Weaponization of stolen IP addresses -- how Russia is exploiting Ukrainian digital resource in its war against Ukraine

Weaponization of stolen IP addresses -- how Russia is exploiting Ukrainian digital resource in its war against Ukraine

Ukrinform
RIPE NCC continues to serve occupying administration entities contrary to EU sanctions

At a time where cyber threats have become a new weapon, Europe finds itself facing an invisible but real danger. Russia is using Ukrainian digital resources it had stolen during the occupation of part of Ukrainian territories for its cyberattacks and disinformation operations. We are not talking about abstract technologies, but about specific IP addresses – networks’ “digital passports" through which all Internet traffic passes.

After Russia had occupied part of Ukrainian territories in 2014 and 2022, a number of Ukrainian Internet service providers lost not only their property, but also their IP addresses, which were taken over by Russian companies. Technically, these resources were re-registered through the international non-profit organization RIPE NCC, headquartered in Amsterdam. Despite appeals from Ukrainian lawyers and the Ukrainian Internet Association, RIPE refuses to respond, hiding behind “neutrality” and the slogan “the Internet is beyond politics.”

Photo via freepik

WHAT AN IP ADDRESS IS AND WHAT MAKES IT IMPORTANT

 An IP address (Internet Protocol address) functions like a unique digital "passport" or a home address for devices connected to the internet. 

It is a numerical label assigned to every device (computer, smartphone, server, etc.) participating in a computer network that uses the Internet Protocol for communication.

It provides information about the approximate geographic location (city, region, country) of the device.

It allows information (data packets) to be correctly addressed and routed across the internet from the sender to the intended recipient, much like a postal service uses physical addresses to deliver mail. 

In simpler terms, you need a destination address for information to travel to the right place online, and that is the fundamental purpose of the IP address.

Each address belongs to a certain service region, which is allocated by RIPE Network Coordination Centre (RIPE NCC).

RIPE NCC is one of five Regional Internet Registries (RIRs) worldwide. It is a non-profit organization responsible for allocating and registering Internet number resources (IPv4 and IPv6 addresses, and Autonomous System (AS) numbers) to ensure the efficient operation of the internet in its specific service region. 

RIPE NCC covers Europe, the Middle East, and Central Asia.

It manages the allocation of IP addresses in this region, which prevents duplication and ensures that every device on the internet can be uniquely identified, effectively maintaining the internet's addressing system.

Its members include Internet Service Providers (ISPs), large corporations, academic institutions, and governments who require blocks of IP addresses to operate their networks.

IP addresses are not unlimited, and getting new ones is surprisingly difficult today.

“Any numerical sequence in these digital identifiers is limited,” Oleksandr Fedienko, member of the Servant of the People parliamentary faction and former head of the Ukrainian Internet Association, explained in a comment to Ukrinform. “There are practically no free IP addresses left in the world, so they are gaining significant value. They are already perceived not just as a technical resource, but as an economic asset that can be monetized.”

Oleksandr Fedienko

So, IP is a limited economic asset, similar to land or mobile communication frequencies. According to experts in the IP resource market, one IPv4 address currently sells for 35 to 50 euros on shadow or semi-official frequency exchanges. Major telecom companies own hundreds of thousands of such addresses, so the loss of even a few thousand units amounts to millions in losses.

In addition to economic value, IP addresses also have strategic value. Government communications, banking transactions, and critical infrastructure signals pass through them. Therefore, control over them is a matter of national security.

That is why the theft of Ukrainian IP addresses poses risks not only for Ukraine.

Through these resources, Russian entities can disguise their cyberattacks as Ukrainian or European ones, making it difficult to trace down the source. This threatens the digital security of the entire continent.

Google Maps Street View

RIPE NCC is one of five Regional Internet Registries (RIRs) worldwide. The organization was conceived as a technical community, independent of politics, but this is the principle used today by aggressor states.

After receiving IP addresses, a company becomes a member of the RIPE system, gains access to the technical platform and can participate in voting and elections of the organization's governing bodies. This principle, according to Fedienko, allows the Russian side to influence RIPE decisions, as it controls a significant number of IP resources.

Ukraine has long remained passive in RIPE processes, while Russia has systematically built up its influence.

“Over the years, the Russians have actually taken over control over RIPE. They have put their own people on the board, including citizens of EU countries affiliated with Russia. We, for our part, have also tried to get our representative there even before the full-scale war, but we have never succeeded. Because the Russians immediately began to impose a narrative like Ukraine is a small country, it has few resources, but Russia is big, it deserves more,” the lawmaker adds.

Oleksandr Fedienko emphasizes: the theft of IP addresses is a direct consequence of the occupation, which was accompanied by torture and coercion. Communication operators in the occupied territories, who legally received these “digital passports” through the RIPE NCC, were deprived of them by force.

“I know about a situartrion in Kherson where these resources were forcibly taken from our communication operators through tortures. Because they are not that easy to take without knowing the appropriate login and password,” says Fedienko.

Having received access, the Russians submitted re-registration applications to RIPE, and the international registry, citing “being beyond politics”, made the changes. This poses a direct threat to security, the Ukrainian lawmaker warns.

Moscow’s information expansion in the currently occupied Ukrainian territories is carried out through particular “state-owned” unitary communication enterprises and telecommunications providers created under the auspices of its installed administrations. They are the ones who use the largest blocks of stolen IP addresses.

The list of such entities includes:

● State Unitary Enterprise of the Donetsk People’s Republic “Ugletelecom”;

● State Unitary Enterprise of the Donetsk People’s Republic “Comtel”;

● Republican Communication s Operator “Phoenix”;

● State Unitary Enterprise of the Luhansk People's Republic “Republican Digital Communications””.

This is just a few of the enterprises involved in Russia’s information expansion campaign.

HIDDEN SHIELD BEHIND RUSSIAN CYBERAGGRESSION

Andriy Pylypenko, a lawyer at a law firm that defended Ukraine’s interests in a lawsuit in the Netherlands over the return of the Scythian gold collection to Ukraine and defended National Guardsman Vitaly Markiv in a criminal case in Italy, is currently working as part of an ad hoc group to help shape Ukraine’s legal position regarding the forced freezing of stolen IP addresses. He argues that these entities play a key role in providing information support to the occupying regime, which is why they have long been under sanctions. RIPE NCC deliberately turns a blind eye to this circumstance.

Andriy Pylypenko

“Not only did they expropriate IP addresses, but also, under the guise of providing access to “their Internet network,” actively facilitated the holding of sham referendums and elections in the occupied territories, publicly called for their holding and in various forms campaigned for support for the aggressor’s actions. They also provide the occupying authorities, their “bodies” and armed formations an access to the digital coordination infrastructure, spread Russian propaganda and conduct cyberattacks against Ukraine,” the lawyer explains in a comment to Ukrinform.

In addition, the above-mentioned entities are paid by people in the occupied territories for providing the Internet access, channeling the money, in particular, to the budgets of the illegal entities of the “DPR” and “LPR” and the occupying authorities on the ground, and to finance terrorist and subversive activities aimed at harming the sovereignty and national security of Ukraine.

“The issue of RIPE NCC not severing relations with these enterprises located in the occupied territory is used by Russian propaganda to legitimize these territories as Russian, saying: look, Europe recognizes us,” the MP emphasizes.

This stolen resource becomes a hidden shield behind Russian cyber aggression. Ukraine has blocked most of the Russian digital identifiers, but hasn’t done the same to the stolen ones.

“The Ukrainian digital identifiers stolen by the Russians remain unblocked by us. They can use them. It’s like a car with Ukrainian license plates, which a Russian is driving and trying to blow it up. What will the media say then? That the Ukrainian car blew up. But no one will remember who the driver was. Approximately the same story is happening here,” Fedienko draws an analogy, explaining the mechanism of camouflaging cyberattacks.

CRIMINAL LIABILITY FOR “BEING BEYOND POLITICS”

RIPE NCC’s inaction has long since gone beyond the technology domain and has moved into the legal domain. Lawyer Pylypenko explains that back in 2018, the Ukrainian Internet Association warned RIPE against cooperating with the “L/DPR”, but then the organization refused to react, stating that IP addresses are supposedly not an “economic resource” and therefore do not fall under EU sanctions.

This controversy went on until at last the Dutch Foreign Ministry, the government agency empowered to interpret sanctions, provided a clear explanation.

The RIPE NCC (the Regional Internet Registry for Europe, the Middle East, and Central Asia) explained in a 2021 update that its Dutch Ministry of Foreign Affairs (MFA) had clarified that IP resources (IP addresses) are considered "economic resources" under EU sanctions regulations. The RIPE NCC is legally required to freeze the registration of any IP addresses already held by sanctioned individuals or entities.

It is prohibited from making any additional IP resources available to them. 

The RIPE NCC board publicly disagreed with this interpretation, arguing that access to the internet and IP resources should not be affected by political disputes, arguing that the DPR/LPR are on their member lists. This is despite the blatant fact that even in the official RIPE database, these illegal entities mention full information about themselves, with impunity and without any consequences, referring to themselves as “state enterprises” of the so-called “DPR” or “LPR.” Of course, illegal quasi-state entities cannot be members, but the business entities controlled by them are members – the “ministries” and “state institutions” created by the occupiers,” the lawyer explains.

RIPE NCC then requested an exemption from the sanctions. However, the Dutch MFA stated there was no legal basis for such a blanket exemption. The RIPE NCC has since worked to find legal alternatives to minimize the impact of sanctions on internet connectivity where possible. 

In 2021, Ukrainian President committed to personally overseeing this controversy, instructing relevant bodies to work out mechanisms to ensure the stolen IP resources currently used by illegal quasi-state entities in the occupied territories are returned back to Ukraine or frozen.

At the end of 2021, a mechanism for appealing to the competent authorities of the Kingdom of the Netherlands was discussed, but the process was put on hold due to the full-scale invasion.

The issue was re-addressed in the summer of 2022. “Then we had already held direct consultations with the head of RIPE NCC and the lead figures in its legal department. We were explaining to them, “Now that the full-fledged invasion has begun, the political situation in the world demands that you act... No one will do anything to you if you freeze their [Russians in the occupied territory] IP addresses, but will only applaud, especially since you have a complete and comprehensive legal justification for this,” Pylypenko says.

This communication with RIPE NCC management and their legal services continued in various formats throughout 2023, but the organization's stance remained unchanged.

Photo via unsplash

VIOLATION OF EU SANCTIONS

In response, RIPE NCC published a report maintaining its clear official position regarding the application of EU sanctions law, despite legal interpretations from the Dutch Ministry of Foreign Affairs, and confirming its intention to continue to accept documents from the “DPR/LPR” under the pretext of ensuring “freedom of Internet access”.

“We have repeatedly explained to them how EU sanctions law applies, which clearly states: if the “L/DPR” have been sanctioned, then every entity under their control is also automatically subject to sanctions. It’s like if they sanctioned me, then my arm is also sanctioned”, the lawyer continues.

RIPE NCC even refused to include in its internal rules a ban on accepting documents issued by occupying administrations, contrary to Dutch legislation that designates such documents as having no legal force. In fact, by concluding contracts with sanctioned entities and providing them with economic resources, RIPE NCC violated the EU sanctions regime, which makes the organization's leadership legally responsible for a crime, potentially leading to penalties such as imprisonment or fines. Meanwhile, RIPE NCC denies working directly with sanctioned entities, shifting responsibility to an outsourcing company that allegedly provides services for verifying community members.

In the meanwhile, Ukraine has provided the EU with an appropriately documented database of entities in the occupied territories, after which they are one by one included on the EU sanctions lists (for example, Comtel, Phoenix and others were included in the EU sanctions lists, in particular, in the 16th, 17th and 19th sanctions packages). This means that the EU has received enough evidence of harm to the national interests, national security and sovereignty of Ukraine, and that any cooperation with such entities is not only prohibited, but also entails strict liability, including at the level of EU member states, the Netherlands among them.

“It is our understanding that they [RIPE NCC] can no longer use such an excuse today. The only way for them is to freeze the relevant IP addresses and restrict access to them for sanctioned entities. In addition, the head of an organization that violated the EU sanctions regime is held responsible for committing a crime as defined by law. In the Netherlands, this is an aggravated crime,” Pylypenko emphasizes.

Several criminal investigations into EU sanctions violations or circumvention have been initiated in the Netherlands. Over the past three years, at least 70 companies and individuals have been prosecuted in that country on charges of violating EU sanctions against Russia over its all-out invasion of Ukraine.

The Dutch Public Prosecutor’s Office has recently launched a criminal case against Damen Shipyards, one of the country’s major shipbuilders, as well as against its current CEO and two former Board members, on charges of corruption and violation of international sanctions against Russia.

Photo via freepik

CYBERSPACE AS A BATTLEFIELD

Ukraine is fighting not only for sovereignty in cyberspace, but also to deprive the aggressor of a financial resource.

“By returning our stolen IP resources, we are taking huge amounts of money away from the Russians, which they could potentially earn through the sale of these IP addresses. As a matter of fact, this is not legally prohibited. We are fighting not only for information resources, we are also fighting to ensure they do not use the money obtained in this way against us,” Fedienko emphasizes.

Experts interviewed by Ukrinform note that the RIPE NCC’s activities, combined with certain political influences and approaches to “liberalism,” may create risks for Ukraine’s national security in the context of a hybrid war.

“A am confident in our ability to make the European security sector convinced that RIPE should be taken under the hood of European regulatory and state institutions. Because now it is not accountable to anyone. That is, we, Ukrainians, can even become kind of pioneers in this domain,” the lawmaker says.

He believes that the RIPE NCC, which actually holds the “red button of control” over part of the European Internet space, should itself be taken under control.

NATO has formally recognized cyberspace as an operational domain and a battlefield since the 2016 Warsaw Summit. This decision fundamentally changed the Alliance's defense posture by integrating cyber warfare into its core tasks and affirming that a significant cyberattack could trigger a collective defense response under Article 5.

Therefore, inaction in cyberspace may easily turn into a direct threat to the entire continent.

Maryna Shashkova

More news

Topics

Agency

While citing and using any materials on the Internet, links to the website ukrinform.net not lower than the first paragraph are mandatory. In addition, citing the translated materials of foreign media outlets is possible only if there is a link to the website ukrinform.net and the website of a foreign media outlet. Materials marked as "Advertisement" or with a disclaimer reading "The material has been posted in accordance with Part 3 of Article 9 of the Law of Ukraine "On Advertising" No. 270/96-VR of July 3, 1996 and the Law of Ukraine "On the Media" No. 2849-Х of March 31, 2023 and on the basis of an agreement/invoice.

Online media entity; Media identifier - R40-01421.

© 2015-2025 Ukrinform. All rights reserved.

Extended searchHide extended search
By period:
-