Content:
  1. What happened
  2. Why is this important?
  3. What's next

A major cyberattack brought down key services for millions of Ukrainians on Tuesday after hackers targeted the country's largest mobile operator, Kyivstar. Without telephone or internet access, subscribers reported disruptions to banking services through ATMs as well as public transportation payment systems and business equipment operations.

The carrier later confirmed that the cause of the failure was a powerful hacker attack.

LIGA.net spoke with experts, Ukraine's Security Service (SBU) and the State Special Communications Service to find out the reasons for the cyber attack.

What happened

As a result of the failure on Tuesday morning, Kyivstar subscribers lost the ability to make calls and use the mobile Internet. This also affected the work of businesses: banks (Oschadbank, PRAVEX BANK) warned customers about possible problems with ATMs and kiosks. In Lviv, the failure affected the operation of city lighting, as Lvivsvitlo employees could not turn off the lights. In some cities, the failure of communication led to malfunctions of air raid sirens.

At a meeting with the media, Minister of Infrastructure Oleksandr Kubrakov expressed hope that Kyivstar would restore communication within four to five hours. Subsequently, Kyivstar confirmed that the operator had become the target of a powerful hacker attack. At the same time, the CEO of the company, Oleksandr Komarov, said on national television that the timeline for restoring the network is unclear.

After that, neobank co-founder Oleksandr Horokhovskyi reported a DDoS attack on Monobank, which was quickly repelled.

According to Ukrainian MP Oleksandr Fediyenko, who chairs the Board of the Internet Association of Ukraine, the attack on Kyivstar may have exploited vulnerabilities in the operator's encryption software. He suggested the hackers could have used an encryption mechanism to breach Kyivstar's systems.

Why is this important?

Corporate connectivity was lost on the scale of the whole of Ukraine, says Fediyenko. In his opinion, it is difficult to assess the consequences at this stage, as they can be calculated only once it is understood what exactly failed at Kyivstar and what the losses were.

According to Fediyenko, the aim of the attack was to disrupt Ukrainian communications, steal data and sow chaos. "In my opinion, this is a sufficiently telling story, which points to failures to adequately shore up security perimeters around the mobile networks," the expert said. "All operators in the country should recognize that something like this can happen to them, too, and they should not relax."

The Security Service of Ukraine has opened a criminal investigation into the cyberattack under eight articles of the Criminal Code, according to a comment given to LIGA.net. These are the following articles:

• Art. 361 (unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks);
• Art. 361-1 (creation for the purpose of illegal use, distribution or sale of malicious software or technical means, as well as their distribution or sale);
• Art. 110 (encroachment on the territorial integrity and inviolability of Ukraine);
• Art. 111 (treason);
• Art. 113 (sabotage);
• Art. 437 (planning, preparation, unleashing and waging an aggressive war);
• Art. 438 (violation of laws and customs of war);
• Art. 255 (creation, management of a criminal community or criminal organization, as well as participation in it).

One of the lines of inquiry currently being probed by SBU investigators is that the Russian special services may be behind the hacker attack. Immediately after the incident, an operational-investigative group of the SBU, which is documenting all the circumstances of the attack, went to the company's offices, the report says.

What's next

Fediyenko believes that, taking into account the scale of Kyivstar, restoring the network may take until this evening. "It is necessary to clearly develop the depth of penetration of this attack," says the expert. "It is possible that Kyivstar applied a security protocol by turning off the network on its own. This is a normal practice. The operator can selectively turn off network segments in order to understand which is infected, which should be localized and 'treated'."

The State Special Communications Service agrees that it is too early to draw conclusions. "The investigation of the incident, which caused a technical failure in the operator's work, as a result of which communication and Internet access services are temporarily unavailable, is being conducted by the specialists of the relevant services. Among others, the specialists of the CERT-UA Government Computer Emergency Response Team are involved in this work," the press service of the body told LIGA.net.