Prior to the February invasion of Ukraine, commentators and observers had expressed concern that the Russian offensive would involve coordinated IT attacks on key infrastructure throughout the country, including its communication networks. The combined effect of these attacks was predicted to be globally widespread and, crucially, publicly felt. But while there have been reports of cyberattacks on critical infrastructure, mobile networks remain largely active — as shown by the considerable number of videos, calls, and livestreams that continue to originate from across Ukraine.
The ongoing work of Ukrainian mobile network operators (MNOs) and equipment personnel keeping cell towers and supporting critical infrastructure connected and powered continues to be critical. Mobile networks have stayed functional for far longer than expected, sometimes in areas suffering destructive and ongoing strikes targeting underground fiber and cell towers, as well as power outages.
Since the annexation of Crimea in 2014, the Ukrainian MNO community has taken proactive steps to both defend networks in the country and ensure their resilience. This has been vital in a country that is geographically vast, with an extensive rural population, and yet Ukraine has around 130% mobile penetration.
When the invasion began, the Ukrainian Telecom regulator (NKRZI) decided to allocate additional 3G and 4G frequency bands for the three main operators, nominally to provide more capacity where it was expected people would flee (Western border areas), but the frequency increase was implemented countrywide.
In addition, Ukrainian MNOs and Ukrtelecom made the coordinated decision not to suspend any account if the subscriber ran out of credit, meaning everyone could stay in contact even if they were in a position or situation where they could not obtain any additional credit.
Finally, all three main Ukrainian MNOs suspended all inbound roamers from Russia and Belarus. This was an unprecedented move — no country has ever blocked all users from neighboring countries with which it had existing roaming agreements. Immediately, mobile subscribers from Russian and Belarusian networks could not roam onto Ukrainian networks.
Mobile telecom security affected the battlefield as well in mid-March. Ukraine’s security services announced the capture of a SIM box that was being used as a voice-call relay from Russian forces' leadership in Ukraine, as well as to send text messages locally. This is an example of the use of Ukraine's mobile networks by invading forces, and the ongoing battle to detect and secure them.
Specifically, the SIM box made anonymous phone calls from Russia to the invaders’ mobile phones in Ukraine. The box also sent SMS messages to Ukrainian security officers and civil servants with proposals to surrender and defect, and was also used to pass commands and instructions to Russian forces.
Up to 1,000 calls a day were routed through this system, many from the Russian army's senior leadership. Its setup, consisting of a commercial, off-the-shelf Hypertone SIMBank, several GSM gateways, and control software, was used to relay calls made from phones within Ukraine to IP, in order to send them back to Russian addresses. This system looks to have been designed to avoid call interception by trying to blend in, i.e., by dialing in-country only, and then using IP to bypass the blocks on outbound calling to Russia.
Mobile Security Decisions
Specific mobile network security decisions and actions have also been made by the Ukrainian MNO community, regulator, and security services. While many have not been made public, they include:
- A recommendation to block 642 ASs (autonomous systems) of the "RuNet," the Russian Internet, which together cover 48 million IP addresses, preventing cyberattacks or information disseminated from these sources over both fixed line and mobile networks.
- Blocking the receipt of all inbound SMSes from Russia and Belarus, preventing spam or fake information from mobile networks in these countries.
- Ongoing psyops that use texts to target Russian soldiers in possession of Ukrainian SIMs. Those that have been identified are messaged, encouraging them to defect and/or surrender.
- Ongoing search for other malicious telecom equipment. One example was the detection and seizure of a "network of bot farms located in the largest cities of Ukraine, including: Kyiv, Dnipro, Odesa, Vinnytsia." These SIM boxes sent SMS messages aimed at fostering enmity within the Hungarian minority in Ukraine. Another detection by the SBU was five bot farms, where SIM boxes comprising over 100 SIM gateways used social networks to spread misinformation.
There are multiple moves that MNOs and the state can take when preparing for any conflict that may involve the targeting of telecom networks. It is vital that plans and techniques be coordinated and in place prior to any situation in which they might be enacted. In Ukraine the operators and regulators have been instrumental in coordinating and preparing their mobile networks to the position where they are today — a much stronger position than many had expected before the conflict.