
Russia is rapidly isolating its internet-connected infrastructure from the outside world. In less than half a year, over two-thirds of previously discoverable services and devices have vanished behind the ‘Great Firewall.’
Today, if you scanned and counted public-facing Russian servers and other devices, the country would appear smaller than Romania or Sweden, states with 5-10 times smaller populations.
Before October 15th, 2024, Russia had around 920,000 public internet-facing devices and services. These publicly exposed IP addresses include a wide range of networked devices and services, such as routers, email servers, VPN servers, various web panels, load balancers, video systems, and other software or connected hardware.
Overnight, almost half of these devices disappeared, Shadowserver Foundation IoT data reveals.
The number briefly spiked above two million devices before the end of 2024 and then collapsed again even further. The publicly visible Russian internet infrastructure remains close to 270,000 devices this year.

The sharp decline in all types of internet-exposed devices and services in Russia contrasts with patterns observed in other countries, where the number of devices remains relatively stable.
For comparison, almost seven million devices are publicly discoverable in the US. South Korea and Brazil have 2.1 million each, followed by Germany with 1.8 million and China with 1.2 million.
Why is Russia suddenly proactively reducing the visibility of internet-connected devices and services? At least a few factors are at play. The Cybernews Research Team suggests that Russia's trends are mainly driven by efforts to tighten control over its internet infrastructure.

What’s happening with the Russian internet?
For a while now, Russia has been keeping its citizens under the Iron Curtain, restricting access to foreign internet services and banning the VPN connections used to bypass the restrictions.
However, it has recently been testing its ‘sovereign internet’ – a national alternative to the global internet – by disconnecting large parts of the country from the internet. Last December, multiple republics in Russia were unable to access foreign websites and services, such as YouTube and Google.
Aras Nazarovas, an information security researcher at Cybernews, suggests that these tests might be a big part of the puzzle.
“Russia is experimenting with their own internal internet infrastructure, and disconnecting various regions, particularly ones with higher amounts of minorities, from the worldwide internet,” Nazarovas said.
Russian federal censor Roskomnadzor reportedly caused several major internet outages over the past few months. Roskomnadzor confirmed it tested whether the “key replacement infrastructure” can function when deliberately disconnected from the global internet.
Cybersecurity and cyberwarfare are other considerations. Due to Western sanctions, it’s difficult for Russia to replace or update aging network equipment and other public-facing devices. Unpatched hardware is a huge cybersecurity risk, which can be alleviated by removing access to it.
“Following Russia's invasion of Ukraine, hacktivists launched numerous cyberattacks in response that continue to this day, albeit at a reduced intensity. Attacks on government and banking sectors could have prompted incoming internet traffic control changes at the backbone level, bolstering the security of these systems,” Nazarovas said.
On October 14th, 2024, one day before a massive decrease in IoT numbers, Russia’s communications systems were hit by powerful DDoS (Distributed Denial of Service) attacks of up to 1.7 terabits per second.
Later, Roskomnadzor boasted that it created a “large-scale system of the all-Russian level,” which helped to repel more than 10.5 thousand DDoS attacks. The system “provides additional protection of the resources of the Russian segment of the internet.”

“The observed decline in internet-exposed IoT devices in Russia is likely driven by cyber warfare considerations and operational security measures taken in response to the ongoing conflict,” Sonu Shankar, chief product officer at Phosphorus Cybersecurity, told Cybernews.
“While multiple factors may be influencing this trend, the most probable explanation given the known offensive cyber operations in the region is the deliberate reduction of their attack surface.”
Shankar believes that Russian state-affiliated entities and enterprises are intentionally limiting exposure to protect infrastructure from cyberattacks. Russian internet service providers may also have implemented stricter policies to prevent certain services from being exposed.
The Kremlin has invested roughly 59 billion rubles (about $648 million) into developing technical capabilities to restrict internet traffic and has devoted efforts to compelling Russians to migrate from Western social media platforms to domestic platforms that the Kremlin can more easily control, the Institute for the Study of War said in a report. Moscow may also want to shield its infrastructure from spies.
“Just as Russian authorities control internet access within Russia, they could similarly block certain connections from outside the country, which might explain the sporadic changes in the number of tracked internet-connected devices,” Nazarovas said.
The shift in practices may be partly caused by the imposition of Western sanctions, as certain technologies and cloud-based services are no longer available in Russia.
Russia adopted the “sovereign internet” law in late 2019. Its goal was to shield the country from being cut off from foreign infrastructure and the “aggressive nature” of the United States' national cyber security strategy.
What devices are still visible?
Most of the public-facing devices (25%) in Russia are routers, followed by email servers (20%), VPN (6%), web panels, and load balancers (5% each).
For a router to be discoverable by external scanners, at least one port must be open and responding to outside queries. An open port typically indicates an actively running service, such as a web server, security camera interface, remote administration portal, or another service. Open ports may also signal potential misconfigurations.
More than half (55%) of the exposed routers are produced by MikroTik, a Latvian network equipment manufacturer. Keenetic is the second largest vendor (16%), followed by Huawei (11%), Asus (7%), and TP-Link (6%).

“MikroTik has officially stated that they have left the Russian market and prohibit their third-party partners from selling equipment there. The company must comply with the EU’s export restrictions and sanctions. The dominance of MikroTik routers in the Russian market could be partly explained by weak export controls in other countries, allowing Russians to import sanctioned equipment through black market channels,” Nazarovas said.
Statistics do not reveal when the routers were produced or acquired, and some devices might not even clearly broadcast their type, model, or other data.
Shadowserver data also does not represent all of the IoT devices within Russia, only those exposed to the public.
Email servers in Russia are dominated by Exim (94%), a free mail transfer agent software.
Exposed web panels are mostly comprised of the server management tool Fastpanel (46%), the web server control panel HestiaCP (18%), the web hosting control panel software cPanel (6%), and the database administration tool phpMyAdmin (6%).
Most of the exposed VPN instances are MikroTik (72%), followed by Cisco (14%), OpenVPN (4%), and SoftEther (4%).
“Restricted access to Western technologies definitely presents new challenges for Russia, as it in some cases can no longer receive security updates for certain software, and therefore would need to develop their own patches, or trick companies into believing internet traffic is coming from elsewhere through the use of VPNs in order to receive security updates,” Nazarovas explains.
For load balancing, entities in Russia mostly use Traefik Labs (58%) and Nginx (41%).
Should the US follow?
The US internet footprint is now 26 times larger than Russia's. According to security experts, the trends in Russia leave the country more secure from online threats, and this serves as an example for the US.

“These trends serve as a critical reminder for organizations in the US to prioritize the fundamental security hygiene of their connected device footprints. To mitigate risks, organizations should restrict unnecessary internet exposure, enforce strong authentication practices at the device level by ensuring default or weak passwords are changed, and eliminate device misconfigurations that could be remotely exploited by threat actors,” Shankar said.
“Additionally, keeping the firmware up to date is essential to prevent attackers from exploiting known vulnerabilities.”