ENISA’s Threat Landscape Report 2022 – Part 8 – Impact of Russian war

The effects of internet use, and of the unrestricted flow of information it enables, are felt by every individual in Europe. For a large share of the population the internet has become a basic necessity: it is how they work, study, express their opinions, take part in political debate and keep in touch socially.

Internet Infrastructure Physical Take-Over and Destruction

Since the invasion of Ukraine, Russia has been actively taking over Ukrainian internet infrastructure. This includes rerouting traffic through Russian networks, as in Kherson, where local providers were forced to hand over control and route mobile and internet traffic over Russian-owned networks. Controlling the network lets Russia control the narrative around the war, prevent information from leaking out, block access to social media and carry out surveillance.

Ukrainian cellular networks are being shut down, forcing residents onto Russian mobile operators. There are also reports of communication infrastructure being destroyed: according to the Ukrainian government, roughly 15% of the country's internet infrastructure had been destroyed as of June 2022. To keep critical infrastructure operating, the Ministry of Digital Transformation is exploring alternatives such as satellite internet (Starlink).

Active Censoring

Around 3,000 websites have been blocked in Russia since February 2022, mostly over content relating to the invasion of Ukraine. High-profile news and social media sites on the list include Instagram, Facebook, Twitter, Google News, BBC News, NPR, Die Welt, The Telegraph, Bellingcat and Amnesty International; about a thousand of the blocked sites are Ukrainian.

To measure the various forms of internet censorship, volunteers in roughly 160 countries run OONI Probe, software that collects measurements and publishes them in near real time. Analysis of measurements from Russia shows that the most common blocking method is injection of a TCP RST packet immediately after the client's TLS ClientHello (the first handshake message, which carries the requested server name in cleartext), followed by DNS-based filtering. Tor has also been blocked since December 2021: 15 of the 65 autonomous systems (ASes) tested showed Tor being blocked, although it remained reachable from most networks in Russia.
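The classification behind a finding like "RST injection first, DNS filtering second" is a staged comparison: did the in-country resolver answer the same as a trusted one, did TCP connect, and did the TLS handshake complete or die with a reset right after the ClientHello. The following Go program is an added example written for this article, not OONI's code or data schema; it models that logic over constructed measurement records (documentation IP ranges, made-up hostnames) and tallies which stage blocking was observed at. The field names, verdict labels and the simplified DNS consistency rule are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Measurement is a constructed, simplified record of one web-connectivity test,
// following the stages OONI's web_connectivity test reports on (DNS, TCP
// connect, TLS handshake). It is not OONI's schema or code.
type Measurement struct {
	ProbeDNS     []string // answers from the in-country resolver the probe uses
	ControlDNS   []string // answers from a trusted resolver outside the country
	TCPConnected bool     // the TCP three-way handshake completed
	TLSError     string   // "" on success; otherwise e.g. "connection_reset", "timeout"
}

type Verdict string

const (
	VerdictOK       Verdict = "accessible"
	VerdictDNS      Verdict = "dns_filtering"
	VerdictTCP      Verdict = "tcp_ip_blocking"
	VerdictTLSReset Verdict = "tls_rst_injection"
	VerdictTLSOther Verdict = "tls_failure"
)

// dnsConsistent is a simplified check: at least one probe answer must match the
// control resolver and none may be a loopback, private or unspecified address
// (typical bogus answers from a filtering resolver). Real analysis also accepts
// different IPs from the same ASN to allow for CDNs.
func dnsConsistent(probe, control []string) bool {
	match := false
	for _, p := range probe {
		addr, err := netip.ParseAddr(p)
		if err != nil || addr.IsLoopback() || addr.IsPrivate() || addr.IsUnspecified() {
			return false
		}
		for _, c := range control {
			match = match || p == c
		}
	}
	return match
}

// Classify walks the stages in order and returns the first one that failed.
func Classify(m Measurement) Verdict {
	if !dnsConsistent(m.ProbeDNS, m.ControlDNS) {
		return VerdictDNS
	}
	if !m.TCPConnected {
		return VerdictTCP
	}
	switch m.TLSError {
	case "":
		return VerdictOK
	case "connection_reset":
		// TCP worked but a RST arrived right after our ClientHello: the
		// signature of a middlebox keying on the cleartext SNI.
		return VerdictTLSReset
	default:
		return VerdictTLSOther
	}
}

// Tally counts verdicts across a set of measurements.
func Tally(ms []Measurement) map[Verdict]int {
	t := make(map[Verdict]int)
	for _, m := range ms {
		t[Classify(m)]++
	}
	return t
}

// TopMethod returns the most frequent blocking verdict (accessible excluded);
// ties are broken alphabetically so the result is deterministic.
func TopMethod(t map[Verdict]int) Verdict {
	var best Verdict
	for v, n := range t {
		if v == VerdictOK {
			continue
		}
		if best == "" || n > t[best] || (n == t[best] && v < best) {
			best = v
		}
	}
	return best
}

// SampleMeasurements is constructed data (documentation IP ranges), not real
// OONI results.
func SampleMeasurements() []Measurement {
	return []Measurement{
		{[]string{"198.51.100.7"}, []string{"198.51.100.7"}, true, "connection_reset"}, // news site
		{[]string{"198.51.100.8"}, []string{"198.51.100.8"}, true, "connection_reset"}, // social network
		{[]string{"10.10.34.35"}, []string{"203.0.113.20"}, false, ""},                 // resolver lied
		{[]string{"192.0.2.10"}, []string{"192.0.2.10"}, true, ""},                     // unblocked
	}
}

func main() {
	t := Tally(SampleMeasurements())
	fmt.Printf("%v\nmost common blocking method: %s\n", t, TopMethod(t))
}
```

The order of the checks matters: a site whose DNS answer was already forged never reaches the TLS stage, so counting only handshake failures would undercount DNS filtering. The reset case is also distinguishable from a timeout, which is why the tally separates RST injection from other TLS failures.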

In response to disinformation about Ukraine, the EU suspended the broadcasting activities of Sputnik and RT within the Union. The decision covers only RT's broadcasting activities, but some European countries and social media platforms are also blocking access to the websites of Russian outlets.

State-owned Certificate Authority

After the invasion of Ukraine, many Western governments imposed sanctions on Russia. Sanctions on financial institutions prevented Russian organisations from renewing their TLS certificates, so many websites ended up presenting expired certificates and browsers flagged the connections as untrusted. In response, the Russian Ministry of Digital Development began offering legal entities in Russia a free alternative for obtaining a certificate.

A certificate authority (CA) issues certificates and, once vetted, is treated as a trusted third party. When the state itself runs the CA, it can issue a valid certificate for any domain name, which makes intercepting its citizens' HTTPS traffic with a man-in-the-middle attack straightforward: the browser will accept the forged certificate because it chains to a trusted root. Because of ongoing attacks and the general lack of trust in Russia as a partner, the new CA is trusted only by two browsers, Yandex Browser and Atom; any other browser warns the user or refuses to load the site. For end users in Russia, the inability to renew certificates from established CAs has therefore harmed both their security and their privacy.

BGP Hijacking

BGP hijacking is a technique in which an attacker manipulates internet routing by falsely announcing ownership of IP prefixes (blocks of IP addresses). The result can be misrouting, interception of data, blackholing (the traffic is simply dropped) or redirection to a different website. The impact can be significant, because a bogus announcement can propagate well beyond the area the attacker targeted. Incidents can also be caused by misconfiguration, which makes it hard to tell whether a given event is malicious or accidental.
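Two mechanics explain both why hijacks work and how networks defend against them: routers forward on the longest matching prefix, so a bogus more-specific announcement beats the legitimate route, and Route Origin Validation (ROV, RFC 6811) lets a router check an announcement's origin AS against published Route Origin Authorizations (ROAs) and drop the ones marked invalid. The Go program below is an added example for this article, not code from ENISA or any router vendor; it implements origin validation and a longest-prefix route selection over a constructed scenario with documentation address ranges and private-use AS numbers.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is a Route Origin Authorization: the holder of Prefix authorises
// OriginAS to announce it and any more-specific down to MaxLength bits.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	OriginAS  uint32
}

// Announcement is one BGP route as a router sees it: a prefix and the AS
// that claims to originate it.
type Announcement struct {
	Prefix   netip.Prefix
	OriginAS uint32
}

type Validity int

const (
	NotFound Validity = iota // no ROA covers the prefix (still common today)
	Valid                    // a covering ROA authorises this origin and length
	Invalid                  // covering ROAs exist but none matches: hijack or misconfiguration
)

func (v Validity) String() string {
	return [...]string{"not-found", "valid", "invalid"}[v]
}

// covers reports whether roa's prefix contains the whole announced prefix.
func covers(roa, ann netip.Prefix) bool {
	return roa.Bits() <= ann.Bits() && roa.Contains(ann.Addr())
}

// Validate performs route origin validation as specified in RFC 6811.
func Validate(a Announcement, roas []ROA) Validity {
	covered := false
	for _, r := range roas {
		if !covers(r.Prefix, a.Prefix) {
			continue
		}
		covered = true
		if r.OriginAS == a.OriginAS && a.Prefix.Bits() <= r.MaxLength {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// BestRoute picks the route for dst by longest-prefix match, which is why a
// more-specific hijack wins: a bogus /25 beats the legitimate /24. With
// dropInvalid set (the usual ROV policy) Invalid routes are never considered.
func BestRoute(dst netip.Addr, routes []Announcement, roas []ROA, dropInvalid bool) (Announcement, bool) {
	var best Announcement
	found := false
	for _, r := range routes {
		if !r.Prefix.Contains(dst) {
			continue
		}
		if dropInvalid && Validate(r, roas) == Invalid {
			continue
		}
		if !found || r.Prefix.Bits() > best.Prefix.Bits() {
			best, found = r, true
		}
	}
	return best, found
}

// Constructed scenario: AS64500 holds 203.0.113.0/24 and has published a ROA
// for it with maxLength 24; AS64511 announces a more-specific /25 it does not own.
var (
	SampleROAs   = []ROA{{netip.MustParsePrefix("203.0.113.0/24"), 24, 64500}}
	Legit        = Announcement{netip.MustParsePrefix("203.0.113.0/24"), 64500}
	Hijack       = Announcement{netip.MustParsePrefix("203.0.113.0/25"), 64511}
	SampleRoutes = []Announcement{Legit, Hijack}
)

func main() {
	dst := netip.MustParseAddr("203.0.113.10")
	for _, r := range SampleRoutes {
		fmt.Printf("%v from AS%d: %s\n", r.Prefix, r.OriginAS, Validate(r, SampleROAs))
	}
	r, _ := BestRoute(dst, SampleRoutes, SampleROAs, false)
	fmt.Printf("without ROV, traffic for %v goes to AS%d\n", dst, r.OriginAS)
	r, _ = BestRoute(dst, SampleRoutes, SampleROAs, true)
	fmt.Printf("with ROV, traffic for %v goes to AS%d\n", dst, r.OriginAS)
}
```

Note the maxLength field: a ROA for the /24 with maxLength 24 also marks a /25 announced by the legitimate AS as invalid, which is deliberate, since a loose maxLength would let anyone who can forge the origin AS win with a more-specific. ROV only protects prefixes that have ROAs and only on networks that drop invalids, which is why hijacks still propagate.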

In February 2022, attackers used BGP hijacking to steal nearly two million dollars from the South Korean cryptocurrency platform KLAYswap. They targeted the server infrastructure of one of its providers, Kakao, by falsely announcing the prefix behind one of its websites. During the roughly two-hour hijack, requests for a JavaScript SDK file hosted there were answered with a malicious copy. When the injected code detected a transaction on the platform, it diverted the funds to the attackers' wallet.

In March 2022, a prefix belonging to Twitter was briefly hijacked by a Russian ISP, in what was believed to be the result of a misconfiguration.

About this article
This article was written based on the ENISA’s Threat Landscape Report 2022. To read the full version of the report click here.
