Kyivstar Mobile Attack Plunges Millions in Ukraine Into Comms Blackout

The destructive attack, likely carried out by Russian actors, is the biggest hit on the country's basic infrastructure since the beginning of the war.

Kyivstar company shop on Velika Vasilkovskaya street
Source: Igor Golovnov via Alamy Stock Photo

Kyivstar, Ukraine's biggest mobile telecom operator, has suffered a cyberattack that took out cell service for more than half of Ukraine's population and cut Internet for millions — as well as knocking offline the emergency air-raid system in the capital region.

Company CEO Oleksandr Komarov, speaking on a Ukrainian news broadcast as reported by Reuters, confirmed the attack on Tuesday, adding that the telco's IT infrastructure is "partially destroyed," and that he has no timeline on restoration.

A source "close to Ukraine's cyber defense" told Reuters that "a lot of Russian controlled traffic [was] directed at these networks," suggesting a distributed denial-of-service (DDoS) attack; the source also confirmed that "there's no ransom. It's all destruction."

In any event, the strike is the most significant to hit Ukrainian communications infrastructure since the Viasat outage that followed Russia's February 2022 invasion. Kyivstar has 24.3 million mobile subscribers and more than 1.1 million home Internet subscribers.

Vodafone, Kyivstar's largest competitor, remains operational.

Another Strike in the Russian State-Sponsored Cyberwar?

During the broadcast, Komarov stressed that the destructive attack is almost certainly meant to support Russia's broader kinetic strikes in the war, though he didn't name a likely culprit.

"War is also happening in cyberspace," he noted. "Unfortunately, we have been hit as a result of this war."

On its Telegram channel, the Russian hacktivist group known as Killnet quickly took responsibility for the attack, but it's a claim that Dan Black, principal analyst at Mandiant Intelligence for Google Cloud, regards with skepticism.

"Previous KillNet operations have not demonstrated capabilities that would allow them to conduct this level of operation," he says via email. "In addition, this claim of responsibility ... was released hours after the operation and does not include any proof, raising the possibility that it is simply an opportunistic claim, rather than a legitimate one."

Nonetheless, Russian-backed cyberattack activity has been a fixture in the Ukraine-Russia conflict since its inception, with activity encompassing everything from espionage to devastating wiper attacks and critical infrastructure targeting. So if not Killnet, one of the other usual advanced persistent threat (APT) suspects could be the perpetrator, according to Nick Tausek, lead security automation architect at Swimlane.

"While the source of this attack remains unconfirmed and under active investigation by Ukrainian authorities, it is likely the result of Russian-allied actors," he says in an email. "Attacks on critical infrastructure such as telecommunications, electricity, and public utilities are a core component of the Russian cyber warfare landscape."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
