Geo-political tensions between Russia and Ukraine continue to rise as Russian battalions and tanks gather near the Ukrainian border, portending an incursion. With all eyes on eastern Europe, the cyber security realm also stirs and prepares for cyberattacks originating from this tumultuous region. As a network operator or security practitioner, you need to decide what to do about this - right now.
Russia has used cyber attacks, an emerging 4th dimension of warfare, in advance of more traditional (land, sea, and air) doctrines in previous invasions of Georgia and Crimea. Some news outlets speculate that if Russia invades Ukraine, Putin could deploy a coordinated cyber attack on US and European banks to inflict economic chaos worldwide.
Recently, the US sent its top cybersecurity official, Anne Neuberger, to NATO to help European allies prepare for potentially massive Russian cyberattacks. The European Central Bank is preparing lenders for possible Russian cyberattacks, advising them to strengthen security measures and preparedness.
The need to prepare and enforce your own posture on Russian and Crimean IP addresses has become critical.
ThreatSTOP has a simple, effective solution to block network communication with Crimea. But we discovered it wasn't really simple at all to block this new addition to the ITAR sanction list, while allowing communication with the rest of Ukraine.
Geo-blocking isn't rocket-science, until it is (or has to be). Looking for a list of IP addresses that represent a country? You're in luck, there are products available from a handful of vendors. If you want to automatically block IPs for whole countries, ThreatSTOP's geo targets (such as Russia, China and North Korea) will do the trick. But what about IPs for an area within a country? And what if the area was annexed by Russia? The question of whether an IP address is in Russia, Crimea, or Ukraine is a tricky one.
Pick any three of the geo-location vendors and you’ll get three different answers. For a given IP address in Crimea (we tested) one vendor will say “Yalta, Crimea”, one will say “Sadovoye, Respublika Adygeya” (somewhere fairly nearby in Russia) and one will say “Ukraine” and point you to Kiev. Take a different IP address and similar things will happen, only now the answers will change to “Moscow, Russia”, "Makaylolaiv, Ukraine" and the third will come back as “Simferopol, Crimea” etc. Every vendor has a different answer, and consistency is entirely out the window.
When you really dig down, all the IP geo-location services will tell you the results they give are accurate to within a radius of 100-1000km (depending on location, some will give you a specific accuracy per IP). 1000km from Crimea is useless in terms of accuracy, as it includes seven different countries surrounding the Black Sea and possibly over a dozen more. But even 100km accuracy is poor given that Crimea is a peninsula, with dimensions of 200km N-S and 300km E-W. 1000km accuracy starts to feel like attempting detailed surgery with a logging axe.
So how do you use any of these commercial services to accurately block access to/from Crimea? Well... It turns out you don't. In fact, there’s a pretty simple alternative solution to blocking these potential indicators of compromise. But if you don't run your own anycast infrastructure, have your own ASN, and see the route advertisements change in real-time (like we can), it would still be a challenge.
All internet transit into Crimea is via a specially set-up subsidiary of Rostelecom called "Miranda Media" that controls the fiber link across the Kerch Strait. Thus any IP address in Crimea will be advertised to the rest of the world via that ASN (AS 201776). This is of course a dynamic and changing list, and a couple of ISPs are just on the other side of the strait, but ThreatSTOP updates our threat intelligence and data sources continuously, taking the effort and risk out of it for customers. Our extensive protection platform offers various ways to block Crimea IPs for every organization's needs:
Using the AWS WAF and want to block ITAR (including Crimea)? Use our AWS WAF Managed Rules
Want to block DNS traffic to Crimea, sanctioned countries, and other threats? Check out DNS Defense
Want to prevent inbound attacks and machine-to-machine communications? IP Defense makes it easy
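To make the routing-based approach above concrete, here is an added example (not ThreatSTOP's code) that derives a Crimea blocklist from route-collector observations by keeping only prefixes whose every observed AS path traverses AS201776. The prefixes and the other ASNs are constructed placeholders, and the "exclude prefixes that have a path avoiding AS201776" rule is an assumption meant to reduce collateral blocking of the ISPs on the mainland side of the strait.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of route-collector observations in a simplified
# "prefix|AS path" form, one line per observed path. Only 201776 is a
# real ASN (Miranda Media, as named in the post); everything else is
# a made-up placeholder.
SAMPLE_RIB = """\
203.0.113.0/24|64496 64500 201776 64510
203.0.113.0/24|64497 64500 201776 64510
198.51.100.0/24|64496 64501 201776
198.51.100.0/25|64496 64501 201776
192.0.2.0/24|64496 64502 64511
192.0.2.0/24|64497 201776 64511
"""

TRANSIT_ASN = 201776  # the Kerch Strait transit ASN from the post


def parse_rib(text):
    """Map each prefix to the list of AS paths observed for it."""
    paths = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, path = line.split("|", 1)
        paths[ipaddress.ip_network(prefix.strip())].append(
            [int(asn) for asn in path.split()])
    return paths


def crimea_prefixes(paths, transit=TRANSIT_ASN):
    """Return prefixes reachable ONLY through the transit ASN.

    Assumption (a heuristic, not from the post): a prefix that is also
    reachable by a path avoiding the transit ASN is likely on the mainland
    side of the strait, so it is excluded. Covering and more-specific
    prefixes are collapsed into a single entry per address family.
    """
    selected = [p for p, ps in paths.items()
                if all(transit in path for path in ps)]
    result = []
    for version in (4, 6):
        same = [p for p in selected if p.version == version]
        result.extend(sorted(ipaddress.collapse_addresses(same)))
    return result


if __name__ == "__main__":
    for net in crimea_prefixes(parse_rib(SAMPLE_RIB)):
        print(net)
```

On the sample data, 192.0.2.0/24 is dropped because one of its paths never touches AS201776, and the /24 and /25 from 198.51.100.0 collapse into one blocklist entry.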
Want to know more about the contents of our ITAR and OFAC rules?
ThreatSTOP maintains a webpage that lists the various countries, geographic areas, and entities that are blocked when using our ITAR and OFAC protections. You can find that webpage here: https://info.threatstop.com/itar-ofac-contents
Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate communication with sanctioned countries and entities on your physical or cloud network?