Hackers damaged some infrastructure of Ukraine’s Kyivstar telecom company

KYIV — Ukraine's largest telecom provider, Kyivstar, was gradually resuming operations Wednesday after a major cyberattack damaged some of its systems a day earlier.

The company's cellular network and mobile internet were still out of service. Its mobile app and website were also down. However, Kyivstar managed to restore some of its landline services, and the company said it hoped to get back to normal operations by the end of the day.

CEO Oleksandr Komarov said that at around 5 a.m. on Tuesday, hackers launched the attack on Kyivstar’s core network and managed to destroy some of its functions. The core network of a telecom operator is the central part of its infrastructure responsible for managing and directing communication services.

The company has not detailed the exact nature of the damage, and a technical analysis of the malware used by the attackers is not available.

In an interview with Forbes Ukraine, Komarov said that he suspects the attack was an internal intrusion, but he did not specify what he meant. “There certainly had to be some movement within the network to damage it so badly,” he added.

He called the Kyivstar hack “the largest cyberattack on telecom infrastructure in the world.”

The company and the country's security services deliberately decided to completely turn off the network when they detected the attack.

"The decision was made in real-time ... because every minute meant more destruction,” Komarov said. “It was necessary to do this to reduce the impact, although it was and still is quite large."

Despite some allegations that user data was compromised during the attack, Kyivstar said it has no confirmation that the hackers received any data. The likely goal of the attack, according to Komarov, was to destroy Ukraine's critical infrastructure. The company and Ukraine’s government are still investigating.

So far, two Russia-aligned hacker groups claimed responsibility for the hack — Killnet and Solntsepek. Killnet didn’t provide any evidence of the intrusion. The group is also known for claiming responsibility for attacks conducted by other hackers.

Solntsepek posted several screenshots of Kyivstar systems that it allegedly hacked on its Telegram channel. The group said it “destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage, and backup systems.”

Like many hacker claims, those are hard to verify. Ukraine’s security service (SBU) said on Wednesday that it was aware of the statement of one of the Russian groups and that this group is linked to Russia’s military intelligence service, the GRU. A source within SBU told Recorded Future News that the SBU was referring to Solntsepek.

“We attacked Kyivstar because the company provides communications for the Armed Forces of Ukraine, as well as the country’s state bodies and law enforcement agencies,” the Solntsepek hackers said.

Ukraine, however, claimed that the Kyivstar system failure did not affect the Ukrainian military because it uses different communication systems.

Kyivstar refused to comment on what country might be behind the attack.

The company said that it’s working with the country’s security services, as well as international companies like Microsoft, Cisco, and Ericsson to restore its systems and investigate the attack.