Ukraine's largest telecom operator shut down after cyberattack
This article was updated at 10:40 a.m. EST
KYIV — Ukraine’s largest telecom operator, Kyivstar, got hit by a major cyberattack on Tuesday, leaving millions of people without cell service and internet.
Kyivstar customers began complaining about network and internet outages in the early morning. The company later reported via Facebook that it got hit by a "powerful" cyberattack that led to a "large-scale technical failure." Customers' data hasn't been compromised, the statement said.
Kyivstar's services in Ukraine were still down as of Tuesday afternoon. The company’s CEO, Oleksandr Komarov, said in a video statement that “it is still not completely clear” when the company will restore normal operations.
Ukraine's state cybersecurity agency (SSSCIP) told Recorded Future News that the "relevant services," including Ukraine's computer emergency response team (CERT-UA), are investigating the incident. Kyivstar didn't reply to a request for comment. Its parent company, the Netherlands-based VEON, confirmed in a news release that the incident was a “hacker attack.”
Sources within Kyivstar told several Ukrainian media outlets that hackers breached “a part of the operator's internal systems” and that the company is working to “launch duplicate systems.” The decision to completely shut down the Kyivstar system was made by security forces and the operator in order to "localize" the impact of the attack, one of the sources said.
Ukrainians look for new SIMs
Many Ukrainians chose to switch mobile carriers on Tuesday, rather than wait for Kyivstar services to return.
Ukraine has three major telecom operators: Kyivstar, with 24 million subscribers; Vodafone, with 19 million; and Lifecell with 8.5 million.
Switching to another operator in Ukraine is easy — no contract is needed, and it's relatively cheap (a prepaid SIM card costs about $5). In Ukraine's capital, Kyiv, many people were lining up on Tuesday to buy SIM cards from Vodafone and Lifecell to stay connected.
One Kyiv resident, who was affected by the Kyivstar outage, told Recorded Future News that it was hard to figure out how to switch to another operator at first, but she was happy that it worked out because she needs the cellular network to make phone calls for her work.
Subscribers of Vodafone and Lifecell were complaining that the services were working slowly. Vodafone and Lifecell have Azerbaijani and Turkish owners, respectively.
A Vodafone spokesperson told Recorded Future News that the company saw an increase in new subscribers on Tuesday, while the load on its network increased by 30% and was growing.
“The company's engineers work to maintain network availability for all subscribers in such conditions,” Vodafone said. Vodafone services were not targeted by a cyberattack, but the company said it "keeps an eye" on its systems.
Lifecell said that some of its services, including the website and mobile app, were temporarily down due to the increased load.
Last year, amid blackouts caused by Russian missile strikes, Ukrainian mobile operators introduced a service called "national roaming," allowing subscribers to switch operators when the base transceiver stations (BTS) of others are damaged or disconnected.
However, this service was unavailable on Tuesday for Kyivstar subscribers, probably because the problem was not with BTS but with the core of the operator's network, a Lifecell spokesperson told Forbes Ukraine. Several other sources also alleged that the attack probably affected Kyivstar's core network.
The core network is the central part of the operator’s telecommunications infrastructure. It connects different regions or countries and routes traffic to external networks, such as the internet and cloud services.
The attack on Kyivstar also affected the operations of Ukraine’s largest state-owned bank, PrivatBank. The company said that the work of some of its banks, ATMs, and point-of-sale (POS) terminals used by businesses to process card payments was disrupted because they rely on Kyivstar SIM cards. However, the disruption is not “massive,” the company said.
Another Ukrainian bank, Monobank, suffered a distributed denial-of-service (DDoS) attack on its systems on Tuesday but quickly resolved the incident.
Ruslan Kravchenko, the head of the regional state administration in Kyiv, also warned that the Kyivstar hack had affected the air raid alert systems that notify residents of Russian missile strikes in the region. The outage impacts 75 small towns and settlements in the Kyiv region, but Kravchenko didn’t mention the city itself.
While the alerts system is down, the police and emergency service workers will warn about missile strikes through loudspeakers, he said.
Potential suspect
The hacker group behind those attacks is unknown, but fingers point to Russia. Ukraine’s security service (SBU) told Ukrainian media that it suspects Russian intelligence services.
The SBU opened criminal proceedings over the cyberattack on Kyivstar. Some of the charges include unauthorized interference in the work of information systems, high treason, and sabotage.
Telecom operators and internet providers are attractive targets for hackers from both countries.
Vodafone told Recorded Future News that since the start of the war last February, it recorded over 240 cyberattacks on its systems.
In an October interview with The Record’s Click Here podcast, Illia Vitiuk, head of the cyber department at the SBU, said there had been “a serious attempt to penetrate one of Ukraine’s telecom operators,” but it was stopped.
“This penetration could lead to eavesdropping, listening to phone calls of our people, reading messages,” Vitiuk said. “And if one of [the companies] is out of operation, the other two won't be able to operate because they will be overloaded.”
Last March, Russian hackers disrupted web traffic from major Ukrainian internet service provider Ukrtelecom, causing one of the most widespread internet outages since Russian troops invaded Ukraine.
Russian communication services are also under attack. Ukrainian hacktivists are consistently targeting small internet providers in the occupied parts of Ukraine. In June, a group of previously unknown hackers claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport, which is used by energy companies and the country's defense and security services.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.