Top Ukrainian Mobile Operator Kyivstar Hit by Cyberattack

Ukrainian President Volodymyr Zelenskyy Is in Washington

The Kyivstar logo displayed in Kherson, Ukraine in February 2022 (Image: Shutterstock)

Ukrainian telecom operator Kyivstar was the target of a cyberattack that knocked internet access and mobile communications offline on the same day Ukrainian President Volodymyr Zelenskyy is in Washington to boost the case for additional military aid.

The operator said in a Tuesday post on Facebook that subscribers' personal data appears not to have been compromised. Kyivstar's Netherlands-based parent company said Kyivstar technical teams are working with Ukrainian authorities “to determine the circumstances and consequences of the interference in the Kyivstar network.” Telemetry monitored by internet observer NetBlocks showed that Kyivstar’s connectivity had “collapsed” early on Tuesday morning.

Market analysis firm Telegeography calculated that Kyivstar accounts for roughly half of Ukraine’s mobile subscriber base. Reuters reported that Kyivstar has 24.3 million mobile subscribers and more than 1.1 million home internet subscribers.

In a video statement, company CEO Oleksandr Komarov does not directly attribute the attack to Russian state hackers but suggests that it is likely. “The war with Russia has many dimensions, and one of them is in cyberspace,” he said, according to a translation by the BBC. The news outlet also said the outage had caused air raid sirens in the northeastern city of Sumy to malfunction, leading military authorities to say they would rely on police and emergency personnel for alerts in case of a missile attack. Retail shops throughout the country are unable to process credit payments, and some ATM access to major banks has been disrupted, the Kyiv Post reported.

Self-proclaimed Russian patriotic hacktivist group KillNet appeared to have claimed responsibility for the attack on its Telegram channel, but the assertion was met with skepticism.

“Previous KillNet operations have not demonstrated capabilities that would allow them to conduct this level of operation. In addition, this claim of responsibility does not match that pattern and was released hours after the operation and does not release any ‘proof,’ raising the possibility that it is simply an opportunistic claim, rather than a legitimate one,” said Dan Black, a Mandiant principal analyst. KillNet’s activity to date has mostly been distributed denial-of-service attacks, likely in service of Moscow influence operations (see: KillNet DDoS Attacks Further Moscow’s Psychological Agenda).

Critical infrastructure is a focus area of Russian state hackers in the Kremlin’s ongoing war of invasion against its European neighbor. A Ukrainian government official recently said nearly three-quarters of cyber incidents monitored by the national computer emergency response team this year involved civilian infrastructure.

Threat intelligence suggests that Russia is investing heavily in cyberattacks that could damage the systems underlying critical infrastructure (see: Russian Sandworm Hackers Caused Power Outage in October 2022).

Russian missile and drone attacks against civilian infrastructure have increased in pace with the onset of winter, and U.S. officials warn that Russia could mount offensive actions along the front line. Zelenskyy met with congressional leaders Tuesday morning, after meeting Monday with U.S. military officials and the International Monetary Fund. U.S. President Joe Biden has requested $60 billion in additional aid for Ukraine, but congressional Republicans are conditioning aid on stricter controls on asylum seekers and the American Southwestern border. Zelenskyy is set to meet with Biden on Tuesday afternoon.