Full Report
Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of proxy and anonymity services nested at some of America's largest Internet service providers (ISPs).
Analysis Summary
# Incident Report: Sale and Misuse of Ukrainian IPv4 Address Space Post-Invasion
## Executive Summary
Since February 2022, nearly one-fifth of Ukraine's Internet Protocol version 4 (IPv4) address space has come under the control of Russian-aligned entities or has been sold to shadowy proxy and anonymity services. This occurred as Ukrainian Internet Service Providers (ISPs), struggling financially due to the Russian invasion, sold off valuable IP address blocks to maintain operations. Consequently, much of this address space is now being routed through major US-based ISPs and heavily utilized by proxy services often abused for cybercrime, including attacks against Ukraine itself.
## Incident Details
- **Discovery Date:** Post-February 2022 (ongoing analysis; Kentik report published recently)
- **Incident Date:** Beginning post-February 2022
- **Affected Organization:** Multiple Ukrainian Internet Service Providers (e.g., Ukrtelecom, LVS, TVCOM, Trinity)
- **Sector:** Telecommunications / Internet Service Provision
- **Geography:** Ukraine, with addresses now routed through the USA (Amazon, AT&T, Cogent, Microsoft) and globally.
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning February 2022, immediately following the full-scale invasion.
- **Vector:** Economic hardship forcing Ukrainian ISPs to sell essential assets.
- **Details:** ISPs like Ukrtelecom and LVS were forced to sell large blocks of their IPv4 address space to "secure financial stability and continue delivering essential services."
### Lateral Movement
- **Date/Time:** Post-sale/leasing period (2022–Present).
- **Vector:** Address space re-allocation and routing announcements.
- **Details:** Former Ukrainian IP ranges were scattered globally, with significant portions being announced (routed) by major US networks, including Amazon (AS16509), AT&T (AS7018), and Cogent (AS174).
### Data Exfiltration/Impact
- **Date/Time:** Ongoing.
- **Vector:** Abuse of leased/sold IP space by proxy services.
- **Details:** The re-routed IP space is now heavily used by commercial proxy and VPN services, which are frequently abused by cybercriminals to mask malicious traffic, including in cyberattacks against Ukraine. Stark Industries Solutions Inc., sanctioned for DDoS/spear-phishing, sourced some of its address space from impacted Ukrainian ISPs.
### Detection & Response
- **Date/Time:** Post-hoc analysis by Kentik researchers (Doug Madory), supported by Spur/spur.us analysis.
- **Response actions taken:** AT&T announced a policy change in February 2025, notifying certain customers that they must transition to routing using their own Autonomous System Number (ASN) by September 1, 2025. Other networks (like Cogent) remain potential targets for such routing practices due to ease of setup.
## Attack Methodology
- **Initial Access:** N/A (This is an economic/infrastructure vulnerability exploitation, not a traditional cyber intrusion).
- **Persistence:** N/A (The persistence is maintained through the routing of the acquired/leased IP blocks by third-party intermediaries like proxy networks).
- **Privilege Escalation:** N/A
- **Defense Evasion:** The use of anonymizing proxy networks mapped to former Ukrainian IPs makes tracing malicious traffic significantly more difficult, since the traffic appears to originate from a legitimate (but foreign) IP range.
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A (Movement is infrastructural: the address blocks changed originating network via BGP announcements).
- **Collection:** Proxy services facilitate collection indirectly by masking the origin of cyber espionage or data theft operations.
- **Exfiltration:** Malicious traffic originating from these re-allocated IP blocks is used to conduct cyberattacks against Ukraine and others.
- **Impact:** Facilitation of cyberattacks and loss of national digital infrastructure neutrality.
## Impact Assessment
- **Financial:** Ukrainian ISPs sold or leased assets to secure short-term financial stability. Significant unquantified cost associated with mitigating cyberattacks originating from their former IP space.
- **Data Breach:** Not explicitly detailed, but the underlying proxy misuse enables various cybercriminal activities, including potential data theft.
- **Operational:** Loss of control over significant IPv4 address blocks (nearly one-fifth of the nation's Internet space) hampers national digital sovereignty.
- **Reputational:** The associated proxy services are widely abused for cybercrime, potentially linking the former addresses to malicious activity.
## Indicators of Compromise
*Note: Since this involves BGP routing changes rather than direct malware infection, traditional IOCs are limited.*
- **Network indicators:**
  - BGP announcements of prefixes formerly held by Ukrainian ISPs now originated by AS16509 (Amazon), AS7018 (AT&T), or AS174 (Cogent).
  - High volume of outbound traffic from certain US ASNs originating from IP blocks previously associated with Ukrtelecom, LVS, TVCOM, or Trinity.
  - Analysis linking IP ranges to commercial proxy services (e.g., IPRoyal).
- **File indicators:** None identified in the context.
- **Behavioral indicators:** High volume of traffic originating from former Ukrainian address space being used for proxy or anonymity services globally.
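The network indicators above amount to one check: a prefix (or a more-specific carved out of it) that the registry history attributes to a Ukrainian holder is now originated by a different ASN. The following script is an added example of that check, not code from the report or from Kentik or Spur. All prefixes (TEST-NET ranges), holder names and the private-use ASNs 64500-64502 are constructed; the only real identifiers are the Amazon, AT&T and Cogent ASNs the report names. It also computes the share of historical address space that has moved, which is how a figure like "nearly one-fifth" is reached, collapsing overlapping announcements so no address is counted twice.

```python
"""Detect address blocks whose BGP origin no longer matches the holder of record.

Added example, not code from the report or from Kentik/Spur. All prefixes,
holder names and private-use ASNs (64500-64502) are constructed; the only
real identifiers are the Amazon, AT&T and Cogent ASNs named in the report.
"""
import ipaddress
from dataclasses import dataclass

# Historical allocations (constructed): prefix -> (holder, ASN it was
# originally announced from). TEST-NET ranges stand in for real blocks.
HISTORICAL_ALLOCATIONS = {
    "192.0.2.0/24": ("EXAMPLE-UA-ISP-1", 64500),
    "198.51.100.0/24": ("EXAMPLE-UA-ISP-2", 64501),
    "203.0.113.0/24": ("EXAMPLE-UA-ISP-3", 64502),
}

# Transit/cloud networks the report names as now originating former
# Ukrainian space. Any unexpected origin produces a finding; these
# just get labelled by name.
WATCHED_ORIGINS = {16509: "Amazon", 7018: "AT&T", 174: "Cogent"}

# Current routing observations (constructed), as they might come out of a
# route-collector dump: (announced prefix, origin ASN).
OBSERVED_ROUTES = [
    ("192.0.2.0/25", 16509),    # more-specific carved out, now from Amazon
    ("192.0.2.128/25", 64500),  # other half still with the original holder
    ("198.51.100.0/24", 174),   # whole block now originated by Cogent
    ("203.0.113.0/24", 64502),  # unchanged
    ("10.0.0.0/8", 7018),       # not in the allocation table; ignored
]


@dataclass(frozen=True)
class Finding:
    prefix: str
    holder: str
    original_asn: int
    current_asn: int
    current_name: str


def find_relocated_prefixes(historical, observed, watched):
    """Return a Finding for each observed route that lies inside a historical
    allocation but is originated by an ASN other than the holder's.

    More-specifics are matched by subnet containment, so a /25 split out of
    a historical /24 is still attributed to that holder."""
    allocations = [
        (ipaddress.ip_network(p), holder, asn)
        for p, (holder, asn) in historical.items()
    ]
    findings = []
    for prefix, origin in observed:
        net = ipaddress.ip_network(prefix)
        for alloc_net, holder, orig_asn in allocations:
            # subnet_of raises on mixed IPv4/IPv6, so guard the version first
            if net.version == alloc_net.version and net.subnet_of(alloc_net):
                if origin != orig_asn:
                    findings.append(Finding(prefix, holder, orig_asn, origin,
                                            watched.get(origin, "other")))
                break
    return findings


def relocated_fraction(historical, findings):
    """Share of historically held addresses now originated elsewhere.

    Overlapping findings (a /24 and a /25 inside it) are collapsed first so
    no address is counted twice."""
    total = sum(ipaddress.ip_network(p).num_addresses for p in historical)
    moved_nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(f.prefix) for f in findings
    )
    moved = sum(n.num_addresses for n in moved_nets)
    return moved / total if total else 0.0


if __name__ == "__main__":
    found = find_relocated_prefixes(HISTORICAL_ALLOCATIONS, OBSERVED_ROUTES,
                                    WATCHED_ORIGINS)
    for f in found:
        print(f"{f.prefix}: {f.holder} (AS{f.original_asn}) -> "
              f"AS{f.current_asn} ({f.current_name})")
    print(f"relocated share: "
          f"{relocated_fraction(HISTORICAL_ALLOCATIONS, found):.0%}")
```

In practice the historical table would come from archived registry (RIR) data and the observations from a route-collector snapshot; the containment match matters because brokered space is typically announced as more-specifics rather than as the original allocation.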
## Response Actions
- **Containment measures:** Limited direct containment by Ukrainian entities due to the sale/lease agreements.
- **Eradication steps:** N/A
- **Recovery actions:** AT&T is requiring customers using external IP space to originate their routes from their own ASNs by Sept 1, 2025, which may eliminate those specific proxy routes from AS7018.
## Lessons Learned
- **Key takeaways:** The critical value of IPv4 address space makes it a vulnerable asset during severe economic and geopolitical distress. Selling or leasing essential network infrastructure assets can lead to unintended long-term security liabilities when those assets are routed through third-party networks utilized by criminal actors.
- **What could have been done better:** Establishing clearer protocols or international agreements regarding the transfer/leasing of critical national digital infrastructure assets during wartime scenarios to prevent their subsequent weaponization.
## Recommendations
- **Prevention measures for similar incidents:**
  1. **Infrastructure Sovereignty:** Ukrainian and other vulnerable ISPs should prioritize retaining control over essential routing infrastructure, seeking alternative funding mechanisms if necessary.
  2. **ISP Contract Scrutiny:** Future leasing/brokering agreements must include stringent clauses prohibiting the use of the leased space by known anonymous proxy services or for malicious activity.
  3. **Upstream Pressure:** Advocate for Tier-1 providers (like AT&T and Cogent) to implement and enforce stricter "no static route" or "source validation" policies universally to minimize the risk of external abuse within their networks.