Shodan Showdown: Using Shodan & Censys for Threat Intel in the Russia-Ukraine Conflict
Introduction
The ongoing Russia-Ukraine conflict has demonstrated how cyberwarfare plays an increasingly pivotal role in modern geopolitical struggles. Cybersecurity professionals and intelligence analysts must stay ahead by leveraging open-source intelligence (OSINT) tools such as Shodan and Censys. These tools provide insights into exposed internet-connected infrastructure, revealing security vulnerabilities that could be exploited in cyber operations.
In this post, we’ll examine how Shodan and Censys can aid in conflict monitoring, compare their effectiveness, and explore the DEFCON 205 “Shodan Showdown” contest that challenges cybersecurity practitioners to discover the most publicly accessible systems on the internet.
The Role of Shodan and Censys in Conflict Monitoring
Shodan and Censys are powerful search engines that index internet-facing devices and services, making them valuable for monitoring critical infrastructure in war zones. Here’s how they help in cyber threat intelligence (CTI):
Identifying Exposed Critical Infrastructure
Both platforms allow researchers to discover vulnerable systems in Ukraine and Russia, such as:
- Industrial Control Systems (ICS) – Power grids, water treatment plants, and oil refineries exposed on the internet.
- Government Networks – Misconfigured or insecure .gov and .mil domains.
- Communication Systems – Satellite links, routers, and emergency broadcasting stations.
For example, querying Shodan for port:502 country:RU reveals exposed Modbus systems, which are commonly used in SCADA (Supervisory Control and Data Acquisition) networks that control industrial processes.
Monitoring Shifts in the Digital Environment
Since the start of the conflict, researchers have noticed large portions of the Russian internet disappearing from Shodan and Censys. This is likely due to:
- Increased government censorship (e.g., Russia isolating its internet infrastructure).
- Massive firewall rule changes to prevent OSINT researchers from tracking their networks.
- Cyber operations by hacktivist groups disrupting online services.
By continuously tracking these changes, analysts can infer when major cyber defense strategies are being deployed or anticipate upcoming cyberattacks.
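One way to track the shifts described above, shown as an added example that is not from the original post: compare each day's per-port result counts for a saved query against the median of the preceding days and flag large moves. The function name, window, threshold, and all counts are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample data: per-port result counts for one saved query,
# recorded once per day. Every number here is invented for illustration.
SNAPSHOTS = [
    ("day-1", {22: 410_000, 3389: 96_000, 502: 1_900}),
    ("day-2", {22: 405_000, 3389: 97_500, 502: 1_950}),
    ("day-3", {22: 412_000, 3389: 95_000, 502: 1_880}),
    ("day-4", {22: 408_000, 3389: 94_000, 502: 1_910}),
    ("day-5", {22: 399_000, 3389: 41_000, 502: 1_900}),
    ("day-6", {22: 401_000, 3389: 39_500}),  # port 502 absent: zero results
]


def detect_shifts(snapshots, window=3, threshold=0.5):
    """Flag ports whose count moves by at least `threshold` (a fraction)
    relative to the median of the previous `window` snapshots.

    Returns (label, port, baseline, current, change) tuples. `change` is
    None when a port appears with no prior baseline.
    """
    alerts = []
    for i in range(window, len(snapshots)):
        label, current = snapshots[i]
        history = [counts for _, counts in snapshots[i - window:i]]
        # A port missing from a snapshot counts as zero results.
        ports = set(current).union(*history)
        for port in sorted(ports):
            baseline = median(c.get(port, 0) for c in history)
            now = current.get(port, 0)
            if baseline == 0:
                if now > 0:  # newly visible, relative change undefined
                    alerts.append((label, port, 0, now, None))
                continue
            change = (now - baseline) / baseline
            if abs(change) >= threshold:
                alerts.append((label, port, baseline, now, round(change, 2)))
    return alerts


if __name__ == "__main__":
    for label, port, base, now, change in detect_shifts(SNAPSHOTS):
        print(f"{label}: port {port} baseline={base} now={now} change={change}")
```

Using the median rather than the previous day's value keeps a single noisy scan from triggering an alert or hiding a sustained drop.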
Comparative Analysis: Shodan vs. Censys
While both tools index internet-facing devices, they have key differences that make them suitable for different cybersecurity applications.
| Feature | Shodan | Censys |
|---|---|---|
| Data Freshness | Scans devices regularly, but may have outdated results. | More frequent scanning, better for real-time monitoring. |
| Search Power | Easier for beginners with simple filters. | More advanced filtering with structured queries. |
| Coverage | Better at finding IoT and consumer devices. | Stronger at identifying enterprise-level systems. |
Real-World Example
What would we like to query? How about SSH servers and Microsoft Remote Desktop Protocol servers in the Russian Federation?
A country-wide search on Shodan could use:
country:RU port:22,3389
The same query on Censys would look like this:
location.country: "Russia" and services.port: {3389, 22}
Using Shodan's Map Feature
Both Censys and Shodan have diagnostic queries that make it possible to analyze devices that have been hooked up to the open internet, but Shodan's Map feature can provide additional context. One can look for border towns such as Belgorod and Kursk.

DEFCON 205’s “Shodan Showdown”
DEFCON 205 is Birmingham’s official DEFCON hacking group, dedicated to ethical hacking and security research. The group recently hosted the “Shodan Showdown”, a competition where participants were challenged to:
- Find the most interesting publicly accessible system using Shodan.
- Document its security risks and potential attack vectors.
- Report their findings in a responsible way, if possible.
Key Takeaways from the Contest:
What did DC205 Find?
Findings were primarily in three groups:
- Some publicly exposed medical devices running outdated software.
- Misconfigured routers with default credentials.
- Unsecured security cameras broadcasting video feeds in real-time.
Why does this matter? Events like the Shodan Showdown bring together security professionals and researchers to hone their OSINT skills, raise awareness of critical cybersecurity risks, and promote responsible disclosure practices.