As Russians protested ‘Internet isolation’ last weekend, hackers launched DNS attacks against Yandex, exploiting flaws in the government’s censorship system
Several major Russian Internet companies, including Yandex and the news outlet RBC, suffered massive network attacks this week that were made possible by vulnerabilities in the system the federal government uses to block websites. Sources told RBC that the perpetrators carried out DNS attacks, hijacking domain name system servers and domain registrars to direct traffic away from legal websites, like Yandex, to IP addresses that have been blacklisted by Roskomnadzor, Russia’s state censor.
During the attacks, several small Internet service providers blocked access to a few of Yandex’s IP addresses, sources told RBC. Major ISPs used more sophisticated censorship methods, filtering the traffic to Yandex’s servers with deep packet inspection, which caused the website to load more slowly than normal.
Yandex told Meduza that it doesn’t consider the DNS hijacking to constitute a cyberattack. “This isn’t an attack, but an exploitation of existing flaws in the mechanism for administering the block list,” spokespeople said, pointing out that any website could fall victim to these defects in Roskomnadzor’s procedures.
The start of the DNS attacks on Yandex and other companies coincided with a protest in Moscow on March 10 against Russia’s “Internet isolation.” Sources told RBC that the attacks against Yandex's IP addresses continued for several more days. Yandex, meanwhile, says it sees “no correlation between any events.” Kirill Titov, RBC’s business-to-consumer desk digital director, confirms that the company was hit with a DNS attack on March 11. Like Yandex’s spokespeople, Titov links the incident to vulnerabilities in Roskomnadzor’s block-list system.
The first “holes” in Roskomnadzor’s system were exploited in June 2017, when hackers used vulnerabilities to block access to popular websites for several days, including Wikipedia, Meduza, and major banks. Market insiders say Roskomnadzor still hasn't resolved this problem. Currently, lists of domain names that have been added to the agency’s Internet block-list are sold on the Darknet, where hackers can acquire the information to carry out DNS attacks, Alexander Lyamin, the head of DDoS mitigation service provider “Qrator Labs” told RBC. Spokespeople for the cybersecurity firm “Group-IB” confirm that demand has been high for these banned-domain lists since 2017.
To guard websites not on its block list against accidental access disruptions, Roskomnadzor started prohibiting ISPs from resolving the IP addresses of blocked domains on their own, after the first DNS attacks in 2017. The agency has also advised service providers to adopt deep packet inspection filtering, or to block only the IP addresses provided directly by Roskomnadzor. Officials have also developed “whitelists,” identifying websites that should not be blocked. Activists from “Roskomsvoboda” say Russia’s federal censor has extended this special protection to more than 2,000 government websites, as well as several popular private resources, including Yandex, Facebook, VKontakte, Google, Instagram, and Twitter.
Yandex supports the introduction of whitelists, but argues that the measure doesn’t go far enough. “All ISPs must be required to use ‘whitelists’ when compiling their block lists,” a company spokesperson said.
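The block-list flaw described above and the two mitigations (using only censor-supplied IPs, and filtering against a whitelist), as an added toy model that is not code from the article, Yandex or Roskomnadzor; every domain name, IP address and DNS answer in it is constructed for illustration.

```python
"""Toy model: how independent resolution of a blocked domain can cause
collateral blocking of a protected site, and how the mitigations avoid it.
Added illustration; all names, addresses and DNS answers are constructed."""
from ipaddress import ip_address

# Constructed: a domain the censor has placed on its block list.
BLOCKED_DOMAINS = {"blocked-example.test"}

# Constructed: a protected address (stands in for a Yandex server).
WHITELIST = {ip_address("203.0.113.10")}

# Constructed: the IPs the censor itself distributes for each blocked domain.
REGISTRY_IPS = {"blocked-example.test": {ip_address("198.51.100.7")}}

# Constructed DNS answers: the blocked domain's A records now also point at
# the protected address, the abuse of the block-list mechanism the article
# describes. An ISP that resolves the domain itself receives both records.
DNS_ANSWERS = {
    "blocked-example.test": {ip_address("203.0.113.10"),
                             ip_address("198.51.100.7")},
}


def lookup(domain):
    """Stand-in for a DNS resolver (constructed answers, no network)."""
    return DNS_ANSWERS.get(domain, set())


def naive_block_set(blocked, resolve=lookup):
    """Flawed approach: resolve every blocked domain and block all answers."""
    return {ip for domain in blocked for ip in resolve(domain)}


def registry_block_set(blocked, registry_ips=REGISTRY_IPS):
    """Mitigation 1: block only the IPs supplied by the censor, never resolve."""
    return {ip for domain in blocked for ip in registry_ips.get(domain, set())}


def whitelist_filtered(block_set, whitelist=WHITELIST):
    """Mitigation 2: drop protected addresses before the block set is applied."""
    return set(block_set) - set(whitelist)


def collateral_damage(block_set, whitelist=WHITELIST):
    """Protected addresses an ISP would wrongly block with this block set."""
    return set(block_set) & set(whitelist)
```

Running `collateral_damage(naive_block_set(BLOCKED_DOMAINS))` shows the protected address being blocked, while either mitigation yields an empty collateral set.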
Translation by Kevin Rothrock