2022 Ukraine cyberattacks

Last updated

Ukrainian Ministry of Foreign Affairs website defaced by hackers HackedForeignMinistry.PNG
Ukrainian Ministry of Foreign Affairs website defaced by hackers

During the prelude to the 2022 Russian invasion of Ukraine and the 2022 Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. [1] According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. [2] On 15 February, another cyberattack took down multiple government and bank services. [3] [4]


On 24 February, Russia launched a full-scale invasion of Ukraine. Western intelligence officials believed that this would be accompanied by a major cyberattack against Ukrainian infrastructure, but this threat did not materialize. [5] Cyberattacks on Ukraine have continued during the invasion, but with limited success. Independent hacker groups, such as Anonymous, have launched cyberattacks on Russia in retaliation for the invasion. [5] [6]

The Canadian government in an undated white paper published after 22 June 2022 believed "that the scope and severity of cyber operations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources." [7]


At the time of the attack, tensions between Russia and Ukraine were high, with over 100,000 Russian troops stationed near the border with Ukraine and talks between Russia and NATO ongoing. [1] The US government alleged that Russia was preparing for an invasion of Ukraine, including "sabotage activities and information operations". The US also allegedly found evidence of "a false-flag operation" in Eastern Ukraine, which could be used as a pretext for invasion. [2] Russia denies the accusations of an impending invasion, but has threatened "military-technical action" if its demands are not met, especially a request that NATO never admit Ukraine to the alliance. Russia has spoken strongly against the expansion of NATO to its borders. [2]

January attacks

The attacks on 14 January 2022 consisted of the hackers replacing the websites with text in Ukrainian, erroneous Polish, and Russian, which state "be afraid and wait for the worst" and allege that personal information has been leaked to the internet. [8] About 70 government websites were affected, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council. [9] The SBU has stated that no data was leaked. Soon after the message appeared, the sites were taken offline. The sites were mostly restored within a few hours. [1] Deputy secretary of the NSDC Serhiy Demedyuk, stated that the Ukrainian investigation of the attack suspects that a third-party company's administration rights were used to carry out the attack. The unnamed company's software had been used since 2016 to develop government sites, most of which were affected in the attack. [9] Demedyuk also blamed UNC1151, a hacker group allegedly linked to Belarusian intelligence, for the attack. [10]

A separate destructive malware attack took place around the same time, first appearing on 13 January. First detected by the Microsoft Threat Intelligence Center (MSTIC), malware was installed on devices belonging to "multiple government, non-profit, and information technology organizations" in Ukraine. [11] Later, this was reported to include the State Emergency Service and the Motor Transport Insurance Bureau. [12] The software, designated DEV-0586 or WhisperGate, was designed to look like ransomware, but lacks a recovery feature, indicating an intent to simply destroy files instead of encrypting them for ransom. [11] The MSTIC reported that the malware was programmed to execute when the targeted device was powered down. The malware would overwrite the master boot record (MBR) with a generic ransom note. Next, the malware downloads a second .exe file, which would overwrite all files with certain extensions from a predetermined list, deleting all data contained in the targeted files. The ransomware payload differs from a standard ransomware attack in several ways, indicating a solely destructive intent. [13] However, later assessments indicate that damage was limited, likely a deliberate choice by the attackers. [12]

On 19 January, the Russian advanced persistent threat (APT) Gamaredon (also known as Primitive Bear) attempted to compromise a Western government entity in Ukraine. [14] Cyber espionage appears to be the main goal of the group, [14] which has been active since 2013; unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially Ukrainian organizations [15] ) and appears to provide services for other APTs. [16] For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted. [15]

Reactions to January attack


Russia denied allegations by Ukraine that it was linked to the cyberattacks. [17]


Ukrainian government institutions, such as the Center for Strategic Communications and Information Security and the Ministry of Foreign Affairs, suggested that the Russian Federation was the perpetrator of the attack, noting that this would not be the first time that Russia attacked Ukraine. [8] [18]

International organizations

European Union High Representative Josep Borrell said of the source of the attack: “One can very well imagine with a certain probability or with a margin of error, where it can come from.” [19] The Secretary General of NATO Jens Stoltenberg announced that the organization would increase its coordination with Ukraine on cyberdefense in the face of potential additional cyberattacks. NATO later announced that it would sign an agreement granting Ukraine access to its malware information sharing platform. [2] [8]

February attacks

DDoS attack

On 15 February, a large DDoS attack brought down the websites of the defense ministry, army, and Ukraine's two largest banks, PrivatBank and Oschadbank. [3] [20] [4] Cybersecurity monitor NetBlocks reported that the attack intensified over the course of the day, also affecting the mobile apps and ATMs of the banks. [3] TheNew York Times described it as "the largest assault of its kind in the country's history". Ukrainian government officials stated that the attack was likely carried out by a foreign government, and suggested that Russia was behind it. [21] Although there were fears that the denial-of-service attack could be cover for more serious attacks, a Ukrainian official said that no such attack had been discovered. [12]

According to UK government [22] and National Security Council of the US, the attack was performed by Russian Main Intelligence Directorate (GRU). American cybersecurity official Anne Neuberger stated that known GRU infrastructure has been noted transmitting high volumes of communications to Ukraine-based IP addresses and domains. [23] Kremlin spokesperson Dmitry Peskov denied that the attack originated from Russia. [24]

On 23 February, a third DDoS attack took down multiple Ukrainian government, military, and bank websites. Although military and banking websites were described as having “a more rapid recovery”, the SBU website was offline for an extended period. [25]

Wiper malware attack

Just before 5 pm on 23 February, data wiper malware was detected on hundreds of computers belonging to multiple Ukrainian organizations, including in the financial, defense, aviation, and IT services sectors. ESET Research dubbed the malware HermeticWiper, named for its genuine code signing certificate from Cyprus-based company Hermetica Digital Ltd. The wiper was reportedly compiled on 28 December 2021, while Symantec reported malicious activity as early as November 2021, implying that the attack was planned months ahead of time. Symantec also reported wiper attacks against devices in Lithuania, and that some organizations were compromised months before the wiper attack. Similar to the January WhisperGate attack, ransomware is often deployed simultaneously with the wiper as a decoy, and the wiper damages the master boot record of the device. [26] [27]

A day prior to the attack, the EU had deployed a cyber rapid-response team consisting of about ten cybersecurity experts from Lithuania, Croatia, Poland, Estonia, Romania, and the Netherlands. It is unknown if this team helped mitigate the effects of the cyberattack. [28]

The attack coincided with the Russian recognition of separatist regions in eastern Ukraine and the authorization of Russian troop deployments there. The US and UK blamed the attack on Russia. Russia denied the accusations and called them “Russophobic”. [25]

Viasat hack

The Viasat hack, which occurred between 5am and 9am EEST on 24 February, [29] might have been intended to disrupt Ukrainian military networks, which used Viasat’s network to provide them communications services. [30] [31] The attack might have intended to hit "aspects of military command and control in Ukraine". [32] [33] The attack "rendered inoperable thousands of Viasat KA-SAT satellite broadband modems in Ukraine, including those used by military and other governmental agencies, causing major loss in internet communication." [34] [30] [35] [36]

In a jointly-timed communication on 10 May 2022, many western governments adduced evidence that Russia was responsible for the attack because of their invasion. [37] [38] [39] [40] [41]

Initial Ukrainian response

On February 26, the Minister of Digital Transformation of Ukraine Mykhailo Fedorov announced the creation of an IT army, which will include cyber specialists, copywriters, designers, marketers and targetologists. As a result, numerous Russian government websites and banks were attacked. [42] Dozens of issues of Russian stars and officials have been made public, and Ukrainian songs have been broadcast on some television channels, including "Prayer for Ukraine". [43] [44]

March attacks

Ratio of DNS queries defensively blocked by Quad9 in Ukraine and Poland, 7-9 March 2022. Quad9 Ukraine cyber-attack ratios, March 2022.png
Ratio of DNS queries defensively blocked by Quad9 in Ukraine and Poland, 7–9 March 2022.

Beginning on 6 March, Russia began to significantly increase the frequency of its cyber-attacks against Ukrainian civilians. [45]

On 9 March alone, the Quad9 malware-blocking recursive resolver intercepted and mitigated 4.6 million attacks against computers and phones in Ukraine and Poland, at a rate more than ten times higher than the European average. Cybersecurity expert Bill Woodcock of Packet Clearing House noted that the blocked DNS queries coming from Ukraine clearly show an increase in phishing and malware attacks against Ukrainians, and noted that the Polish numbers were also higher than usual because 70%, or 1.4 million, of the Ukrainian refugees were in Poland at the time. [46] Explaining the nature of the attack, Woodcock said "Ukrainians are being targeted by a huge amount of phishing, and a lot of the malware that is getting onto their machines is trying to contact malicious command-and-control infrastructure." [45]

On March 28, RTComm.ru, a Russian Internet service provider, BGP hijacked Twitter's IPv4 address block for a period of two hours fifteen minutes. [47] [48]

See also

Related Research Articles

A blended threat is a software exploit that involves a combination of attacks against different vulnerabilities. Blended threats can be any software that exploits techniques to attack and propagate threats, for example worms, trojan horses, and computer viruses.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

<span class="mw-page-title-main">Wiper (malware)</span> Malware designed to erase files on the host computer

In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

<span class="mw-page-title-main">Cyberattack</span> Attack on a computer system

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).

Cyberwarfare is a part of Iran's "soft war" military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and Zinc.

CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been involved in investigations of several high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2015–16 cyber attacks on the Democratic National Committee (DNC), and the 2016 email leak involving the DNC.

<i>Petya</i> and <i>NotPetya</i> Family of encrypting ransomware discovered in 2016

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

<span class="mw-page-title-main">2017 Ukraine ransomware attacks</span> Series of powerful cyberattacks using the Petya malware

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

<span class="mw-page-title-main">Russian–Ukrainian cyberwarfare</span> Informatic component of the confrontation between Russia and Ukraine

Cyberwarfare is a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. While the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013, Russian cyberweapon Uroburos had been around since 2005. Russian cyberwarfare continued with the 2015 Ukraine power grid hack at Christmas 2015 and again in 2016, paralysis of the State Treasury of Ukraine in December 2016, a Mass hacker supply-chain attack in June 2017 and attacks on Ukrainian government websites in January 2022.

Sandworm is an Advanced Persistent Threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, and Iron Viking.

The IT Army of Ukraine is a volunteer cyberwarfare organisation created at the end of February 2022 to fight against digital intrusion of Ukrainian information and cyberspace after the beginning of the Russian invasion of Ukraine on February 24, 2022. The group also conducts offensive cyberwarfare operations, and Chief of Head of State Special Communications Service of Ukraine Victor Zhora said its enlisted hackers would only attack military targets.

Cyclops Blink is malware that targets routers and firewall devices from WatchGuard and ASUS and adds them to a botnet for command and control (C&C).

The Viasat hack was a cyberattack on American communications company Viasat affecting their KA-SAT network.


  1. 1 2 3 "Ukraine cyber-attack: Government and embassy websites targeted". BBC News. 2022-01-14. Archived from the original on 2022-01-15. Retrieved 2022-01-14.
  2. 1 2 3 4 Polityuk, Pavel; Balmforth, Tom (2022-01-14). "'Be afraid': Ukraine hit by cyberattack as Russia moves more troops". Reuters. Archived from the original on 2022-01-14. Retrieved 2022-01-14.
  3. 1 2 3 "Ukraine banking and defense platforms knocked out amid heightened tensions with Russia". NetBlocks . 2022-02-15. Archived from the original on 2022-02-24.
  4. 1 2 "Ukraine's defence ministry and two banks targeted in cyberattack". euronews. 2022-02-15. Archived from the original on 2022-02-23.
  5. 1 2 "Ukraine war: Don't underestimate Russia cyber-threat, warns US". BBC News. 2022-05-11. Retrieved 2022-05-12.
  6. "Anonymous: How hackers are trying to undermine Putin". BBC News. 2022-03-20. Retrieved 2022-05-12.
  7. "Cyber Threat Activity Related to the Russian Invasion of Ukraine" (PDF). Communications Security Establishment. Retrieved 2023-05-03.
  8. 1 2 3 Kramer, Andrew E. (2022-01-14). "Hackers Bring Down Government Sites in Ukraine". The New York Times. ISSN   0362-4331. Archived from the original on 2022-01-15. Retrieved 2022-01-14.
  9. 1 2 Polityuk, Pavel (2022-01-14). "EXCLUSIVE Hackers likely used software administration rights of third party to hit Ukrainian sites, Kyiv says". Reuters. Archived from the original on 2022-02-21. Retrieved 2022-01-16.
  10. Polityuk, Pavel (2022-01-16). "EXCLUSIVE Ukraine suspects group linked to Belarus intelligence over cyberattack". Reuters. Archived from the original on 2022-02-18. Retrieved 2022-01-16.
  11. 1 2 "Destructive malware targeting Ukrainian organizations". Microsoft Security Blog. 2022-01-16. Archived from the original on 2022-02-24. Retrieved 2022-01-17.
  12. 1 2 3 "Cyberattacks knock out sites of Ukrainian army, major banks". AP NEWS. 2022-02-15. Archived from the original on 2022-02-24. Retrieved 2022-02-17.
  13. Sanger, David E. (2022-01-16). "Microsoft Warns of Destructive Cyberattack on Ukrainian Computer Networks". The New York Times. ISSN   0362-4331. Archived from the original on 2022-02-23. Retrieved 2022-01-20.
  14. 1 2 Kyle Alspach (2022-02-04). "Microsoft discloses new details on Russian hacker group Gamaredon". VentureBeat . Retrieved 2022-03-22.
  15. 1 2 Charlie Osborne (2022-03-21). "Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers". ZDNet . Retrieved 2022-03-22.
  16. Warren Mercer; Vitor Ventura (2021-02-23). "Gamaredon - When nation states don't pay all the bills". Cisco. Retrieved 2022-03-22.
  17. McMillan, Robert; Volz, Dustin (2022-01-20). "Ukraine Hacks Signal Broad Risks of Cyberwar Even as Limited Scope Confounds Experts". Wall Street Journal. ISSN   0099-9660. Archived from the original on 2022-02-24. Retrieved 2022-01-26.
  18. "News Ukraine government websites hacked in 'global attack'". Deutsche Welle. Archived from the original on 2022-01-14. Retrieved 2022-01-14.
  19. Brzozowski, Alexandra; Pollet, Mathieu (2022-01-14). "EU pledges cyber support to Ukraine, pins hopes on Normandy format". www.euractiv.com. Archived from the original on 2022-02-01. Retrieved 2022-01-31.
  20. Zilbermints, Regina (2022-02-15). "Ukraine Defense Ministry, banks hit by cyberattack amid tensions with Russia". TheHill. Archived from the original on 2022-02-24.
  21. Hopkins, Valerie (2022-02-15). "A hack of the Defense Ministry, army and state banks was the largest of its kind in Ukraine's history". The New York Times. ISSN   0362-4331. Archived from the original on 2022-02-17. Retrieved 2022-02-17.
  22. "Government response: UK assess Russian involvement in cyber attacks on Ukraine". UK government. 2022-02-18. Archived from the original on 2022-02-25. Retrieved 2022-02-25.
  23. "Biden says he's now convinced Putin has decided to invade Ukraine, but leaves door open for diplomacy". CNN. 2022-02-19. Archived from the original on 2022-02-19.
  24. "Нова кібератака на банки була "найбільшою в історії України" й досі триває". BBC. 2022-02-16. Archived from the original on 2022-02-24. Retrieved 2022-02-25.
  25. 1 2 "Cyber-attacks bring down many Ukraine websites". BBC News. 2022-02-23. Archived from the original on 2022-02-24. Retrieved 2022-02-24.
  26. "HermeticWiper: New data‑wiping malware hits Ukraine". WeLiveSecurity. 2022-02-24. Archived from the original on 2022-02-25. Retrieved 2022-02-24.
  27. "Ukraine: Disk-wiping Attacks Precede Russian Invasion". symantec-enterprise-blogs.security.com. Archived from the original on 2022-02-25. Retrieved 2022-02-24.
  28. "Ukraine: EU deploys cyber rapid-response team". BBC News. 2022-02-22. Archived from the original on 2022-02-24. Retrieved 2022-02-24.
  29. Raphael Satter, Satellite outage caused 'huge loss in communications' at war's outset -Ukrainian official, Reuters (15 March 2022)
  30. 1 2 Ellen Nakashima, Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say, The Washington Post (28 March 2022)
  31. James Pearson, Raphael Satter, Christopher Bing and Joel Schectman, Exclusive: U.S. spy agency probes sabotage of satellite internet during Russian invasion, sources say, Reuters (12 March 2022)
  32. David Jones, Viasat network cyberattack linked to newly discovered Russian wiper, Cybersecurity Dive (1 April 2022)
  33. Gordon Corera, Russia hacked Ukrainian satellite communications, officials believe, BBC (25 March 2022)
  34. Juan Andres Guerrero-Saade and Max van Amerongen, AcidRain | A Modem Wiper Rains Down on Europe, Sentinel Labs (31 March 2022)
  35. Frank Bajak, Satellite modems nexus of worst cyberattack of Ukraine war, ABC News (31 March 2022)
  36. BURGESS, MATT (2022-03-23). "A Mysterious Satellite Hack Has Victims Far Beyond Ukraine". Condé Nast. Wired.
  37. U.S. DEPARTMENT OF STATE, Antony J. Blinken: "Attribution of Russia’s Malicious Cyber Activity Against Ukraine", US Department of State (10 May 2022)
  38. Foreign, Commonwealth & Development Office: "UK, EU, US and allies have announced that Russia is responsible for a series of cyber-attacks since the renewed invasion of Ukraine." (10 May 2022)
  39. Council of the EU, "Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union" (10 May 2022)
  40. VICENS, AJ (2022-05-10). "UK, EU, US formally blame Russia for Viasat satellite hack before Ukraine invasion". CyberScoop.
  41. Manson, Katrina (2023-03-01). "The Satellite Hack Everyone Is Finally Talking About". Bloomberg L.P.
  42. Павлюк, Олег (2022-02-26). "Україна створює ІТ-армію — Федоров". Суспільне | Новини (in Ukrainian). Archived from the original on 2022-02-28. Retrieved 2022-02-28.
  43. Павлюк, Олег (2022-02-26). "Хакери атакували російські сайти і, ймовірно, зламали російські телеканали". Суспільне | Новини (in Ukrainian). Archived from the original on 2022-02-26. Retrieved 2022-02-28.
  44. "На каналах Росії українська музика: хакери зламали телебачення ворогів. Еспресо.Захід". zahid.espreso.tv (in Ukrainian). Archived from the original on 2022-02-28. Retrieved 2022-02-28.
  45. 1 2 Krebs, Brian. "Recent 10x Increase in Cyberattacks on Ukraine". Krebs on Security. Retrieved 2022-03-11. While our overall traffic dropped in Kyiv — and slightly increased in Warsaw due to infrastructure outages inside of Ukraine — the ratio of "good queries" to "blocked queries" has spiked in both cities. The spike in the blocking ratio Wednesday (March 9, 2022) afternoon in Kyiv was around 10x the normal level compared with other cities in Europe. This order-of-magnitude jump is unprecedented.
  46. "Ukraine Refugee Situation". UNHCR.
  47. Ullrich, Johannes. "BGP Hijacking of Twitter Prefix by RTComm.ru". ISC InfoSec. SANS. Retrieved 2022-03-28.
  48. "Possible BGP Hijack". BGPStream. Archived from the original on 2022-03-28. Retrieved 2022-03-28.