Overview
QiAnXin Threat Intelligence Center has observed a recent targeted network attack on Kyivstar, the largest mobile network operator in Ukraine, which caused service outages for users across the country. A pro-Russian hacker group, Solntsepek, has claimed responsibility; Ukrainian investigations are underway, and public reporting suggests a possible connection between that group and the Sandworm APT group. Based on publicly available information, we have compiled the relevant details of the attack and its impact.
Kyivstar Attack Event
(1) Kyivstar Faces Network Attack
On December 12, 2023, Kyivstar, Ukraine's largest mobile network operator, reported a network attack that disrupted its services [1], affecting millions of subscribers and creating risks such as users being unable to receive alerts of potential Russian airstrikes.
Kyivstar's CEO attributed the attack to the ongoing war with Russia and said the infrastructure had been severely damaged, leaving access restricted. To limit the attackers' access, Kyivstar had to physically shut down parts of its infrastructure [1].
NetBlocks observed a sharp drop in Kyivstar's network connectivity on December 12, corroborating the impact of the attack [2].
(2) Russian Hacker Group Claims Responsibility
The specific identity of the attackers is currently unknown, but two hacker groups have made related statements.
On December 12, the pro-Russian hacker group Killnet claimed responsibility for attacks on Ukrainian mobile operators and banks, but it did not name the targeted entities or provide any details or evidence [3].
On December 13, the Russian hacker group Solntsepek claimed full responsibility for the Kyivstar attack and released screenshots of what it said were compromised Kyivstar systems [4]. Of the two claims, Solntsepek's appears more credible, since it names the target and is accompanied by purported evidence.
Solntsepek claimed to have disrupted 10,000 computers and over 4,000 servers. Kyivstar later dismissed these claims as rumors on its official Twitter account [5].
The five screenshots Solntsepek released show various server management interfaces; one shows an Exchange-related hostname under Kyivstar's domain, "excg2019-dgt01.kyivstar.ua". The hostname follows a naming pattern suggestive of an Exchange Server 2019 host, although the screenshots alone do not establish which systems were actually compromised.
(3) Ukraine Initiates Investigation
The specific tactics used by the attackers are currently unknown, but Solntsepek's December 13 statement implies that Kyivstar employees may have been involved in the attack [6].
On December 13, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) issued a notice stating that CERT-UA and the Security Service of Ukraine (SSU) are investigating the attack [7], which blocked essential technical services and caused multiple service outages.
(4) Kyivstar Gradually Restores Services
Kyivstar announced on the night of Tuesday, December 12 that fixed-line telephone services had partially resumed, and that it aimed to restore other services by Wednesday [1].
On the night of December 13, mobile services were restored in some regions of Ukraine while others remained affected [8]. Kyivstar's CEO described the restoration as gradual and cautious because of possible complications.
Impact of the Event
Kyivstar, Ukraine's largest mobile operator, serves over 24.3 million mobile subscribers and over 1.1 million home internet subscribers, more than half of Ukraine's population. The December 12 attack caused multiple service outages, and full recovery was still pending as of the night of December 13.
NetBlocks monitoring data indicate that Kyivstar service was interrupted in every region of Ukraine, with the capital region most severely affected; the outage also disrupted air-raid alert delivery and the banking sector [9].
After a brief recovery on December 13, Kyivstar's connectivity dropped again [10] and remained low [11], indicating continued difficulty in restoring services.
Kyivstar stated that subscribers' personal data was not affected by the attack [12].
Solntsepek stated that its motive was Kyivstar's provision of communication services to the Ukrainian armed forces, government agencies, and law enforcement. Ukraine, however, said that the Kyivstar outage did not affect the Ukrainian military, which uses a separate communications system [13].
Attacker Group Information
Foreign media reports on the Kyivstar attack [14] cite assessments from Ukraine's SSSCIP and Mandiant suggesting a connection between the Solntsepek group and the Sandworm APT group.
References
[1]. https://www.reuters.com/technology/cybersecurity/ukraines-biggest-mobile-operator-suffers-massive-hacker-attack-statement-2023-12-12/
[2]. https://twitter.com/netblocks/status/1734550734824214858
[3]. https://t.me/killnet/23
[4]. https://t.me/s/solntsepekZ/1283
[5]. https://twitter.com/TwiyKyivstar/status/1734885432029028540
[6]. https://understandingwar.org/backgrounder/russian-offensive-campaign-assessment-december-13-2023
[7]. https://cip.gov.ua/en/news/fakhivci-cert-ua-doslidzhuyut-kiberataku-na-merezhu-telekom-operatora-kiyivstar
[8]. https://suspilne.media/638838-mobilna-mereza-kiivstaru-zapracuvala/
[9]. https://twitter.com/netblocks/status/1734609057707888746
[10]. https://twitter.com/netblocks/status/1734673235281600537
[11]. https://twitter.com/netblocks/status/1734931981819895959
[12]. https://twitter.com/TwiyKyivstar/status/1734885428891988191
[13]. https://nv.ua/ukr/sboy-v-rabote-kievstar-ne-povliyal-na-deystviya-ukrainskih-voennyh-suhoputnye-voyska-50375823.html?utm_source=telegram
[14]. https://www.wired.com/story/ukraine-kyivstar-solntsepek-sandworm-gru/