centralized. Moreover, interference to twitter.com appears to have changed from throttling to blocking (through the injection of a RST packet) on 4th March 2022;
- Blocking of Facebook and Twitter. OONI data shows that access to facebook.com and twitter.com was blocked in Russia by 4th March 2022 (primarily through the injection of RST packets);
- Decentralized censorship. Every Internet Service Provider (ISP) in Russia is responsible for implementing government-mandated blocks independently. As a result, OONI observes variance in how internet censorship is implemented across Russia, as blocks are not implemented on all networks in the country, and different ISPs adopt different censorship techniques. Some ISPs implement blocks through the use of multiple techniques at the same time, making circumvention harder.
- Different censorship techniques. To block websites, OONI data shows that Russian ISPs adopt the following censorship techniques (beyond throttling):
- DNS manipulation, redirecting in some cases to blockpages
- HTTP man-in-the-middle, serving blockpages
- TLS man-in-the-middle
- Injection of a RST packet after the ClientHello during the TLS handshake (most prevalent)
- Timing out the session after the ClientHello during the TLS handshake
- Closing the connection after the ClientHello during the TLS handshake
- ICANN Enacts Relief for Registrants in Ukraine and Surrounding Region. Registrants risked losing their domain names because they were unable to renew their domain names in a timely manner. The ICANN relief meant that registrars got the flexibility to extend the domain name registration renewal period for domain name holders in affected areas.
- Hacking groups such as Anonymous and the Cyber Partisans have claimed responsibility for cyberattacks on Russia’s banks, state broadcaster RT, and a Belarusian rail network reportedly used to move troops from Russia to Ukraine. Experts fear that hacking attacks and cyber warfare could lead Russia to cut itself off from the internet.
- Russian Internet Governance Forum (RIGF 2022) has been postponed.
- TikTok restricts new content from Russian users following new disinformation laws being passed in Russia;
- Netflix suspends services in Russia “given the circumstances on the ground”;
- Payments to Russian Twitch creators suspended;
- Excerpts from a Twitch email sent out: “payouts to the financial institution associated with your Twitch account have been blocked as a result of sanctions… Twitch complies with economic sanctions imposed by the United States and other governments, and is complying with those imposed in response to the situation in Ukraine. These sanctions may limit or impact your access to payouts, ability to monetize your stream, and/or financially support other creators.”
- Nexta tweets that Russia will begin ‘disconnecting’ from the global internet: “no later than March 11, all servers and domains must be transferred to the #Russian zone. In addition, detailed data on the network infrastructure of the sites is being collected.”
- PayPal shuts down services in Russia;
- Adobe announces all new sales stopped in Russia;
- Epic Games stops commerce with Russia;
- Snapchat disables heatmap of public Snaps in Ukraine;
- Nintendo announces the eShop in Russia is temporarily placed in maintenance mode “due to the fact that the payment service [it uses] has suspended the processing of payments in rubles.”
- New Russian disinformation legislation signed into law with penalties of up to 15 years in prison for spreading ‘fake news’ about the war;
- Russia blocks Facebook and Twitter access as announced by Russian state communications regulator Roskomnadzor;
- Publication of Institute of Strategic Dialogue (ISD) report, Support from the Conspiracy Corner: German-Language Disinformation about the Russian Invasion of Ukraine on Telegram with the following findings:
- “Pro-Kremlin disinformation has been actively spread in German-language Telegram channels from conspiracy and right-wing extremist channels prior to and in the first days of the war”;
- “ISD analysts have also detected attempts to disguise state Russian content as independent opinion, and pro-Kremlin propaganda lines repeated by German conspiracy influencers”;
- At the time of publication, “the channel of RT DE is still available on Telegram and the number of its subscribers is growing. Expelled from mainstream social media platforms, Russian state propaganda outlets are likely to intensify their activity on alternative platforms, where they can tap into existing networks of misinformation spreaders and conspiracy believers”;
- Following the publication of the ISD report, alongside reporting by Politico, Telegram removed these influencer channels from the platform.
- RT and Sputnik channels are also reportedly no longer accessible in the EU on the same day.
- Electronic Frontier Foundation publishes “Telegram Harm Reduction for Users in Russia and Ukraine”.
- Mashable reports that Apple Maps now marks Crimea as part of Ukraine outside of Russia;
- Activision Blizzard suspends new sales of games and in-game purchases in Russia;
- AirBnB announces a suspension of all operations in Russia and Belarus.
- Activists are using ads to sneak real news to Russians about Ukraine. From pop-up notifications to Facebook ads, campaigners in Ukraine and beyond are using any means necessary to beat Russia’s information firewall.
- Amazon’s Twitch bans Russian state-owned media through a new policy which removes users who “persistently spread harmful misinformation.” Reportedly around 100 channels are blocked at the time of announcement.
- Statement from Andrew Sullivan, President and Chief Executive Officer Internet Society, on the Ukraine-Russia conflict: “Why the World Must Resist Calls to Undermine the Internet”.
- Warner Bros. and Disney have nixed upcoming movie releases in Russia.
- The Ukrainian SSU reports that local government websites have been hacked to post surrender messages. The SSU announces on Twitter that these messages are disinformation and calls on citizens not to take this information as true. The Ukrainian embassy in the United Kingdom also says it is suffering from digital attacks and is therefore difficult to reach.
- Netflix pauses all acquisitions and projects from Russia.
- Statements concerning EURALO Communique on Ukraine by Sebastien Bachollet (EURALO Chair) and Maureen Hilyard (ALAC Chair), ICANN’s Advisory Committees.
- Vice Prime Minister and Minister of Digital Transformation of Ukraine, Mykhailo Fedorov, has requested Xbox and Sony – via Twitter – to block Russian and Belarusian accounts and prevent gamers and teams from participating in or hosting esports events.
- Official response to Ukraine’s request to ICANN concerning internet sanctions on Russia by Göran Marby, President & CEO | ICANN.
- Spotify announces a number of measures:
- RT and Sputnik removed from platform;
- Moscow office closed, although platform is still available to Russian users;
- Localized ‘trusted news’ sources feature added.
- As part of the EU sanctions against Russia following the invasion of Ukraine, the EU officially boots Russia’s RT and Sputnik outlets. Main aspects are:
- The sanctions against the news groups were published in the EU’s Official Journal, effectively providing legal grounds to implement the Commission and EU governments’ decision to take both Russian state-run organizations off the air and offline within the bloc.
- The EU’s exceptional move is far-reaching and covers any means of transmission or distribution, such as cable, satellite, Internet Protocol television, internet service providers, video-sharing platforms and applications carrying content from RT and Sputnik.
- Licenses, authorizations and distribution agreements will also be suspended.
- The sanctions target Sputnik as well as five legal entities of RT, formerly known as Russia Today: RT English, RT UK, RT DE for German-language reports, RT France and RT en Español for Spanish-language reports.
- Apple CEO Tim Cook sent out an email to all 80.000 Apple employees addressing the Russian invasion of Ukraine and stating that Apple will match donations they make to certain humanitarian relief funds two to one, and will do so retroactively for donations made since February 25th.
- The Ukrainian government calls on tech companies to cut business relations with Russia. Several tech companies (partly) stop their services to Russia. In addition, cybersecurity company Proofpoint reports spearphishing attacks on European government agencies by various state actors. The aim of these actors seems to be to gain more insight into the reception and migration of Ukrainians.
- Google announces RT and Sputnik access removed from YouTube in Europe;
- Meta will “suppress the algorithmic spread of content” from Russian state-based media pages on Facebook and Instagram accounts, and downrank posts with any links to those outlets;
- Meta also announces encrypted direct messaging on Instagram in Ukraine and Russia;
- Apple announces several restrictions:
- Product sales are halted in Russia;
- RT and Sputnik are removed from the App Store in all markets outside of Russia;
- Traffic and live incidents in Apple Maps are disabled in Ukraine as a safety and precautionary measure for Ukrainian citizens;
- Snapchat pauses all advertising running in Russia, Belarus, and Ukraine;
- Roku removes RT from the Roku Channel Store in Europe;
- Reddit quarantines r/Russia due to ‘high volume’ of misinformation.
- ESET researchers uncover a new wiper that attacks Ukrainian organizations and a worm component that spreads HermeticWiper in local networks. The first strain, labelled HermeticWiper by researchers, was discovered on February 23rd, one day before Russia began the military invasion of Ukraine.
- Wikimedia Foundation calls for continued access to free and open knowledge as the Ukraine crisis continues.
- Wordfence researchers report hacks on websites of various Ukrainian universities during the start of the invasion. Wordfence attributes the attacks to the theMx0nda actor. This group has openly stated that it supports Russia in its war against Ukraine.
- Meta removes European access to RT and Sputnik from Facebook;
- TikTok removes European access to Russian state-owned media channels on their platform, along with restricting their ability to post new content to European users;
- Microsoft takes action across their platforms:
- “The Microsoft Start platform (including MSN.com) will not display any state-sponsored RT and Sputnik content. We are removing RT news apps from our Windows app store and further de-ranking these sites’ search results on Bing so that it will only return RT and Sputnik links when a user clearly intends to navigate to those pages. Finally, we are banning all advertisements from RT and Sputnik across our ad network and will not place any ads from our ad network on these sites.”
- Twitter adds new labels to posts from Russian state-owned media and takes measures to reduce their algorithmic reach;
- Google disables Maps live traffic tools in Ukraine.
- RIPE Labs publishes their findings concerning “The Ukrainian Internet”.
- Letter of Mykhailo Fedorov, Deputy Prime Minister, Minister of Digital Transformation | Ministry of Digital Transformation of Ukraine, to ICANN with Russia internet sanction request.
- Ukraine on Monday said it had received donated Starlink satellite internet terminals from Elon Musk’s SpaceX. The terminals look like home satellite television dishes and can provide relatively fast internet service, by residential standards, by connecting to a fleet of satellites in low orbit.
- RIPE NCC Executive Board approved a resolution on the provision of critical services. Their Executive Board believes that the means to communicate should not be affected by domestic political disputes, international conflicts or war. This includes the provision of correctly registered Internet numbering resources.
- The Belarusian Cyber-Partisans claim yet another digital attack on Belarus’ railways to thwart Russian troop movements. An up-to-date overview of cyber groups that have intervened in the conflict, including state actors such as Sandworm, can be found here.
- Taking the latest developments into account, the Dutch NCSC has published an action perspective and threat-specific measures. At the moment no active digital attacks on the Netherlands or Dutch interests are observed.
- EU announces ban on RT and Sputnik in a tweet by European Commission president Ursula von der Leyen: “the state-owned Russia Today and Sputnik, and their subsidiaries, will no longer be able to spread their lies to justify Putin’s war. We are developing tools to ban their toxic and harmful disinformation in Europe.”
- Meta removes access to Russian state-owned media accounts in Ukraine, along with other associated Russian-based accounts;
- Google removes RT app from Google Play in Ukraine;
- Telegram founder Pavel Durov posts to the platform: “in the event of an escalation of the situation, we will consider the possibility of partially or completely restricting the operation of Telegram channels in the countries involved for the duration of the conflict”, but then walks this back in a second post after backlash from users;
- Weibo removes more than 4,000 posts related to the invasion of Ukraine which were deemed to have “provoked war, made fun of the war, or spread vulgar content”;
- Douyin, TikTok’s Chinese version, removed over 3,500 videos associated with the war in Ukraine that included “vulgarity, content that trivialized the war, incendiary information, and unfriendly comments.”
- Based on the request of the Prosecutor General’s Office of the Russian Federation, access to Wikipedia is restricted by the telecom operators in the territory of the Russian Federation. Russian Wikipedia editors received a warning from the Federal Service for Supervision of Communications, Information Technology and Mass Media, also known as Roskomnadzor, claiming that the article Russian invasion of Ukraine (2022) contains false information, along with a threat that if the Russian Wikipedia editors don’t comply, the entire site will be blocked.
- Meta restricts Russian state-owned media from Facebook’s advertising network and other monetization features;
- Google pauses advertising revenue for RT and Sputnik on YouTube;
- Twitter announces suspension of advertising across the platform in Russia and Ukraine.
- Internet Society Pulse Service reports on incremental service limitation in Russia; affected services are Twitter, Facebook and news outlets. Launched in December 2020, Internet Society Pulse consolidates trusted third-party Internet measurement data from various sources into a single platform. They use the data presented there to examine Internet trends and tell data-driven stories so that policymakers, researchers, journalists, network operators, civil society groups and others can better understand the health, availability and evolution of the Internet.
- The Ukrainian Minister of Digital Transformation is calling on hackers worldwide to sign up for a “Ukrainian IT army”.
- Russia partially blocks Facebook for fact-checking state-owned media.
- Ransomware group Conti has announced its support for Russia in a statement. To support Russia, Conti threatens attacks on critical infrastructure of countries that turn against Russia. Ransomware competitor LockBit, on the other hand, says it will remain aloof in this war and that it is motivated solely by financial ends.
FEBRUARY 24th – RUSSIA INVADES UKRAINE
- Russia invades Ukraine;
- US President Biden has been presented with options for massive cyberattacks against Russia. The options presented include disrupting the internet across Russia, shutting off power and stopping trains in their tracks.
- The Intercept reports that Meta reverses ban for expressing Azov support on Facebook.
- Internet outages are reported in some parts of Ukraine.
- After the invasion of Ukraine by Russian troops, various non-state actors have become involved in the conflict. That same evening, hacker collective Anonymous declares war on Russia. Subsequently, volunteers affiliated with this collective claim to have taken various Russian government and media websites offline through DDoS attacks. This group of volunteers also claims to have sensitive data from the Russian Ministry of Defense. These claims cannot always be verified, which can cause ambiguity and confusion.
- Heavy DDoS attacks on targets in Ukraine are being carried out. Various government websites are temporarily degraded or completely inaccessible. This includes the websites of various ministries. Simultaneously, several phishing campaigns are detected. In addition, during the evening of February 23, various parties reported a new wiper malware that they found on systems in Ukraine. ESET, Symantec and SentinelOne, among others, have published analyses. This malware is called HermeticWiper. There are functional similarities with the previously observed WhisperGate wiper campaign from January 13 and 14. The new wiper also aims to corrupt files and prevent computer systems from booting. This new malware seems to be more thorough than the wiper malware used in the previous campaign. There are currently no indications that this new wiper contains any functionality that could lead to a worm that could infect systems connected via the network.
- The Ukrainian CERT-UA publishes a website report about malicious activities that they relate to the actor Buhtrap. The malware campaigns are said to aim to gain a foothold in the victim’s computer network.
- There are several digital attacks on various targets in Ukraine. These include DDoS (Distributed Denial of Service) attacks that are used to affect the capacity of online services or the supporting servers and network equipment. The Ministry of Defense and two national banks in Ukraine are hit. An SMS campaign also takes place on February 15, with the message that ATMs are experiencing a technical malfunction. Official channels in Ukraine indicate that this is disinformation. There are no such disturbances. The NCSC currently has no concrete indications that targeted attacks on Dutch organizations are taking place related to the current situation around Ukraine.
- CERT Ukraine (CERT UA) publishes some of the research into both the defacements and the attack with the malware. This study finds major similarities between the WhisperGate malware and WhiteBlackCrypt ransomware. These similarities would indicate that the attacker’s intent was to make it appear that Ukraine itself is behind the cyber attacks. After the major attacks of January 14, it has issued several warnings to Ukraine’s national CERT about other campaigns targeting government agencies. Several cybersecurity companies have also published research in response to the cyberattacks in Ukraine. For example, Palo Alto Networks Unit42, Symantec and Microsoft have investigated the activities of Gamaredon, also known as ACTINIUM. For the time being, Gamaredon’s activities cannot be related to the cyberattacks of January 14. Gamaredon is a well-known actor that has to date focused on targets in Ukraine.
- Microsoft publishes a blog about the WhisperGate malware (also called WhisperKill) that has been used against various (government) organizations in Ukraine. WhisperGate is wiper malware that pretends to be ransomware, but it lacks any ability to repair corrupted systems or files, effectively erasing files or rendering the operating system inoperable. Unlike the NotPetya wiper, which had a global impact in 2017, the WhisperGate malware does not have the ability to propagate itself without human intervention. As a result, the observed WhisperGate malware poses a significantly lower risk for the Netherlands.
- The Ukrainian security service SSU issues a statement about an attack on the websites of various government parties. Messages are posted on the websites in which it is stated in threatening language in Polish, Ukrainian and Russian that the personal data of Ukrainian citizens have been stolen and that citizens should “prepare for the worst”. Such an attack, in which the content of a website is defaced, is also called ‘defacement’. In a subsequent statement from the SSU, it becomes clear that in all likelihood there has been a supply chain attack on the supplier that maintains the websites, possibly in combination with a vulnerability in OctoberCMS (CVE-2021-32648) and Log4j. This supplier has elevated rights within the environment so that the websites can be adjusted.
VPN live tracker:
- According to Top10VPN, between February 27 and March 3 VPN use in Russia surged 668%, while Ukraine saw a jump of 609% during February 27-March 2.