
DIVD-2022-00014 - GreyNoise's Ukraine only list

Our reference: DIVD-2022-00014
Case lead: Frank Breedijk
Researcher(s):
Recommendation: We explicitly leave it up to the network administrators to decide what to do with the observed facts
Status: Open
Last modified: 20 Jun 2022 07:35

Summary

GreyNoise has published a “free, public, unauthenticated, self-updating feed of all IPs that are exclusively targeting devices geographically located in Ukraine’s IP space with scans, exploits, etc.” We first became aware of it via a tweet from GreyNoise founder Andrew Morris. We feel that in these times, network administrators should be aware of these IP addresses even if they are unaware of the services of GreyNoise.

We are using the list of “unspoofed” IPs (IP addresses that have completed a full three-way handshake) located on GreyNoise Pulse. If you want to check other lists, feel free to inspect the manifest of the full API.

What you can do

We are sending out these emails for awareness only. We want you to be aware that you have one or more nodes in your network displaying this behavior. How you act on this information is entirely up to you. We cannot determine if this behavior is expected, unexpected, logical, illogical, wanted, or unwanted by you.

What we are doing

On a regular basis, we will retrieve the list from GreyNoise and send notifications to network administrators. We will only send out notifications for systems last seen on or after 1 March 2022 and only to system owners who have not received a notification before.
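
For a network administrator who wants to apply the same selection to their own address space, here is an added example (not DIVD's or GreyNoise's code). It assumes the feed has been saved locally as `ip,last_seen` lines, a format constructed here because this page does not show the real one; `hosts_to_report`, `my_networks` and `already_notified` are hypothetical names.

```python
import ipaddress
from datetime import date

# From the page: only systems last seen on or after 1 March 2022 are reported.
CUTOFF = date(2022, 3, 1)

# Constructed sample records (documentation address ranges, assumed format).
SAMPLE_FEED = """\
192.0.2.10,2022-03-04
192.0.2.77,2022-02-20
198.51.100.5,2022-03-02
203.0.113.9,2022-03-05
not-an-ip,2022-03-05
"""

def parse_feed(text):
    """Yield (ip, last_seen) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        try:
            ip_text, seen_text = line.strip().split(",")
            yield ipaddress.ip_address(ip_text), date.fromisoformat(seen_text)
        except ValueError:
            continue  # wrong field count, bad address or bad date

def hosts_to_report(feed_text, my_networks, already_notified=()):
    """Return IPs inside my_networks, seen since CUTOFF, not handled before."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    done = {ipaddress.ip_address(a) for a in already_notified}
    hits = set()
    for ip, last_seen in parse_feed(feed_text):
        if last_seen < CUTOFF or ip in done:
            continue
        # Compare only against prefixes of the same IP version.
        if any(ip.version == net.version and ip in net for net in nets):
            hits.add(ip)
    ordered = sorted(hits, key=lambda a: (a.version, int(a)))
    return [str(ip) for ip in ordered]

if __name__ == "__main__":
    print(hosts_to_report(SAMPLE_FEED,
                          ["192.0.2.0/24", "203.0.113.0/24"],
                          already_notified=["203.0.113.9"]))
```
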

Timeline

Date Description
24 Feb 2022 GreyNoise announces their plans to publish a “free, public, unauthenticated, self-updating feed of all IPs that are exclusively targeting devices geographically located in Ukraine’s IP space with scans, exploits, etc.”
04 Mar 2022 Case opened
05 Mar 2022 First notifications sent

More information