Ukraine Deserves to Win. Nobel Peace Prize Laureates To Send a Powerful Message to the US Government

From July 25 to 28, 2023, a delegation of the 2022 Nobel Peace Prize laureates from Ukraine, Belarus, and Russia will hold meetings with senior US government officials, delivering a message of unwavering support for Ukraine. The visit, initiated and supported by eQualitie, will take place in Washington DC in partnership with the National Endowment for Democracy and the Carnegie Endowment for International Peace.

Niklas Elmehed © Nobel Prize Outreach

During their four-day visit, the delegation, consisting of Oleksandra Matviichuk from The Centre for Civil Liberties of Ukraine, Aleksandr Cherkasov from the Memorial Human Rights Center of Russia, and Kanstantsin Staradubets of Vyasna Human Rights Center also representing the imprisoned laureate Ales Bialiatski of Belarus, will engage with representatives from the State Department, the Commission on Security and Cooperation in Europe, the US Committee on Foreign Relations and the White House, as well as with various legal experts and influential think tanks.

The 2022 Nobel Peace Prize laureates have issued statements advocating for greater US involvement in support of a Ukrainian victory and recommendations for rebuilding the international system of peace and security. Oleksandra Matviichuk of the Center for Civil Liberties highlights Russia’s longstanding utilization of warfare as a means to achieve its geopolitical objectives, employing war crimes as a strategy for securing victory. This pattern is evident in numerous states, including Chechnya, Georgia, Moldova, Mali, and Syria. Remarkably, Russia has managed to evade accountability for its actions throughout these conflicts. According to Matviichuk, breaking the circle of impunity is essential to hold Vladimir Putin, Russian top leadership, and military leaders accountable.

We must switch from the narrative of “let’s help Ukraine not to fail” to “let’s help Ukraine win” and we should do it quickly. There is a huge difference between those, in terms of sanctions and weapons – Oleksandra Matviichuk

Aleksandr Cherkasov of Memorial urges that investigating and penalizing past atrocities is vital for achieving justice for present-day war criminals. Neglecting this crucial step undermines our efforts, impeding the attainment of substantial and meaningful outcomes.

Crimes witnessed during the ongoing full-scale war in Ukraine can be traced back to a culmination of events over the past three decades, characterized by a relentless cycle of wars, crimes, and a lack of accountability – Aleksandr Cherkasov

Kanstantsin Staradubets highlights that victory for Ukraine will not only bring freedom to Belarus but also symbolize the triumph of civil society in a country currently under Russian occupation.

It is impossible to preserve global peace and the independence of Belarus without stopping Russian aggressive imperialism. This requires the victory of Ukraine – Kanstantsin Staradubets 

We invite those of you in DC: join us on Wednesday, July 26, as the Carnegie Endowment for International Peace hosts a public event: “A Conversation with the 2022 Nobel Peace Prize Winners from Ukraine, Belarus, and Russia.” Don’t miss this opportunity to attend. Register now using the provided link.


Oleksandra Matviichuk is the head of the Center for Civil Liberties, a Ukrainian human rights organisation established in 2007 with its mission to promote democracy in Ukraine. Since 2014, the organisation has been actively documenting Russia’s atrocities against Ukrainian civilians, shining a light on the crimes committed during that period. (photo: Right Livelihood Award)



Aleksandr Cherkasov serves as the chair of Memorial, a Russian human rights centre established in 1987. Memorial’s primary objectives are to gather information about victims of the Soviet regime and to document human rights abuses in present-day Russia. Unfortunately, in 2021, the organisation faced a ban within Russia, further highlighting the challenging environment for human rights defenders in the country.


Kanstantsin Staradubets, a Belarusian human rights activist, serves as the representative for Ales Bialiatski, who is currently imprisoned under the Lukashenko regime. Bialiatski has been a steadfast figure in the Belarusian pro-democracy and human rights movement since the late 1980s. In 1997, he founded the Viasna Human Rights Center, solidifying his dedication to advocating for human rights in Belarus.


For media inquiries, please, write

The upcoming visit of the Nobel Peace Prize laureates to the United States in July 2023 is being organised by eQualitie, a Canadian human rights and technology organisation that actively supports Ukraine in maintaining digital connectivity in times of war.



How decentralization saved the Ukrainian internet: lessons from 2022, government officials and telecom industry reflect in Kyiv

The Ukrainian telecoms market incurred $2.3B in losses during the initial year of the invasion, per the World Bank. Key stakeholders, including industry leaders, government officials, and international partners, gathered in Kyiv for the “Ukraine: Communications and Internet Resilience during War” conference on May 26, 2023. Organized by eQualitie and Internews Ukraine, the event focused on the ongoing infrastructure restoration efforts.

The resilience of Ukrainian communications and the Internet in the early months of Russia’s aggression against Ukraine can be attributed to several key factors, with one notable distinction being the establishment of a robust public-private partnership in response to the crisis. These partnerships ensured that government decisions concerning communications stability were swiftly made in the initial weeks of the full-scale invasion.

The Ukrainian government made several notable decisions during the crisis that had a significant impact on the operations of the telecommunications industry:

  • Abolishing fees for providers and operators to access electric power infrastructure, saving UAH 800 million.
  • Providing free frequencies to enhance network capacity for mobile operators.
  • Implementing network quality testing measures.
  • Postponing the expiration of telecommunications company licenses.
  • Facilitating collaboration between the government and the private sector for equipment delivery.
  • Approving passage through checkpoints during curfew for telecoms employees to conduct network repairs.

Decentralization saved the Ukrainian Internet, thanks to effective cooperation and timely decision-making by stakeholders. The united front of the state, critical infrastructure, and business became the decisive factor in the country’s struggle, as emphasized by Volodymyr Zverev of the National Security and Defense Council of Ukraine.

Communications in temporarily occupied and de-occupied territories

In response to the full-scale Russian invasion, most Ukrainian TV channels in the temporarily occupied territories have decoded their signal. According to Oleh Chernysh of the National Council of Ukraine on Television and Radio Broadcasting, 283 licensees remain in these territories, and about 47 satellite broadcasters have temporarily stopped broadcasting.

The Russian Internet has invaded occupied territories, and all mobile and Internet communications are channelled through the Russian Federation. Dmitri Vitaliev of eQualitie presented the tools that will help to restore communications with these territories:

  • dComms is an alternative platform for online communication if access to the Internet is limited.
  • Ceno is the world’s first mobile browser that uses decentralization to bypass modern Internet censorship methods.
  • Ouinet is a set of software tools that provide access to web resources in unreliable Internet conditions or where the Internet is unavailable.
  • Deflect is a robust and innovative website protection service designed to withstand distributed denial of service (DDoS) attacks. Deflect offers secure hosting, encrypted connections, and advanced mitigation options.

In the recently de-occupied territories, over 1,700 base stations have been restored, reconnecting residents of 500 settlements, with 91% of mobile networks operational, confirmed Stanislav Prybytko from the Ministry of Digital Transformation. The Ukrainian Parliament passed Law No. 2078-IX, simplifying and expediting the construction of mobile towers.

The needs of the telecommunications industry. Dialogue on international aid for Ukraine

According to Maksym Smilianets from Winner Telecom ISP, the telecommunications industry in the occupied territories faces significant challenges, including equipment theft, blackouts, disconnection of users from Ukrainian providers, and forced connection to Russian providers. Smilianets also highlighted the significant daily expenditure of UAH 350,000 in the Kherson Region solely for restoring damaged systems and equipment.

Yuriy Matsyk from the Ministry of Digital Transformation highlighted the continuous need for funds to restore territories. Despite the reduced population in partially destroyed settlements, the Ministry aims to ensure fully functional internet and communication services. They plan to launch the “Universal Internet Service” project in de-occupied territories. This initiative will assist citizens who cannot afford communication services by providing state funds for payment. Users will have the freedom to choose their preferred provider and pay for their services accordingly.

Maryna Pryhornytska from the Telecommunications Chamber of Ukraine outlined key mechanisms to aid the industry’s recovery, including:

  • Legislative Assistance: Developing methodologies to determine losses and procedures for cost compensation, providing a legal framework to support the industry’s restoration efforts.
  • Administrative Assistance: Prioritizing the restoration of power supply, demining facilities with telecommunications infrastructure, granting special passes to telecom employees for emergency repair work, and reserving management and key personnel during mobilization.
  • Financial Assistance: Offering equipment and cable products free of charge through funds and contributions, providing Starlink terminals in de-occupied territories, and facilitating access to interest-free loans for swift communication restoration in liberated regions and active combat zones.

Conference speakers also highlighted Canada as a pivotal international partner in strengthening Ukraine’s defense against cyber threats. During Ukraine’s blackouts, Canada stepped in to support by helping procure batteries to ensure the continuity of optical networks.

The conference was organized within the framework of the “Digital Emergency Support of Civil Society in Ukraine” project, with support from Global Affairs Canada, implemented by eQualitie.


Donate to Keep Ukrainians online


Since October 2022, Russia has been targeting critical civilian infrastructure in Ukraine with its missiles and drones. Attacks have degraded electricity generation and distribution, cutting off power and thereby heating, water treatment and Internet connectivity for millions of people. Rolling electricity blackouts lasting anywhere from several hours to days are making this brutal conflict even harsher. Even if the war were to stop tomorrow, damage to electricity power plants and distribution networks will persist. One of the ways eQualitie is responding to this crisis is by supplying small Internet service providers (ISPs) with batteries to help them power their local (fibre optic) networks during electricity outages. We have already delivered a 7 tonne shipment in December.

The donated batteries have been in use since December 2022. Chernihiv, the regional center located in northern Ukraine, was almost surrounded by the Russian military from the first days of the aggression. City infrastructure has been heavily damaged by constant bombardment. Even during the combat in February and March, ISP Osnova provided internet and cable TV services to more than 50 thousand households in Chernihiv. Dmytro Samsonenko, the director of ISP Osnova, shares his feedback on the usage of donated batteries during outages:

Our SBL batteries are connected to the EASUN ISOLAR-SMG-II-3.6KW-WIFI inverter, the system capacity is approximately 3 kWh (135 Ah at 24 V).
The system is installed at the district-level node, which provides television and internet connection for 185 residential buildings in Chernihiv. The capacity of the batteries is enough for 16 hours of continuous operation of the equipment in the event of an outage of the node.



Please make a donation today to support this procurement. Our goal is to collect $25 000, which will help to buy 150-170 individual batteries to serve the needs of around 30 ISPs. Every contribution matters! More than 1500 ISPs work in Ukraine; this market is diverse and the smallest ISPs provide services to a few residential buildings. Thus, the need for batteries remains high.

100% of your donation will go towards the batteries’ purchase. We have an established logistics pipeline with DACPOL and customs importing and road freight assistance from DEPS. In Ukraine, the Ministry of Digital Transformation works with local ISPs on delivery, verification and reporting.




We also accept donations in BTC: bc1qre02fd4w6nvl7eq44456z03h25fvnuzjms28p9



eQualitie Org is a Canadian registered non profit corporation (1191545-2) with business number 745963470RC0001




A year in review: eQualitie’s reactions to the war in Ukraine

Team members meeting in Lviv, September 2022

Since the beginning of the second invasion in February 2022, eQualitie has launched a series of rapid efforts focusing on digital security capacity building and urgent response to various communication and safety needs of Ukrainian citizens, media agencies, human rights organizations, and CSOs. A lot of the focus of our existing programming on web security and censorship circumvention was extended to the realities and needs of Ukrainian websites and people finding themselves in temporarily occupied territories (and part of the Russian Internet). Herein a brief summary of the work done in 2022 to help defend Ukrainians during this illegal invasion.


The Digital Security Helpline was conceived in late spring and launched in partnership with Internews Ukraine in November. It is the first national digital security helpline in Ukraine (and possibly the world) tasked with responding to any and all questions from the public relating to cyber security. The rationale behind the helpline was to offer immediate and easy-to-understand solutions for the many problems and questions people have in relation to their device and communications safety. By and large, most of them cannot afford the time and mental space to read long manuals and attend webinars in order to understand the whole security landscape. They just need answers, and in a war-time setting these answers often have a direct impact on their personal well-being and safety. We assembled and trained a dedicated team of helpline support staff and digital experts, stood up systems to document and respond to incoming requests and compiled a growing database of security FAQs on the Nadiyno website.

Launch event, with Internews, eQualitie and Ministry of Digital Transformation. November 2022

We have also conducted eight digital security webinars reaching 1027 participants, including 202 civil servants from the Cabinet of Ministers of Ukraine (the central body of the Ukrainian Government). Civil servants participated in two tailored webinars by eQualitie on the basics of digital security and the identification of phishing attacks, one of the major cyber threats against individuals in Ukraine.


In the first weeks of the conflict, eQualitie launched a decentralized communications network in Ukraine to support local area emergency communications in the case of Internet shutdowns caused by military activity. A federated network of 10 servers was set up in 9 Ukrainian cities: Kyiv, Kharkiv, Odesa, Rivne, Lviv, Kherson, Mykolaiv, Poltava, and Khmelnytskyi enabling secure chat for Ukrainian users using the Matrix/Element platform and micro-blogging on the Mastodon social network. eQualitie published several easy-to-follow guides on using these new services in Ukrainian and introduced content moderation and network administration capacity to ensure smooth operations in a very difficult climate.

As of December 2022, more than 1100 users are running their own instances of Mastodon on this platform to communicate with each other and millions of other users from hundreds of federated instances worldwide. The Kyiv instance is already the second biggest Mastodon platform in Ukraine. Hundreds of rooms and thousands of users are communicating on the Matrix network every day.


eQualitie protects over a hundred Ukrainian media and CSO websites from DDoS attacks on the Deflect network. Since the beginning of the conflict, an additional 60 Ukrainian websites have been onboarded, bringing a daily audience of over half a million people Ukraine. Deflect protects the websites of key Ukrainian human rights organizations, including the 2022 Nobel prize laureate – the Center for Civil Liberties.

The eQualitie team mitigates DDoS attacks against Ukrainian websites on a daily basis. Ukrainian newsrooms which provide quality reports on the Russia-initiated war against Ukraine become frequent targets of DDoS. One of the regional newsrooms from Zhytomyr, onboarded to Deflect in Aug 2022, has witnessed over twenty significant attacks since then. In just three days between October 27-30, attackers generated 33,3 million malicious hits against the website, albeit to no effect.



The project from eQualitie helps users in temporarily occupied territories to circumvent Internet censorship – part and parcel of Russia’s occupation is that local networks have been re-routed to join the Runet – where website blocking and traffic surveillance is rife. Using the CENO browser, which works using BitTorrent protocols, users can circumvent local network filtering and share contents of retrieved web pages with each other. More than 20 thousand Ukrainian users installed CENO on their Android devices via Google Play market.


SBL 135-12HR battery – part of our ISP Small Grants Program

In December, eQualitie, in partnership with the Ministry of Digital Transformation of Ukraine, DEP, and the Association of “Right Owners and Providers of Content”, supplied 29 Ukrainian ISPs with 172 SBL 135-12HR batteries to power the providers’ fibre optic network during power outages. This batch with a total capacity of 20,640 Amps or 247 kWh as a cargo weighing 6,600 kg was delivered to Ukraine and distributed among local ISPs based on the need assessment, conducted by the Ministry and eQualitie. More information in our previous post.


These actions are but a small drop in the ocean of foreign support offered and still needed to sustain the Ukrainian people through the arduous and violent conflict inflicted upon them. A lot more work remains to be done in 2023 and we aim to continue the pace and breadth of our interventions. This project is realized with support from Global Affairs Canada and the Canadian taxpayers.

You can download a presentation of our Ukrainian focused projects here or check out the video presentation given at the International Cyber-security Forum (FIC) 2022 in Montreal.


Keeping Ukrainians online during electricity outages

Montreal, Canada
December 26, 2022
Press release

Canadian support from eQualitie allows hundreds of thousands of Internet users in Ukraine to stay connected

Canadian Technology Organization eQualitie, in partnership with the Ministry of Digital Transformation of Ukraine, DEPS UA, and the Association of “Right Owners and Providers of Content”, supplied 29 Ukrainian ISPs with 172 SBL 135-12HR batteries to power the providers’ fiber optic network during power outages.

A cargo weighing 6,600 kg arrived in Ukraine as humanitarian aid from Poland, where eQualitie purchased a series of batteries donated for Ukrainian ISPs. Each battery, weighing 38 kg, will be installed on the fibre optic and distribution networks of local Internet providers, allowing them to power their networks for an additional 10-12 hours through the electricity outages. This batch of donations has a total capacity of 20,640 Amps or 247 kWh – helping more Ukrainians access the Internet without interruption.

Distribution of batteries is based on a needs assessment conducted by eQualitie together with the Ministry of Digital Transformation of Ukraine. The stated needs were to bring batteries for regions most affected by Russian aggression – Chernihiv, Kyiv, Kharkiv, Donetsk, Zhytomyr, Sumy, etc.

This support became possible due to the efforts and commitments of the Canadian government, taking place within the framework of the project “Digital Emergency Support of Civil Society in Ukraine”, implemented by eQualitie together with the NGO “Internews Ukraine”. Internet Service Providers are among the project’s key recipients – supporting their efforts in providing Internet and communication services to the public.

“Whilst the Ukrainian Internet has shown great resilience during this conflict, it is essentially another civic utility reliant on electricity. Internet access has provided a communications and an information lifeline for so many over the last eleven months. In the conditions of constant Russian shelling of the critical infrastructure of Ukraine, and as a result – power outages, the work of providers becomes even more difficult. We note the significant efforts of Ukrainian providers to restore the infrastructure damaged during the war in order and hope that our small contribution will allow hundreds of thousands of people get reliable access to the Internet,” notes Dmitri Vitaliev, eQualitie’s director.

With the first shipment of batteries, eQualitie joins the international campaign “Keep Ukraine Connected” by NOG Alliance as an initiative of international assistance with equipment for Ukrainian ISPs. In January, eQualitie plans to purchase and bring additional batteries to Ukraine.

Beyond the supply of batteries, in Ukraine eQualitie protects the websites of Ukrainian media and CSOs from DDoS attacks by means of its own infrastructure called Also, the organization helps users in the temporarily occupied territories access a free Internet, with the CENO browser software, an Android application that helps them evade Russian censorship. At the very beginning of the conflict, eQualitie launched a decentralized communications project in Ukraine with 10 regional locations for Ukrainian users to chat using the secure Matrix system and communicate on the Mastodon social network.

For media inquiries, please, contact Vitalii Moroz at 

eQualitie creates decentralized internet services in support of a more equal and equitable network. Our solutions are open source, battle proven and developed with our principles in mind. Every day, they enable freedom of association for millions of people online.


Launching the Ukrainian digital security helpline – Nadiyno

On 8th of November 2022, eQualitie and Internews Ukraine are launching – the first national digital security helpline in Ukraine, for responding to any and all questions from the public relating to cyber security. We have assembled and trained a dedicated team of helpline support staff and digital experts, stood up systems to document and respond to incoming requests and compiled a growing database of security FAQs on the Nadiyno website. Requests are accepted and replied to using email, web chat, WhatsApp, Signal, Telegram, and on a Matrix channel.

During wartime, people are under incredible psychological and physical stress. Secure and unimpeded use of digital technology and services, in particular communications, are an essential public need and frequently a lifeline to those in distress. With support from Global Affairs Canada we are launching the Nadiyno helpline for all Ukrainians’ digital security questions. – Dmitri Vitaliev, director of eQualitie.


Please see the announcement from Internews Ukraine for more information on the public launch event in Kyiv. If you would like to aid or contribute to the effort, please contact Kateryna – ktsybenko(at)


eQualitie launches CENO, world’s first decentralized p2p mobile browser

Share the web, peer-to-peer. CENO.

CENO Browser lets anyone access and share information in areas with censored communications

Montreal, May 10, 2022 – eQualitie, developer of open-source and reusable digital security systems, is pleased to announce the public launch of its newest democratization tool, CENO Browser. Short for, CENO is the world’s first mobile browser that is built specifically to side-step current Internet censorship methods. It also enables people to access and share information in and across regions where connectivity has been interrupted or compromised.

CENO uses established technologies in new ways. While the user experience is akin to using a standard mobile browser, CENO operates over a peer-to-peer (p2p) network on the open-source Ouinet library and BitTorrent protocols, allowing it to run reliably where other browsers might not or do not. Because the web content is delivered, cached and decentralized via p2p routing, it cannot be forcibly removed by external agents. Furthermore, CENO is equipped to access and share cached content offline and via local area networks (LANs). CENO’s resiliency makes it ideal for those who need stable access to and sharing capabilities of web information during media censorship events, filtering, attacks, shutdowns, natural disruptions, unrest, conflict and war. CENO’s routing and distribution can also significantly reduce bandwidth consumption and associated costs.

“CENO holds great promise and launches at an opportune time for those engaged in democracy movements and activities,” says Dmitri Vitaliev, founder and director of eQualitie. “It is already helping thousands of civilians, NGOs, investigative journalists and independent media internationally to share information on their mobile devices.”

View the press release in full

Download CENO Browser from the Playstore

The project on Github



eQualitie’s position on the war in Ukraine


Oh bury me, then rise ye up
And break your heavy chains
And water with the tyrants’ blood
The freedom you have gained.
And in the great new family,
The family of the free,
With softly spoken, kindly word
Remember also me.

Testament, Taras Shevchenko, 1845
(translated by John Weir)

For ten years eQualitie has stood firmly in defence of digital human rights. Throughout this time, we strive to create technology and offer services that protect freedom of expression and association online. To help us stay balanced in achieving this mission we have purposely stayed out of politics, debates or public declarations.

But, as the Russian army is invading and destroying Ukrainian cities, killing innocent civilians and hiding the truth from its own population – we choose to stand with Ukrainians who are defending their homes and families. We mourn the lives already lost and the destruction of Ukrainian cities and their cultural heritage. We also choose to stand with Russian anti-war protesters, arrested in their thousands for trying to stop the annihilation of morality in their country. This is an international struggle for human dignity, freedom and the right to life.

To this effect, we have launched technical and capacity building efforts focused on supporting Ukrainian civil society and territorial defences, as well as supporting activities in Russia that preserve online communities and those challenging the war efforts. Some of this work has already begun:

Why now? Simply because maintaining our neutrality will not sufficiently address the injustice and undue suffering caused by the Russian government and army on the people of Ukraine.

We believe that Ukraine will win, their people will rise from the ashes of this conflict, stronger in spirit and solidarity. And we will make every effort to help them in this struggle!



Deflect Labs Report #1

Botnet attack analysis covering reporting period February 1 – 29 2016
Deflect protected website –

This report covers attacks against the Kotsubynske independent media news site in Ukraine, in particular during the first two weeks of February 2016. It details the various methods used to bring down the website via distributed denial of service attacks. The attacks were not successful.

General Info

Kotsubynske is a media website online since 2010 created by local journalists and civil society in response to the appropriation and sale of public land (Bylichaniski forest) by local authorities. The website publishes local news, political analysis and exposes corruption scandals in the region. The site registered for Deflect protection during an ongoing series of DDoS attacks late in 2015. The website is entirely in Ukrainian. The website receives on average 80-120 thousands daily hits, primarily from Ukraine, the Netherlands and the United States.



Attack Profile

Beginning on the 1st of February, Deflect notices a rise in hits against this website originating primarily from Vietnamese IPs. This may be a probing attack and it does not succeed. On the 6th of February, over 1,300,000 hits are recorded against this website in a single day. Our botnet defence system bans several botnets, the largest of which comprises just over 500 unique participants (bots).

Using the ‘Timelion’ tool to detect time-series anomalies on the network, such as those caused by DDoS attacks, we notice a significant deviation from the average pattern of visitors to the Kotsubynske website. (On the diagram below, the hit count on the website is in red, the blue line represents a 7-day moving average plus 3 times the standard deviation, and yellow rectangles mark the anomalies.) The fact that the deviation from normal persists over a week (Feb 1 to Feb 8) points to the attack continuing over several incidents. This report attempts to determine whether these separate attacks are related, displays attack characteristics, and makes assumptions about their purpose and origin.



Illustration 1: Timelion graph showing a prolonged attack period between February 1 and 8
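The thresholding described above (a 7-day moving average plus 3 standard deviations), re-implemented in Python as an added example; it is not Deflect's Timelion expression, and the daily hit counts are constructed to resemble the figures in this report. It also shows how a multi-day attack can hide later attack days when flagged days are fed back into the baseline.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample data (not taken from Deflect logs): daily hit counts
# starting 2016-01-25. The first 7 days model normal traffic of roughly
# 80-120 thousand hits per day; several days in early February are elevated.
START = date(2016, 1, 25)
DAILY_HITS = [
    95_000, 102_000, 88_000, 110_000, 97_000, 105_000, 91_000,  # Jan 25-31
    260_000,    # Feb 1
    240_000,    # Feb 2
    230_000,    # Feb 3
    99_000,     # Feb 4
    250_000,    # Feb 5
    1_350_000,  # Feb 6
    112_000,    # Feb 7
    520_000,    # Feb 8
    101_000,    # Feb 9
    94_000,     # Feb 10
]


def detect(hits, window=7, k=3.0, clean_baseline=False):
    """Return indices whose hit count exceeds moving average + k * std.

    The first `window` points are a warm-up period assumed to be attack-free.
    With clean_baseline=False every point is fed back into the moving window,
    as a plain moving average does. With clean_baseline=True, flagged points
    are kept out of the window so an ongoing attack cannot raise its own
    threshold.
    """
    baseline = list(hits[:window])
    flagged = []
    for i in range(window, len(hits)):
        recent = baseline[-window:]
        threshold = mean(recent) + k * pstdev(recent)
        is_anomaly = hits[i] > threshold
        if is_anomaly:
            flagged.append(i)
        if not (clean_baseline and is_anomaly):
            baseline.append(hits[i])
    return flagged


def as_dates(indices):
    """Translate series indices into ISO dates."""
    return [(START + timedelta(days=i)).isoformat() for i in indices]


if __name__ == "__main__":
    print("plain moving window :", as_dates(detect(DAILY_HITS)))
    print("attack-free baseline:", as_dates(detect(DAILY_HITS, clean_baseline=True)))
```

On this sample the plain window flags only Feb 1 and Feb 6, because the first attack day inflates the standard deviation for the following week; the attack-free baseline also flags Feb 2, 3, 5 and 8.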

February 06, 2016 Attack profile

This incident lasted 1h 11min and was the most intensive attack during this period, in terms of hits per minute.

Incident statistics
Listed here is part of the incident statistics that we get from the deflect-labs system. They show the intensity of the attack, the type of the attack (GET/POST/Wordpress/other), targeted URLs, as well as a number of GeoIP and IP details related to the attacker(s):

  • client_request host:””
  • Hits between 24000 and 72000 per minute
  • Total hits for the attack period: 1643581
  • Attack Start: 2016-02-06 13:34:00
  • Attack Stop: 2016-02-06 14:45:00
  • Type of attack: GET attack (bots requested page from website)
  • Targeted URL:
  • Primary botnet request: “”

Illustration 2: Geographic distribution of bots

The majority of hits on this website came from Vietnam, Ukraine, India, Rep of Korea, Brazil, Pakistan. Herewith are the stats for the top five countries starting with the most counts and descending:

| geoip.country_name | Count |
|---|---|
| Vietnam | 817,602 |
| Ukraine | 216,216 |
| India | 121,405 |
| Romania | 70,697 |
| Pakistan | 61,201 |


Cross-incident analysis

We’ve researched three months of incidents on the Kotsubynske website, namely from January to March 2016. We have detected five incidents between February 01 – 08 and present a detailed analysis of botnet characteristics and the similarities between each incident. The point is to figure out if the incidents are related. This may help us define whether the actors behind this attack were common between all incidents. For example, we see relatively few IPs appearing in more than one incident, while each incident shares a similar botnet size and attack pattern.


Illustration 3: GeoIP location of bots over the five recorded incidents


Table 1. Identical IPs across all the incidents

For each incident in sequence, we identify the botnet IPs that re-appeared from a previous attack.

| ID | Incident start | Incident end | Duration | Botnet IPs | Recurring botnet IPs | Attack type | Attack pattern (URL request) |
|---|---|---|---|---|---|---|---|
| 1 | 2016-02-02 12:07:00 | 2016-02-02 12:21:00 | 14 min | 224 | | GET | 163224 hits: /- |
| 2 | 2016-03-02 08:27:00 | 2016-03-02 08:31:00 | 4 min | 120 | 22 | GET | 35991 hits: /- |
| 3 | 2016-05-02 21:10:00 | 2016-05-02 22:00:00 | 50 min | 99 | 0 | GET | 49197 hits: /-; 23 hits: /wp-admin/admin-ajax.php |
| 4 | 2016-06-02 13:34:00 | 2016-06-02 14:45:00 | 1 h 11 min | 484 | 0 | GET | 1557318 hits: /- |
| 5 | 2016-08-02 12:20:00 | 2016-08-02 16:40:00 | 4 h 20 min | 361 | 0 | GET | 392658 hits: /- |


Table 2. Pairs of incidents with significant numbers of identical IPs banned by Deflect

Here we correlate each incident against all other incidents to see whether any common botnet IPs reappear, and present the incident pairs where there is a match.

| Incident ID | Banned IPs | Incident ID | Banned IPs | Recurring IPs | % of recurring botnet IPs in the smaller incident |
|---|---|---|---|---|---|
| 1 | 224 | 2 | 120 | 22 | 18.3% |
| 3 | 99 | 4 | 484 | 15 | 15.2% |
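The pairwise correlation behind Table 2, as an added Python example rather than Deflect's own code. The addresses are constructed from the 198.18.0.0/15 benchmarking range, with set sizes and overlaps chosen to match the tables; the 10% cut-off for a "significant" overlap is an assumption, since the report does not state one.

```python
from ipaddress import ip_address
from itertools import combinations

def recurring_pairs(banned, min_share=0.10):
    """Compare every pair of incidents and keep the pairs whose shared banned
    IPs make up at least min_share of the smaller incident's banned set."""
    rows = []
    for (a, ips_a), (b, ips_b) in combinations(sorted(banned.items()), 2):
        smaller = min(len(ips_a), len(ips_b))
        if smaller == 0:              # an incident with no bans shares nothing
            continue
        shared = len(ips_a & ips_b)
        # Normalising by the smaller set keeps a large botnet from diluting
        # the overlap with a small one.
        if shared / smaller >= min_share:
            rows.append((a, b, shared, round(100 * shared / smaller, 1)))
    return rows

def block(start, size):
    """Constructed addresses: `size` consecutive IPs from 198.18.0.0/15."""
    base = ip_address("198.18.0.0")
    return {str(base + i) for i in range(start, start + size)}

# Constructed ban lists, one set of banned IPs per incident ID.
BANNED = {
    1: block(0, 224),
    2: block(202, 120),    # last 22 addresses of incident 1 reappear
    3: block(1000, 99),
    4: block(1084, 484),   # last 15 addresses of incident 3 reappear
    5: block(5000, 361),   # no overlap with any other incident
}

if __name__ == "__main__":
    for a, b, shared, pct in recurring_pairs(BANNED):
        print(f"incidents {a} and {b}: {shared} recurring IPs ({pct}% of the smaller)")
```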

Analysis of the five attacks shows that very few botnet IPs were reused in subsequent attacks. The presence of any recurring IPs, however, suggests that they either belong to a subnet of the same botnet or are victims whose computers have been infected by more than one botnet malware. Furthermore, each botnet’s geoIP characteristics and behaviour are almost identical. For example, whilst traffic during this period followed the normal trend, both in terms of number of visitors and their geographic distribution, banned IPs were primarily from Vietnam, India, Pakistan and other countries that do not normally access

This is a reliable indicator of malicious traffic and a transnational botnet.

  • 71.1% of banned IPs come from Vietnam, India, Iran, Pakistan, Indonesia, Saudi Arabia, Philippines, Mexico, Turkey, South Korea.
  • 99.9% of banned IPs have identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”.
  • The average hit rate of IPs with the exact identical user agent string is significantly higher: 61.9 hits/minute vs 4.5 hits/minute for all other traffic.
Illustration 4: Banned machines from 'unusual' countries

The user agent (UA) string seems to be identical in all five incidents, when comparing banned and legitimate traffic. In the diagram below, orange represents the identical user agent string, whilst blue represents IPs with other user agent strings. The coloured boxes contain the middle 50% of IPs in each set, and the lines inside the boxes indicate the medians. The markers above and below the boxes indicate the position of the last IP within 1.5 times the height of the box (that is, within 1.5 times the interquartile range).

Illustration 5: Hit rate distribution for the IPs with the same identical user agent string: “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)”

Even though there are not many identical botnet IPs across all of the 5 incidents, the behaviour of botnet IPs from different incidents is very similar. The figure below illustrates some characteristics of the botnet (different colours) in comparison with regular traffic (blue colour).

Scatter plot of sessions in 3-dimensional space:

  • Request interval variance
  • Error rate
  • HTML to image ratio


Report Conclusion

On the 2nd of February, the Kotsubynske website published an article from a meeting of the regional administrative council where it stated that members of the political party ‘New Faces’ were interfering with and trying to sabotage the council’s work on stopping deforestation. The party is headed by the mayor of the nearby town Irpin. Attacks against the website began thereafter.

Considering the scale of attacks often witnessed on the Deflect network, this was neither strong nor sophisticated. Our assumption is that the botnet controller was simply cycling through the various bots (IPs) available to them so as to avoid our detection and banning mechanisms. The identical user agent and attack pattern used throughout the five attacks are an indication to us that a single entity was orchestrating them.

This is the first report of the Deflect Labs initiative. Our aim is to strip away the impunity currently enjoyed by botnet operators the world over and to aid advocacy efforts of our clients. In the near future we will begin profiling and correlating present-day attacks with our three-year backlog and with the work of similarly minded DDoS mitigation efforts.

Training in the Ukraine undertook two missions during the last month to work with independent media workers and aspiring digital security trainers from across the Ukraine. Over one hundred news media workers were trained in secure communications and a very capable group of future trainers were taken through the advanced training so that this valuable knowledge can continue to spread. We are grateful to the organisers for bringing us on board and to all the participants for their attendance. If your organisation is interested in digital security training, please get in contact with us at the address below
