Greynoise's Ukraine Only list

Report DIVD-2022-00014 - Greynoise's Ukraine Only list

Written on 16 Dec 2022 by Gerard Janssen

Case lead: Frank Breedijk
Case file: DIVD-2022-00014

On February 24, 2022, Andrew Morris – founder of cyber security company GreyNoise Intelligence – tweeted about a “free, public, unauthenticated, self-updating feed of all IPs that are exclusively targeting devices geographically located in Ukraine’s IP space with scans, exploits, etc.”

GreyNoise Intelligence is based in Washington DC and analyzes ‘Internet background noise’, in this case, IP addresses targeting ‘honey pots’ based in Ukraine. The DIVD examined the list with IP addresses and found that some of the IP addresses were compromised NAS servers, routers, and AWS instances.

Two waves of activity

Overall the DIVD sent 5698 notifications to owners of the IP addresses that appeared on the list.

GreyNoise stopped updating the API after 1 Aug 2022 and the DIVD closed this case on August 15, 2022.

This case was unusual Therefore DIVD’s ethical commission evaluated the case on October 5, 2022. TIt ruled that this case falls outside the current Code of Conduct (CoC) version because the attacker is more than likely one threat actor. The DIVD has taken the position not to cooperate (offensively) in global conflicts in which the Netherlands is not directly involved.


Date Description
24 Feb 2022 GreyNoise announces their plans to publish a feed of IP’s that target devices geographically located in Ukraine
04 Mar 2022 Case opened
05 Mar 2022 First notifications sent
31 Jul 2022 Last update to Greynoise Ukraine only list
15 Aug 2022 Case closed
05 Oct 2022 Verdict ethical commission