IOTW: Russia-linked cyber attack targets Ukraine’s biggest phone operator

Russian hacktivist group Killnet claimed responsibility for the attack

Michael Hill
12/15/2023

Ukraine’s biggest mobile network operator has suffered a cyber attack connected to its ongoing conflict with Russia. Kyivstar, which has more than half of Ukraine’s population as mobile subscribers, said earlier this week that it had been targeted by a “powerful hacker attack” that knocked out internet access and mobile communications and damaged IT infrastructure. It also disrupted air raid alert systems in parts of Kyiv.

The company’s CEO Oleksandr Komarov said the attack was a result of the war with Russia, reported Reuters. “War is also happening in cyber space. Unfortunately, we have been hit as a result of this war,” he told national television. “(The attack) significantly damaged (our) infrastructure, limited access, we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access.”

Russian hacktivist group Killnet claimed responsibility for the attack via a statement on the Telegram messaging app, but did not provide evidence to support its claims.

Personal data of subscribers not compromised

In a Facebook post, Kyivstar said it was investigating the issue with law enforcement agencies and was “working to eliminate the consequences and restore communications” as soon as possible. The incident has been reported to Ukrainian state services, it added.

“The most important thing is that, as of now, the personal data of subscribers has not been compromised. Our team will definitely compensate those subscribers who had no connection or could not use our services,” the firm said. “Yes, our enemies are cunning. But we are ready to face any challenges, overcome them and continue working for Ukrainians.”

In a post on X (formerly Twitter), internet monitoring company NetBlocks wrote: “The cyber attack on Ukraine’s Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as work continues to restore connectivity.”

Cyber attacks are often geopolitical

“Cyber attacks are geopolitical, there is no doubt about it. When thinking about the theatre of war, communications are always a critical target,” commented Bobby Cornwell, threat detection expert at cyber security company SonicWall. “If an attacker can confuse different parties, it will eventually stir up chaos. Cutting off the cellular phones which are used in the battlefield due to lack of other types of communications, can cause troops to be misinformed/misguided, or vulnerable.”

There’s an overlooked aspect that often escapes many people’s thoughts – access to the telecom infrastructure, he said. “While hacking can dismantle communication networks, what if the hacker’s aim isn’t to disrupt but to camouflage their true goal? Imagine a scenario where a threat actor infiltrates a telecom company’s computer systems with a trojan horse, gaining access to phone telemetry.” Threat actors could exploit compromised phones to pinpoint their location and launch targeted attacks, he added. “This is not far-fetched, it’s an unfortunate reality of an ever-evolving cyber threat landscape.”

Russia’s winter cyber offensive

Russia is upping its cyber offensive, shifting its tactics to target western critical national infrastructure (CNI) and increasing its use of hacktivism, according to new research from cyber security firm Cyjax. The Cyber Winter of Discontent report analyzes the conflict in Ukraine and predicts how Russia may conduct cyber military activity over the coming winter.

It found that Russia is facing a crisis of resources and manpower and, with Ukraine receiving a steady supply of defensive weapons and technology from the West, Russia may struggle to effectively deploy malware against Ukrainian CNI at scale. As such, analysts believe that Russia may turn its attention to more cost-effective tactics outside of the region in an effort to disrupt supply chains and deter the West from supplying its ally.

Cyjax has observed several hacktivist groups increasing in activity, including UserSec, SiegedSec, NoName057, Anonymous Sudan, AnonymousRussia and Killnet. The firm has also detected many pro-Kremlin hacktivist collectives switching their targeting away from Ukraine to attacks on organizations based in Israel and those countries supporting it.

“The West’s support to Ukraine’s cyber defenses has stagnated Russian attacks, putting Russia in a difficult position as it struggles to find resources for a cyber and kinetic attack,” said Roman Faithfull, cyber intelligence lead at Cyjax. “Thus far, Russia’s cyber warfare against Ukraine CNI hasn’t paid off which is why it makes sense that it would turn its attention to western CNI to induce war fatigue and disrupt supply chains.”

This week, the UK’s Joint Committee on the National Security Strategy warned of the catastrophic ransomware risk faced by UK CNI, with the lack of planning for such an incident meaning that the entire country is essentially being held “hostage to fortune.” Earlier this month, an international cyber security advisory from multiple governments accused the Russian FSB of carrying out a spear-phishing campaign against the UK, US and allies.
