Kyivstar Mobile Attack Plunges Millions in Ukraine Into Comms Blackout

Kyivstar, Ukraine's biggest mobile telecom operator, has suffered a cyberattack that took out cell service for more than half of Ukraine's population and cut Internet for millions — as well as knocking offline the emergency air-raid system in the capital region.

Company CEO Oleksandr Komarov, speaking on a Ukrainian news broadcast as reported by Reuters, confirmed the attack on Tuesday, adding that the telco's IT infrastructure is "partially destroyed," and that he has no timeline on restoration.

A source "close to Ukraine's cyber defense" told Reuters that "a lot of Russian controlled traffic [was] directed at these networks," suggesting a distributed denial-of-service (DDoS) attack; the source also confirmed that "there's no ransom. It's all destruction."

In any event, the strike is the most significant to hit Ukrainian communications infrastructure since the Viasat outage that followed Russia's February 2022 invasion. Kyivstar has 24.3 million mobile subscribers and more than 1.1 million home Internet subscribers.

Vodafone, Kyivstar's largest competitor, remains operational.

Another Strike in the Russian State-Sponsored Cyberwar?

During the broadcast, Komarov stressed that the destructive attack is almost certainly meant to support Russia's broader kinetic strikes in the war, though he didn't name a likely culprit.

"War is also happening in cyberspace," he noted. "Unfortunately, we have been hit as a result of this war."

On its Telegram channel, the Russian hacktivist group known as Killnet quickly took responsibility for the attack, but it's a claim that Dan Black, principal analyst at Mandiant Intelligence for Google Cloud, regards with skepticism.

"Previous KillNet operations have not demonstrated capabilities that would allow them to conduct this level of operation," he says via email. "In addition, this claim of responsibility ... was released hours after the operation and does not include any proof, raising the possibility that it is simply an opportunistic claim, rather than a legitimate one."

Nonetheless, Russian-backed cyberattack activity has been a fixture in the Ukraine-Russia conflict since its inception, with activity encompassing everything from espionage to devastating wiper attacks and critical infrastructure targeting. So if not Killnet, one of the other usual advanced persistent threat (APT) suspects could be the perpetrator, according to Nick Tausek, lead security automation architect at Swimlane.

"While the source of this attack remains unconfirmed and under active investigation by Ukrainian authorities, it is likely the result of Russian-allied actors," he says in an email. "Attacks on critical infrastructure such as telecommunications, electricity, and public utilities are a core component of the Russian cyber warfare landscape."