
Weaponizing Stolen IPs: Russia’s Digital Exploitation of Ukraine in Cyber Warfare

  • usareisende
  • Dec 4

An IPv4 address is a vital asset for online and network communication. Government entities and other institutions obtain IPv4 addresses to maintain and secure their connectivity. Because of the role these addresses play on the internet, owning them has also become a goal of individuals with nefarious intentions.

 

Such is the case in Ukraine, whose years-long war with Russia has devastated the country on many fronts. While the news often shows the obvious losses, such as nearly daily attacks on large cities and armed conflicts, Ukraine is also dealing with another form of loss online: its IPv4 addresses.

 

Ukraine’s Massive IPv4 Losses

 

According to Kentik, Ukraine’s IPv4 address space has dropped by 18.5 per cent since the 2022 invasion. Various factors have led to this scenario: some ISPs in Ukraine have resorted to selling or leasing their IPv4 blocks to ensure they survive despite the occupation.

 

But aside from the selling and leasing of IPv4 addresses, Ukraine is also losing these resources through illegal means. According to UATV, the occupation has led to the destruction of communication infrastructure and to occupying forces obtaining login credentials in order to take control of IPv4 addresses. These credentials were taken from personnel by force. After taking control, the occupiers then register these IPv4 addresses as their own.

 

Effects of the Illegal Takeover of IPv4 Addresses

 

IPv4 addresses should be used by their rightful owner, who may sell or lease them as they see fit. However, stolen IPv4 addresses could lead to serious consequences. These consequences affect not only Ukraine but also the rest of the world.

 

Masking Cyberattacks - an IPv4 address is an important tool for cyberattacks because it helps attackers conceal their location. An attack may appear to originate from a Ukrainian IP address, but it could have been carried out by a hacker located elsewhere. Because the address is identified with Ukraine, finding the culprit could be challenging.

 

Communication Control - owning a large block of IPv4 addresses means controlling online communication. An occupier could take over ISP facilities and use the stolen IPv4 addresses to establish their own internet services. They could use this line of communication for various purposes, such as propaganda or even spying on the people using their internet.

 

Financial Source - because of the scarcity of IPv4 addresses, stolen IPv4 addresses could also be a source of income. Those who hold them could lease or sell them, even though they are not the rightful owners. Hackers are interested in these resources because they could be used to conceal their location.

 

The Role of RIPE NCC

 

RIPE NCC, the Regional Internet Registry covering Ukraine and Russia, has been criticized for its inaction on the takeover of IPv4 addresses: for allowing IPv4 addresses to be re-registered and for not responding to requests for blocking, despite clear evidence of unlawful takeover.

 

For now, RIPE NCC’s response is “...by freezing the registration (not the use) of the Internet number resources in the RIPE Database. This means that sanctioned entities cannot acquire further resources or transfer resources.” This action occurred after IPv4 and IPv6 addresses were classified as assets and became subject to sanctions under EU regulations.

 

The situation in Ukraine shows that armed conflict is no longer confined to physical weapons. Cyber warfare is a reality, and nations must be fully aware of its implications. Protection of valuable Internet resources, such as IPv4 addresses, should be a priority for a country’s security.

 
 
 
