Threat Monitoring Newly Created Ukraine-Related Domain Names
Blog Company Updates Federal Government

Threat Monitoring Newly Created Ukraine-Related Domain Names

As the conflict in Ukraine continues, we at DomainTools have noticed an increase in the number of Ukraine-related domain registrations in the last week. For example, the term “ukraine” showed a sudden jump in the number of domains that included that word starting just as the conflict began.

135 Ukraine domains

As covered in our @SecuritySnacks Twitter account, we have also seen an increase in domains related to Ukraine soliciting donations (often for unnamed recipients), including some domains that are outright forgeries of existing charities, as bad actors look to capitalize on this global event.

In order to help organizations monitor these threats, DomainTools is releasing a new, free feed of newly observed or registered Ukraine-related domain names. This feed will be updated daily, and will contain domains observed either through the DomainTools domain name discovery process or Farsight’s passive DNS data feeds which match on a limited number of Ukraine-related terms. The specific terms we are filtering on are:

  • ‘ukraine’
  • ‘ukrainian’

We may add other terms to this list in the future. If we do, we will announce those publicly. The README file available on the feed website will also contain the full list of terms we used to generate the lists.

Caveats

This feed will be released for a limited period of time. It is important for users of these lists to note that we are doing no analysis to determine if these domains are malicious or benign, and no risk scores are being provided — we are just providing a list of domains.

While we are excited to share this data with the community, this information is provided for free with no warranties or guarantees. Use at your own risk. You may reuse it as you like with attribution back to DomainTools (released under a CC-BY license https://creativecommons.org/licenses/by/4.0/ ).

How to Access the Feed

The feed will be available for download directly from DomainTools at https://ukraine-domains.domaintools.com/.  This location will contain multiple files: one text file per day, with one domain name listed per line in each file. Domain names in the files will not be defanged. We will keep adding a new file each day with the old files remaining in place.