Full Report
Starting June 9, 2025, Russian internet service providers (ISPs) have begun throttling access to websites and services protected by Cloudflare, an American internet giant. [...]
Analysis Summary
# Incident Report: State-Sponsored Throttling of Cloudflare Services in Russia
## Executive Summary
This incident details a widespread, state-sponsored operational disruption orchestrated by Russian Internet Service Providers (ISPs) against Cloudflare services, resulting in severe website inaccessibility for users within Russia. The disruption was primarily executed through throttling and packet manipulation techniques applied across multiple protocols, degrading both ordinary websites and anti-censorship tools. Cloudflare was forced to advise site operators to lobby local authorities because it could not restore service unilaterally.
## Incident Details
- **Discovery Date:** Not explicitly stated, though the wording implies ongoing monitoring that detected the access degradation; the source article dates the start of the throttling to June 9, 2025.
- **Incident Date:** Disruption was ongoing at the time of the article.
- **Affected Organization:** Cloudflare and its client organizations relying on its services.
- **Sector:** Information Technology / Internet Infrastructure, affecting all sectors utilizing Cloudflare services.
- **Geography:** Russia (targeting users within the country).
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified; ongoing effect.
- **Vector:** State-directed action by Russian authorities, carried out through the country's core internet infrastructure providers.
- **Details:** Russian ISPs (Rostelecom, Megafon, Vimpelcom, MTS, and MGTS) began deploying throttling and blocking mechanisms.
### Lateral Movement
- Not applicable in the traditional sense of an internal network breach. The interference occurs at the ISP/national infrastructure level rather than inside any victim network.
### Data Exfiltration/Impact
- **Impact:** Widespread inaccessibility of websites utilizing Cloudflare services for users within Russia.
- **Details:** The throttling affected all connection methods and protocols, including HTTP/1.1, HTTP/2 (TCP/TLS), and HTTP/3 (QUIC). This technique also degraded anti-censorship tools like Psiphon.
### Detection & Response
- **Detection:** Cloudflare technical analysis revealed abnormal packet manipulation, including packet injection and packet blocking, leading to timeouts.
- **Response actions taken:** Cloudflare confirmed the technical nature of the throttling (basic connectivity was affected, even for connections to external servers) and subsequently urged affected site operators to lobby local Russian entities to lift the restrictions, as Cloudflare could not restore access unilaterally.
## Attack Methodology
- **Initial Access:** State directive/coordination leading to ISP network manipulation.
- **Persistence:** Ongoing throttling mechanisms implemented by ISPs.
- **Privilege Escalation:** Not applicable (State-level infrastructure control).
- **Defense Evasion:** Multi-protocol throttling methods (packet injection and packet blocking) that degrade connectivity rather than outright blocking an external service endpoint.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Denial of Service (performance degradation/timeouts) leading to widespread service unavailability.
## Impact Assessment
- **Financial:** Unspecified, but significant loss of business/traffic for organizations served by Cloudflare within Russia.
- **Data Breach:** None reported; the primary impact was service disruption.
- **Operational:** Substantial disruption to the availability of services relying on Cloudflare for users in Russia.
- **Reputational:** Potential reputational damage to affected websites from the loss of service continuity.
## Indicators of Compromise
- **Network indicators:** Unexpected high packet loss percentages reported by Cloudflare monitoring.
- **File indicators:** None specified.
- **Behavioral indicators:** Widespread timeouts and degradation of web traffic across multiple protocols (TCP, TLS, QUIC) targeting Cloudflare IPs within Russian ISP networks, including evidence of packet injection.
## Response Actions
- **Containment measures:** Cloudflare could not contain the ISP-level throttling.
- **Eradication steps:** None initiated by Cloudflare; dependent on Russian regulatory action.
- **Recovery actions:** Cloudflare advised clients to initiate lobbying actions with local Russian regulatory bodies.
## Lessons Learned
- **Key takeaways:** State actors can effectively weaponize existing ISP infrastructure (e.g., Rostelecom, MTS) using throttling and packet manipulation techniques to achieve large-scale, targeted service degradation against global infrastructure providers like Cloudflare.
- **What could have been done better:** The incident timeline relies on public reporting rather than on a disclosure from the affected organization itself.
## Recommendations
- **Prevention measures for similar incidents:** Organizations relying on cross-border service providers operating in regions with potential state-actor interference should explore diversified delivery methods or deploy localized infrastructure backups where geopolitical risks are high. Cloudflare should continue engaging with digital rights organizations (like Roskomsvoboda) to document these systemic infrastructure abuse patterns.