Russia appears to deploy digital defenses after DDoS attacks

The conflict online is mirroring the conflict offline: Amid Russia’s invasion of Ukraine, attacks and defense are being deployed in cyberspace. The Russian government appears to have deployed a digital drawbridge to protect websites, the Ukrainian government has issued a call to arms among local hackers, and alleged hacktivists have claimed credit for knocking the website of Russian state-run news service RT News offline.

On Thursday, Russian government websites went dark to some parts of the world after being targeted with a flood of web traffic via a distributed denial-of-service (DDoS) attack attempting to knock them offline. It’s unclear who directed the attack or if it was successful in disrupting the sites. 

However, cybersecurity researchers say the Russian government appears to be deploying a defensive technical measure known as geofencing to block access to certain sites it controls, including its military website, from areas outside Russia’s sphere of influence—complete with a joking nod to internet infrastructure. 

Ukrainian government sites were pushed offline last week during the run-up to the Russian invasion of Ukraine, the Record reported. The U.S. and the U.K. attributed those attacks to the Russian government. Cybersecurity researchers also said Wednesday that Ukrainian computer networks had been hit with malware designed to destroy data on their systems for the second time this year. The invasion began Thursday morning.

No one appears to have claimed credit for the DDoS attacks, which suggest they were unsuccessful, James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies, told the Record. 

“DDoS is the most basic form of cyberattack, it’s not that hard—either Ukrainians or people who support Ukraine could have launched them again,” he said. 

Global network watchers noted the DDoS attacks, including Netblocks and Kentik director of network analysis Doug Madory. 

Now seeing DDoS attacks against Russian govt websites in possible retaliation to DDoS attacks against Ukrainian websites. #UkraineRussiaConflict

Among the RU targets, https://t.co/bvhrm8D6hb which is hosted by AS8291 (Russia State Internet Network). pic.twitter.com/4vhbO8NCte

— Doug Madory (@DougMadory) February 24, 2022

However, the targeted Russian government sites—including the primarily military domain, mil.ru—appear offline to some international visitors due to the apparent geofencing that limits traffic from sources outside Russia’s sphere of influence. 

“Based on the data we got, traffic to mil.ru appears to be administratively blocked from outside of Russia,” Madory told the Record, after he attempted to access the website from servers located around the world in response to our research inquiry. 

That means the people operating the website configured the servers to not actually show the content of the website to people trying to access it from overseas.

Instead, those attempting to access the website from blocked areas get an HTTP Error 418 response.

Confusion around the outage of some of the Russian government’s sites was also exaggerated by how Russian web servers handled the apparent DDoS attacks, showing a “418 I’m a teapot” error.

Starting out as a Google prank in the late ’90s, 418 server errors are not part of any official standard, but some web servers choose to serve them anyway. They are commonly used as a “network administrator inside joke” to block incoming traffic.

The errors are typically used as responses to DDoS attacks and website or API scraping attempts—as a way to let attackers know their actions have been discovered and are being actively blocked.

The joke and the apparent selective inaccessibility of the military site suggests Russia moved defensively to avoid potential embarrassment, according to Lewis. The Russian Embassy did not respond to a request for comment. 

The Russian government websites were also not the only ones that also faced DDoS attacks Thursday. Madory said he also observed traffic reflecting apparent attacks targeting major Russian banks Sberbank and Alfabank.

The dual targeting was later confirmed by Netlab, the network security division of Chinese tech giant Qihoo 360.

The perpetrators of these attacks remain unknown, but the sudden and senseless breakout of the Russo-Ukrainian armed conflict this week has also drawn a lot of sympathy on the side of the Ukrainian side, including from the Anonymous hacktivist group, which called on its members to attack Russian government targets.

In the face of dwindling odds, Ukraine will need all the help it can get. Lacking any military cyber units, Reuters reported Thursday that the country’s defense officials have called on the local IT and security researchers for help in a document shared on Telegram, asking them to protect critical infrastructure and mount cyber espionage missions against Russian targets.

Days before Russia’s invasion put boots and tanks on the ground, the EU said it would deploy a team of cybersecurity professionals to help Ukraine, but as of Friday, that help has not arrived—and may not at all because of the already-ongoing conflict.

In the meantime, many countries, including the U.S., the U.K., Australia, Germany, and New Zealand, have warned their private sector about the risk of potential spillover from any cyberattack conducted by Russian hackers. Some countries have also taken into consideration the possibility that Russia may respond to any economic sanctions via destructive cyberattacks out of sheer pettiness.

In a press conference Thursday, U.S. President Joe Biden said the White House was working with the private sector to be prepared for potential Russian cyberattacks and warned there would be retaliation.

“If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond,” Biden said, echoing a similar threat made by the U.K. secretary of state for defense earlier in the week.

Note: This story was updated Feb. 25th with additional reporting and a date correction.