Ukraine's Kyivstar Suffers Devastating Cyberattack

What Happened to Kyivstar?

Tuesday, December 12, didn’t start as expected for Ukraine’s Kyivstar—the telco and internet service provider with the most mobile subscribers in the country.

On that day, early in the morning, at around 7.00 AM (GMT+2), Kyivstar posted on Facebook that it experienced a “technical failure.” This incident made the company’s communication and internet services unavailable to customers. In addition, it would soon turn out that it also affected Ukraine’s air raid system, preventing part of the population from receiving timely warnings about air attacks.

A few hours later, just before noon, Kyivstar posted an update, telling its customers that the technical failure resulted from a “powerful” cyberattack. Sometime later, the same day, the internet monitoring services NetBlocks and Cloudflare Radar confirmed that Kyivstar suffered an internet outage.

Temporary service disruption is not an unheard-of phenomenon. An internet blackout that lasts a few minutes or a localized network outage for a few hours can be problematic, but they’re not that severe and uncommon. A connectivity collapse of a top internet provider lingering for days, on the other hand, is a rare occurrence.

As of the time of writing this article, December 19, Kyivstar has managed to bring most of its services back to life but has yet to recover them entirely. That confirms the company’s CEO’s predictions that it might take a whole week to return to normal operations.

For context’s sake, Kyivstar has been around since the nineties and has infrastructure all over Ukraine. Its official website, temporarily unavailable, states that the company has 24.3 million mobile subscribers and over 1.1 million home internet users.

The frustration of Kyivstar’s clients left without mobile, landline, and internet access for days is already tangible, as are the possible business consequences for the company. Some reports say customers have started subscribing to Kyivstar’s biggest competitor, Vodafone.

Kyivstar repeatedly said it would compensate for the customers’ inconvenience once its normal day-to-day operations are back, most probably to prevent a high churn rate and terrible financial losses. VEON, the Dutch-based global digital operator whose part Kyivstar is, stated that it still couldn’t determine the financial consequences of the incident.

Who Stands Behind the Attack?

Two groups took responsibility for the Kyivstar attack: Killnet and Solntsepyok (alternatively spelled Solntsepek).

Killnet is a hacktivist group known for carrying out DDoS attacks. But, based on experts’ claims, its attacks have mostly had insubstantial and short-term effects on targets.

For this reason, John Hultquist from Mandiant—a cybersecurity firm and one of Google’s subsidiaries—expressed doubts about Killnet being the real culprit. He doesn’t believe it has the capacity for such an attack. Besides, this hacktivist group didn’t provide any proof corroborating its responsibility claims, making them even more implausible.

Solntsepyok is a hacker group considered affiliated with Sandworm or a front for it. And Sandworm is one of the most notorious hacker groups ever, believed to be under the aegis of GRU (Glavnoye Razvedyvatelnoye Upravlenie in Russian, which translates as Chief Intelligence Office)—Russia’s military intelligence service. More precisely, Sandworm is identified as the Moscow-based Unit 74455 of Russia’s GRU.

Unlike Killnet, commentators and security pundits are much more willing to accept that Solntsepyok, and by extension Sandworm, is behind the Kyivstar cyberattack.

Andy Greenberg, the senior writer for WIRED and author of the book “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers,” has studied Sandworm for years. He associates this hacker group with multiple grave security incidents, such as the power outages in Ukraine in 2015 and 2016, the NotPetya attacks in 2017, and the 2018 Olympics hack. He believes all of these are state-sponsored cyberattacks.

This last piece of information is crucial to accept as (highly) believable Solntsepyok’s claim that it carried out the Kyivstar attack. In the eyes of security commentators, such as Swimlane’s Nick Tausek, this attack is likely the doing of threat actors associated with Russia. Many, including CERT-UA (Computer Emergency Response Team of Ukraine) and Kyivstar itself, believe this is but one, though devastating, in a series of Russian cyberattacks in a state-sponsored cyberwar against Ukraine.

Also, the Kyivstar attack didn’t seem to have a goal other than full-scale service disablement and sheer infrastructure destruction, which aligns with the argument for a politically motivated cyberattack and Solntsepyok being the probable wrongdoer.

In addition, on Wednesday, December 13, Solntsepyok posted screenshots of, seemingly, Kyivstar’s internal systems on Telegram, providing at least some evidence for the claim that it indeed inflicted damage on Ukraine’s top telecommunications company.

How Was the Attack Carried Out?

Currently, details about the technical aspects of the attack are lacking. The only available information is that the threat actors gained access to internal systems via an employee’s compromised account, through which they deployed detrimental malware.

During the attack, the hackers obliterated a “special directory,” as Kyivstar’s CEO called it. However, Kyivstar denies Solntsepyok’s claims that it destroyed as many as 10,000 computers and 4,000 servers, as well as cloud storage and backup systems. In addition, the company iterated multiple times that no customer information and personal data had been compromised during the attack.

Since Solntsepyok expressed gratitude to “concerned colleagues” at Kyivstar in its Telegram post, implying a Kyivstar insider left the gates open for the attack, the Security Service of Ukraine opened a treason investigation.

We will update this post if more technical details about the Kyivstar attack are revealed.

Carlo De Micheli

Director of Product Marketing

Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.

Zoran Gorgiev

Technical Content Specialist

Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.