My servers block IP addresses that amongst other things attempt port scans.
I have been monitoring the block lists for years.
There used to be a lot of bots from South American countries, there was another time when most of the bots came from Russia or other Eastern bloc countries.
Then forever the bulk seemed to come from China.
Then a strange thing happened. During the Ukranian troubles all of a sudden approximately 80% of the bots were coming out of Ukraine.
I didn't have an answer for why this was occurring. I'd just notice them, scratch my head, shrug my shoulders, light up a cigarette and get back to watching epic fail videos.
But then something interesting happened.
Trump had a 'controversial' phone call with Taiwanese President.
And wouldn't you know, then all, or approximately 90% of the bots started coming out of Taiwanese IP addresses:
So I think I figured out what these trends imply:
When various players and 'states' want 'information' about an area they turn their armies of bots (pwned servers) on to a specific geolocation. Not so long ago Ukraine, now Taiwan.
Vlad: "What's all this Taiwan/Trump bullshit? Find out!"
So the agencies and states turn their bots on the entire Taiwanese network seeking to breech as many systems as possible to hopefully get some inside information.
I'm calling it that the bot scripts do more than simply pwn a vulnerable server but also use the breeched servers to continue scanning international IP addresses and continue to make their pwned server armies bigger.
Unless you can think of a better explanation for these trends?