After Kyivstar which telco's next?
Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department told Reuters a few days ago that after penetrating and spying from within Kyivstar’s network for several months, the Russian cyber attack on the Ukrainian operator had concluded with major service outages. These, he said, "completely destroyed the core” of Kyivstar's network, wiping "almost everything", including thousands of virtual servers and PCs.
Russia’s army and navy may no longer be revered as they once were, but the attack on Kyivstar reaffirms that Russia’s cyberwarfare units are still world class. Given how Russia outmanoeuvred what were no doubt heavily resourced cyber defences put in place by Kyivstar – likely strongly supported by U.S. and other western cybersecurity experts too – just how implausible is it that another telco in Eastern Europe, the Baltics, the Nordics or even Western Europe will have its own core network “completely destroyed” by Russia in the next 12 months?
Other telcos are only somewhat less vulnerable
Telcos in other countries may be somewhat less vulnerable now than Kyivstar was a year ago. But I suspect the gap in their relative vulnerability is fairly small; I doubt it’s a yawning chasm. However warped, dishonest and deluded it is, Russia’s public justification for its war on Ukraine is that Ukraine is “a threat”. Hence, in Russia’s narrative, cyber operations not just for espionage campaigns and DDoS attacks but for the wholesale destruction of the country’s critical infrastructure are fully “justified”.
Sure, Russia doesn’t currently extend that logic to other countries. But just how much does that reduce the risk to telcos elsewhere in Europe? The key word in the previous sentence is ‘currently’. If the military situation on the ground remains locked in stalemate, Russia could ramp up its offensive cyber operations against other countries very quickly - as a response to internal or external pressures, whether they be real, imagined or knowingly fabricated. If the situation on the ground does change, that too could trigger a rapid change in posture towards other countries. Moreover, that heightened risk is probably much the same, irrespective of whether a change on the ground does or does not favour Russia. In other words, the fact that at this time Russia is “at war” with Ukraine but “not at war” with other European countries does reduce the risk of Kyivstar-like operations elsewhere - but not by all that much.
The SBU stated that the attack may have been rendered somewhat easier by the fact that Kyivstar used “similar infrastructure” to the Russian operator, Beeline. Both telcos were owned by the Dutch holding company, Veon, until last October when Veon sold Beeline to Russia's VimpelCom. It’s not clear from the reporting whether “similar infrastructure” refers to network design and build principles or whether it means the two telcos used the same primary network infrastructure vendor or vendors. In so far as it is significant at all, this may make operators in other countries a little less vulnerable - but again, only a little less.
No evidence of any insider help
Illia Vitiuk stated that there is no clarity at this point as to whether a Kyivstar insider was involved in enabling the attack. An initial bridgehead could just as easily have been achieved via a phishing link or something else, he said. Suppose there was insider involvement. Are politically-motivated individuals loyal to Russia more likely to have penetrated Kyivstar than another telco in another country? Maybe, maybe not. In any case, with enough money, loyalty can be bought anywhere. In terms of susceptibility to insider threats, I doubt there’s much difference between a Ukrainian telco and a German, Belgian or Polish one.
The hope has to be that the ongoing forensic investigation will yield detailed, step by step, evidence of the playbook that Russia used against Kyivstar. Then that intelligence can be quickly shared with cybersecurity leaders in telcos and other critical industries in NATO countries. The fact that so much of Kyivstar’s infrastructure is described by the SBU as having been “wiped” or “destroyed” suggests that arriving at a full picture of exactly what unfolded, how and when, may prove unusually challenging. Even access to an incomplete picture of the attack playbook puts others in a better position to defend themselves now than Kyivstar was a year ago, but again the gap is too small for comfort.
There are a couple of other considerations that should steer others towards recognizing that what is "unthinkable" in Europe need not be unthinkable in Russia. The attack on Kyivstar was executed very effectively, despite a high concentration of leading western cybersecurity experts being focused on defending Ukraine, its telcos and its other critical infrastructure. Since the concentration of those world class resources is bound to be lower in other countries, against this metric telcos in other countries today do not enjoy an advantage compared with Kyivstar a year ago.
Have others already been hacked but don't know it?
The right question, then, is perhaps not whether a telco in another country might be next. Considering that the attack on Kyivstar comprised a spying phase of several months, during which the attackers remained undetected, followed by the wholesale destruction of the operator’s core infrastructure, the bigger question is whether another European telco has already been hacked according to the same playbook but doesn’t even know it yet. I've no idea how likely that is, but I wouldn't think it is entirely unlikely.
However significant it is, even the specific attack playbook that wreaked such damage on Kyivstar and Ukraine’s national security shouldn’t be an all-consuming preoccupation either. Whatever it is that Russia's cyber operations leaders came up with for Kyivstar, they’re entirely capable of mixing up the attack vectors and delivering something that can avoid detection against that playbook.
I’m no expert on Russia, nor on national security matters, nor on cyber forensics. I trust that the right things are being done by the west’s cyber defenders; but I can’t verify. I can, though, offer up this appeal to anyone who works for a European telecom operator, either as an employee, a partner, vendor or other subcontractor: if you’re doing pretty well in terms of your own adherence to cybersecurity guidelines, great, well done, and thank you.
But if you can, maybe see if you can build on that a little: review your own and your colleagues' and partners' conduct and behaviours, and see if you can do just a little bit better too.
ENDS
Join me on June 11th and 12th for HardenStance's annual Telecom Threat Intelligence Summit, a virtual online event. Registration is free with a bona fide business email address. You can register here: https://events.hardenstance.com/
See also HardenStance's June 2022 White Paper: Defending Telecoms Against Nation State Cyber Threats
#kyivstar #kyivstarhack