Cloudflare not fully backing out of Russia, company says, as tech firms are forced to weigh in

Ukraine's effort to force tech firms out of Russia is turning up mixed results so far.
Ukrainian police officers patrol a street following a shelling in Ukraine's second-biggest city of Kharkiv on March 7, 2022. (Photo by SERGEY BOBOK/AFP via Getty Images)

Cloudflare, a major web infrastructure firm that keeps websites online by protecting them from distributed denial-of-service  attacks, said Monday that it will continue to provide some services within Russia despite several calls to pull out, stating that “Russia needs more Internet access, not less.”

The statement is just the latest example of internet infrastructure firms having to explain how they are approaching business in Russia as that country’s government continues its brutal assault on Ukraine, and the government of Ukraine seeks to isolate Russia from the internet by publicly calling out major tech and web firms with business interests there.

In a statement, Cloudflare CEO Matthew Prince said the company has seen a “dramatic increase in requests from Russian networks to worldwide media, reflecting a desire by ordinary Russian citizens to see world news beyond that provided within Russia.”

The statement detailed the various steps the company has taken to help Ukraine, such as no-cost distributed denial-of-service (DDoS) protection for some organizations there, and said that it is continuing to monitor and update its business practices in accordance with sanctions as they come up. But cutting its services within Russia would “do little to harm the Russian government” and would instead “limit access to information outside the country,” and would be “celebrate[d]” by the Russian government, Prince argued.


DDoS attacks render websites, web services or networks inaccessible, typically by flooding them with bogus traffic. They’re relatively basic in terms of disruptive activity, and don’t require high-level skills or sophistication to pull off.

Another major DDoS mitigation firm, Akamai, said in a statement Monday that it also “maintain our network presence in Russia,” but would suspend all sales efforts in Russia and Belarus, terminate business with state-majority-owned Russian and Belarusian customers, and provide ongoing support for humanitarian needs in Ukraine through its foundation.

The statement noted, twice, that Akamai “stands with the people of Ukraine,” and said that its ongoing work in Russia “supports our global customers … as they endeavor to provide vital and accurate information to all corners of the globe, including to the citizens of Russia.”

The government of Ukraine and others have increasingly called on such firms to pull out of Russia and limit Russian entities’ access to the Internet, while the Russian government has limited access within its borders to Facebook and Twitter, and worked to choke off any independent information about its war. Hacktivists attacking Russia have targeted multiple Russian sites with apparent DDoS attacks — with the encouragement of the Ukrainian government, at times — while the Ukrainian government and organizations there have faced repeated DDoS disruptions in the weeks and days before the invasion, as well as more destructive cyberattacks.

“Cloudflare should not protect Russian web-resources while their tanks and missiles attack our kindergartens,” Mykhailo Fedorov, Ukraine’s minister of digital transformation, tweeted Feb. 28.


Cogent, a major American firm and one of the biggest internet backbone providers carriers in the world, announced Friday it was cutting off its Russian customers effective March 4.

The effect of the Cogent decision wouldn’t kick Russia off the internet, but “as Russia becomes increasingly disconnected from the financial system, Russia’s communication companies may have difficulty paying foreign transit providers for service,” wrote Doug Madory, the directory of internet analysis for netflow company Kentik, adding that the decision was “without precedent in the history of the internet.”

Also Friday, cybersecurity firm SOC Prime issued a statement and started an online petition calling on Cloudflare, Akamai, Amazon Web Services, Imperva and Sucuri to cease DDoS services within Russia.

“Continuing to provide access to these defensive measures, these companies have tacitly chosen a side and should address their rationale for supporting Russia in the face of tight sanctions and strong signals from the majority of industry peers that have chosen to do the right thing,” the company, based in the U.S. but with Ukrainian roots, said in its statement.

Amazon Web Services said Friday it has no data centers, infrastructure or offices in Russia, and said it has “a long-standing policy of not doing business with the Russian government.”


Its customers using AWS in Russia “are companies who are headquartered outside of the country and have some development teams there,” the company said in a statement, adding that if any customer is “using AWS services to threaten, incite, promote, or actively encourage violence, terrorism, or other serious harm to others, they will not be permitted to use our services.”

Imperva has “made the decision to suspend all new sales and operations in Russia and Belarus,” the company said in a statement posted Monday afternoon, and “has given notice to existing customers and deactivated our point of presence in Moscow.” The company added that it is “heartbroken by the escalation of events in Ukraine.”

Sucuri did not respond to a request for comment.

Also on Monday, Cloudflare, CrowdStrike and Ping Identity announced that they were offering free cyber protections to U.S. hospitals and water and power utilities in light of increased risk since the Russian invasion of Ukraine.

After seeing the statements from the companies Monday, Andrii Bezverkhyi, the co-founder and CEO of SOC Prime, told CyberScoop that the companies “continue to actively defend Russian government affiliates through their DDoS services even after issuing their ambiguous statements.”


Bezverkhyi, a member of the Ukrainian incident response team that unpacked the Russia NotPetya attack on Ukraine, added that “those vendors who continue to protect Russian assets from DDoS attacks should immediately cease this support or answer for their rationale.”

Updated 3/7/22: To include statement from Bezverkhyi.

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts