Ukraine’s largest telecommunications provider suffered a major cyber attack Tuesday, the company said, knocking out mobile phone service to millions of people.
Although the apparent attack on Kyivstar did not compromise customer data, mobile communications and access to the internet were down throughout the day, according to a statement the company issued on its Facebook page.
The company has 24.3 million mobile subscribers and more than 1.1 million home internet subscribers, leading to a ripple effect that caused outages and service surges for state institutions and the company’s competitors, “who were not prepared for a significant increase in traffic due to the desire of users to switch to working networks,” Economic Pravda reported Tuesday.
Also Tuesday, the co-founder of Monobank, a Ukrainian mobile bank and payment processor, said the company’s infrastructure suffered a “massive” distributed denial-of-service attack, but that “everything is under control.”
On Wednesday, the hacktivist persona known as Solntsepek claimed responsibility for the incident and offered screenshots to support their claim, according to John Hultquist, Mandiant’s chief analyst. Hultquist added that the group is “a hacktivist persona that regularly claims credit for the activity of the GRU actor best known as Sandworm.”
“If you take an accounting of all the major disruptive cyberattacks we know about, you’d find that Sandworm has been responsible for the vast majority,” Hultquist said. “They are the preeminent, proven threat to critical infrastructure.”
The attacks occurred as Ukrainian President Volodymyr Zelensky met with President Joe Biden and lawmakers in Washington, D.C., on Tuesday, pushing for more funding to sustain the country’s defense. Republicans are holding up further aid for Ukraine in an effort to force Democrats to agree to immigration reforms on the U.S. border with Mexico.
Ukraine’s military intelligence agency on Tuesday announced that it had hacked one of the “key central servers” of Russia’s federal tax service, along with 2,300 regional servers, as well as the Russian IT company Office.ed-it.ru, “completely [eliminating]” configuration files for Russia’s tax system and “a complete destruction of the infrastructure of one of the main state bodies of terrorist russia (sic) and numerous related tax data for a long period.”
Anton Gorelkin, a Russian lawmaker, said on Telegram Tuesday that his “sources” in the Russian government said the “whole story is fiction,” adding that the Ukrainian government spread the story as a means to deflect from the attack on Kyivstar.
The Security Service of Ukraine (SBU) said it had opened criminal proceedings to investigate the attack on Kyivstar, and that “one of the versions currently being investigated by SBU investigators is that the Russian special services may be behind this hacker attack.”
Ukraine’s Prosecutor General on Tuesday called the incident “another stage of cyber aggression” that “led to a failure in the operation of the key services of the mobile operator and, accordingly, to the blocking of services to users,” according to a Google translation.
A representative for the State Special Communications Service of Ukraine, the government body responsible for cyber defense, told reporters midday Tuesday that it was “too early to draw conclusions” as to what happened. The Computer Emergency Response Team (CERT-UA) was also investigating the matter, the representative said.
Kyivstar service remained down late Tuesday, capping a day of confusion for some.
“The situation was unclear, and no one understood what happened because there was no access to the Internet,” Ulia Feniak, a student at the Ivan Franko National University in Lviv, said in a message to CyberScoop. “I’ll be honest, there was a little internal panic in me. And I was sad because I didn’t have a SIM card of another operator.”
Feniak said she was worried about the personal data held by the company, and also said the situation showed “how many devices in Ukraine depend on Kyivstar.” But, she added, she was “proud of the calmness of Kyivstar representatives and the memes on social networks about this situation.”
Yurii Kadirov, another student at the university, told CyberScoop that he woke up Tuesday morning to a call from relatives in Zaporizhzhia — a city near the frontlines in the east of Ukraine — who managed, through their neighbors, to call him on his backup phone, which is on a different provider.
“Kyivstar is the largest mobile operator, so the fact that it stopped working was felt by absolutely everyone,” Kadirov said in an online chat. “Terminals do not work, many stores only accept cash. Something reminded me of the beginning of a full-scale war, but there was no longer that fear. We will endure everything. We have the only way to stop this, so we continue to study and volunteer for the victory of Ukraine!”
Updated Dec. 13, 2023: This article has been updated to include comment from John Hultquist.