Artificial Interruption
by Alexander Urbelis (alex@urbel.is)
On the Signal-to-Noise Ratio Concerning Ukrainian Relief
This column left off discussing a humanitarian disaster that was ongoing in Myanmar and the need for empathy among strangers. Since then, Russia has invaded Ukraine, there is a full-blown war on European soil, and the world's nations, including finally the United States, have accused Russia of perpetrating war crimes.
Results of an Attack from Ukrainian Army on Lugansk Regional Administration Building
The world has become familiar with the heartbreaking images of fathers pressing their hands to the windows of trains as a final valediction before their families, now refugees, are carried away and they must return to the frontlines to fight the Russians. We have all seen the horror of a mother and her two children killed in plain daylight while crossing the street, we've seen images in the aftermath of a woman nine months pregnant injured by a bomb before her death and the death of her unborn child, and there are untold and unspeakable horrors happening to the people of Ukraine on a daily basis as Russia continues its siege and its indiscriminate and persistent bombing of civilian targets and areas.
As of the writing of this column, despite the supposed sophistication of Russian operators, the war has hitherto had very little to do with cyber operations. Though Conti, a ransomware gang known for both its excellent customer service and connections to the Russian government, vowed to support the Russian incursion by breaching and encrypting the data of Russia's detractors, this notorious bunch of threat actors quickly walked back that threat less than 24 hours after its utterance. Before they could, however, a Ukrainian security researcher released for public consumption nearly 100 GB of Conti chat logs, training materials, and other internal documents.
On Off The Hook in March, we had the pleasure of hosting Emma Best of Distributed Denial of Secrets. DDoSecrets has published close to a terabyte of leaked Russian materials, from official documents of the Russian censorship agency (the Roskomnadzor) to troves of documents that relate to oligarchs' oil interests and Russian state-affiliated companies such as Transneft and MashOil. Also on Off The Hook as a guest was Karina Shedrofsky, head of research at the Organized Crime and Corruption Reporting Project. Karina and her colleagues have been tracking the assets of Russian oligarchs for years, and put together an interactive Russian asset tracker that sheds great light on the hidden assets of Russian oligarchs and the jurisdictions that provide them haven.
A concerning trend, however, is for the target of hacktivism or leaks to claim that the hacktivist groups responsible for the attacks are actually operating at the behest of a hostile foreign nation. Branding hacktivists in this manner is not simply misinformation or deflection - it could signal that those responsible for the actions are being classified as enemy combatants. When dealing with a country like Israel which has had no qualms on multiple occasions with targeting enemies of its state for poisoning and assassination, that is a scary classification for anyone to carry.
Indeed, from saber-rattling with nuclear weapons to clamping down on news media and protesters, Russia has been trying exceedingly hard to discourage individual or collective opposition to its illegal war and to prevent active support of Ukrainian relief efforts.
Around the globe, we are all wondering how we can support Ukraine, and our inability to do so has left us wanting. With this in mind, I have observed a curious trend in the Domain Name System (DNS) since the outset of the war. Right around the time that the hostilities commenced, I began to monitor and track domain names that contain the string ukrain*. That word stem would capture Ukraine as well as Ukrainian and other variations. Since the beginning of the war, I have identified thousands of new domains, with daily registrations peaking at around 500 at the outset of the invasion and then tapering off to about 125 new domains appearing every day in April 2022. Nearly immediately, however, I noticed a very significant spike in domain names about donating to Ukraine.
By way of our steady, old friend grep, it was easy to identify domains that pertained to donations, aid, relief, NFTs, and, of course, cryptocurrency. As of writing this column, there were nearly 800 new domains that incorporated strings relating to aid and relief together with the string ukrain.
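The stem-and-keyword filtering described in the two paragraphs above, as an added example rather than the author's own commands. It assumes a plain-text feed of newly registered domains, one per line; the sample domains, the function names, and the keyword groupings are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage newly registered domains for the stem "ukrain"
# plus donation, aid and crypto keywords. Not the author's commands.

# Constructed sample feed (mixed case, trailing root dot, one duplicate).
sample_feed() {
cat <<'EOF'
donate-ukraine-now.example
UkraineReliefFund.example.
nft4ukraine.example
cryptohelpukraina.example
ukrainian-recipes.example
ukraine-air-raid-map.example
weather-report.example
donate-ukraine-now.example
EOF
}

# Lowercase, strip the trailing root dot, drop blank lines, de-duplicate.
normalize() {
    tr '[:upper:]' '[:lower:]' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# Tag each domain with every keyword group it matches ("-" if none).
# Substring matching over-reports: "raid" contains "aid", so hits are
# leads for manual review, not verdicts.
tag_domains() {
    while IFS= read -r d; do
        tags=""
        case "$d" in *donat*) tags="$tags donation" ;; esac
        case "$d" in *aid*|*relief*) tags="$tags aid" ;; esac
        case "$d" in *nft*|*crypto*) tags="$tags crypto" ;; esac
        printf '%s\t%s\n' "$d" "${tags:- -}" | sed 's/\t /\t/'
    done
}

# Full pipeline: the stem "ukrain" also catches ukraina and ukrainian.
triage() {
    normalize | grep -F 'ukrain' | tag_domains
}

# Count domains carrying a given tag, e.g. `count_tag aid`.
count_tag() {
    triage | awk -F'\t' -v t="$1" \
        '{ n = split($2, a, " "); for (i = 1; i <= n; i++) if (a[i] == t) c++ }
         END { print c + 0 }'
}

sample_feed | triage
```

Run against a real daily feed by replacing `sample_feed` with the feed file, for example `triage < new-domains.txt` (a hypothetical filename).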
This is very much the type of gray area in which Russian operations thrive. Indeed, an often overlooked yet critical piece of understanding Russian politics is the role that Vladislav Surkov plays in advising Putin. Surkov was and is a manipulator who came from the world of the theater before rising to political power, holding the position of deputy chief of the Russian Presidential Administration from 1999 to 2011. Turning Russian politics into a shape-shifting mess of coalitions and ever-changing alliances and conflicts - and then letting it be publicly known that Surkov himself had artificially generated these coalitions and conflicts - was the Kremlin's tactic of keeping the masses confused, distrustful, and always questioning what was real and what was artificial.
Not surprisingly, on the heels of the invasion, there has also been an uptick in reports of donation fraud concerning Ukraine. Though many of these scams may originate on social media or via text message, much of the fraudulent activity will eventually rely on a domain name to host content, harvest credentials, siphon credit card details, or otherwise act as some form of pass-through for data or communications.
From the perspective of Russia, these domains and the fraud associated can be beneficial to their war efforts on several levels.
On one level, decreasing the signal-to-noise ratio (or increasing the noise-to-signal ratio) serves Russia because this type of fraud, and the media attention that it generates, will cause ordinary persons to have misgivings about donating to Ukrainian causes or relief efforts out of fear of being defrauded. From a policy perspective, given so much may be riding on the Ukrainians' ability to withstand sieges and sustained shelling and urban onslaughts - which would require aid and relief to withstand - it is not inconceivable that Russia could be encouraging this type of behavior under the table or turning a blind eye to criminals who engage in such fraudulent activity.
On a deeper and more sinister level, if Russian actors were behind the fraud themselves, they would be accomplishing the goal of deterring others from donating resources to Ukraine while also absconding with the funds and resources that well-meaning persons from around the world intended for Ukrainian relief.
And on yet another - albeit less - sinister level, there are many domains that track to Russia, either by registrar, registrant, name server records, or IP addresses. And if these domains relate to ordinary Russians, as some of the WHOIS data indicates, and those domains are not fraudulent, then, given the authoritarian crackdown on dissent - or even dialogue contrary to the Kremlin's official position on the invasion - those domains and the persons behind them should be lauded as heroic.
But then again, going back to Surkov's playbook, how do we know what is real and what is fake, what is charity and what is fraud, what is a legitimate humanitarian effort and what is a dangerous honeypot of a brutal regime? It is one thing to talk about the dissonance and difficulty of ascertaining fact and fiction and another thing entirely to see it. For that reason, I am dedicating some space in this column to listing Ukraine-focused domains with Russian connections. And while I encourage readers to exercise caution and discretion if they intend to visit any of these domains, I am also very curious about what information from and connections between these domains can be derived.
To that end, I encourage readers to reach out to me directly via Twitter (@aurbelis) if they would like to receive the full list of all newly registered and aid-focused Ukraine-related domains, and I wish you all, in the meantime, happy hunting.