One of the Most Severe Cyberattacks to Date on the Telco Industry: The Attack on Kyivstar.
Author: Dr. Philipp Markert
Recently, Kyivstar, the largest mobile network operator (MNO) in Ukraine, was the victim of a serious cyberattack. This incident disrupted the entire network, affecting millions of users and sending a reminder of the vulnerabilities that MNOs face in times of conflict and war. Here's what is currently known to the public.
Last Tuesday (December 12, 2023), Kyivstar, which serves approximately 24 million people—nearly half of Ukraine's population—was hit by a major cyberattack. The attack left users without cell service and internet access. To put it in perspective, this outage is among the most severe ones ever caused by a cyberattack. Radix Security came across this in their ongoing efforts to analyze cyberattacks on the telecom industry.
In a video statement, the company's CEO, Oleksandr Komarov, revealed that it was "still not completely clear" when the company would manage to restore normal operations. After the attack, people switched operators to stay connected. In Kyiv, they lined up in droves to purchase SIM cards from Vodafone and Lifecell, the two other Ukrainian mobile network operators. This rush, in turn, caused delays to their services.
Interestingly, despite the implementation of a "national roaming" service by the Ukrainian MNOs, Kyivstar subscribers found this service unavailable during the crisis. Introduced last year in response to blackouts from Russian missile strikes, national roaming allows subscribers to switch to another operator when their own operator's base transceiver stations (BTS) are damaged or disconnected. The unavailability of this service during the attack suggests that the issue was not with the BTS, but likely with the core of Kyivstar's network. This theory was supported by a Lifecell spokesperson and several other sources, who concluded that the attack probably affected Kyivstar's core network.
In terms of recovery, the company initially anticipated needing several weeks to fully reinstate its operations. Yet, on Wednesday (December 20, 2023), all services were reported to be running again.
One of the most intriguing aspects of this incident is the method the hackers used to carry out the attack. Reports suggest that the cybercriminals exploited an employee's compromised account. How they gained access to this account is currently the subject of an ongoing investigation.
Regardless of the precise attack vector, this incident shows that wartime significantly intensifies the focus on the telecom industry and demonstrates how dependent society is on mobile networks. Therefore, we should prioritize network hardening as a preventive measure in our industry.
For more information on the Kyivstar cyberattack, please refer to the following sources: The Record, Reuters 1, Reuters 2, Reuters 3.
RSSI
1 year
For such attacks it is quite easy for an attacker to bypass #2FA with #SMS because of several weaknesses:
- Core vulnerabilities because of SS7 that are often neglected, but not only
- #RAN / #Radio vulnerabilities due to poor ciphering such as #A5/1, which is used more than 90% of the time
- Poor #roaming configurations causing non-ciphered communications on mobile networks are unfortunately a common case today.
Several critical networks rely on #SS7 and #GSM, such as any telecom network but also critical systems such as 2FA using SMS and also #ERTMS. #Risk #Cyber #GSMR
While analyzing such attacks with an unclear #MFA bypass, we have to keep in mind these weaknesses that are almost always forgotten in risk management because of too much confidence placed in mobile networks and SMS services.