FlashREPORT

Ukraine FlashREPORT: Ukraine Kyivstar Network Cyber Attack Disruption

Kyivstar Cyber Attack DEC 2023

Global Network Image

Date: 13 DEC 2023
Analysts: ML,MF

Executive Summary

The cyberattack on Kyivstar, Ukraine's largest telecommunications provider, on December 12, 2023, coinciding with a massive airstrike involving a combination of missiles and drones, represents a complex and concerning escalation in hybrid warfare tactics. This incident highlights the integration of conventional military strikes with cyber warfare, underscoring the evolving nature of modern conflicts.

In the case of Kyivstar, the cyberattack led to significant service disruptions for approximately 25 million users. This impact is particularly critical considering the vital role of telecommunications in disseminating air attack alerts, thereby directly affecting the safety and security of millions of individuals. The decision by Kyivstar's operators to shut down the system to prevent further damage, while necessary, exacerbated the challenge of maintaining effective communication during a time of crisis.

As of December 13, 2023, the situation remains precarious with the roaming network offline and only limited access to landline services. The uncertainty regarding the timeline for full restoration of services adds to the complexity of the situation. While Kyivstar officials have assured that personal data of users has not been compromised, the overall impact of the cyberattack, combined with the physical airstrikes, creates a multifaceted security challenge.

The attribution of the cyberattack is still under investigation. Although a self-proclaimed Pro-Russian 'hacktivist' group has claimed responsibility, Ukrainian officials suggest the involvement of Russian security services. This ambiguity in attribution is a common characteristic of cyber warfare, often leading to challenges in formulating appropriate responses and strategies for prevention and retaliation.

From a risk management perspective, this incident underscores the importance of integrating emergency and contingency communications resources and planning is a critical aspect of risk management, particularly in the context of hybrid threats, as exemplified by the cyberattack on Kyivstar amidst physical military strikes.

For organizations operating in regions with heightened risk profiles, such as Ukraine, a comprehensive approach that integrates cybersecurity with traditional security measures is essential to mitigate the risks associated with such hybrid warfare tactics.

Situation Report

Infrastructure and Utilities

The cyberattack has led to the deprivation of internet, navigation, communication, and ATM services for more than 25 million Ukrainian citizens. Although it is reported to have no direct impact on the military, the compromise of public safety is evident as Kyivstar, responsible for disseminating Air Attack Alerts to a significant portion of the population, faces disruptions. Business and financial hubs have reported substantial service disruptions owing to internet outages and communication restrictions, with some banks noting a loss of ATM services. 

National and International Response

Ukraine's state cybersecurity agency (SSSCIP) stated  that "relevant services," including Ukraine's computer emergency response team (CERT-UA), are actively investigating the incident. Kyivstar parent company, Netherlands-based VEON, confirmed in a news release that the incident was indeed a "hacker attack." and confirmed that they are working with international law  enforcement agencies to identify those responsible for the attack. 

Kyivstar CEO  confirmed that hackers had penetrated "a part of the operator's internal systems." The company is working to implement "duplicate systems" to address the breach. The decision to completely shut down the Kyivstar system was a collaborative effort between Ukrainian security forces and the operator, aimed at "localizing" the impact of the cyberattack. Kyivstar hopes to have restored landline services by the end of 13 December with other services restored in the coming days. 

The impact on air attack alarms has been addressed in the short term by the use of loud speakers to relay warnings to the public, however many citizens have been changing to Vodafone to provide alternative connectivity. 

Historic Context

Kyivstar verified that hackers have previously attempted to target the company, but this marks the first instance of them successfully disrupting services. While cyber attacks on Ukrainian infrastructure are a common occurrence, the majority are inconsequential, with services either unaffected or quickly restored.  In the initial stages of the Russian invasion in February 2022, ViaSat experienced a cyber attack that disabled thousands of satellite internet modems throughout Europe, leading to significant communication losses across Ukraine.

Recommendations

In light of the increasing cyber threats in the region, it is imperative for both organizations and individuals who are operating, journeying, or living within the vicinity to exercise heightened vigilance in their digital security measures. This encompasses a comprehensive approach to protecting sensitive data and information resources from potential breaches.

To enhance preparedness, all organizations with operations and personnel in Ukraine are strongly encouraged to rigorously update their existing communication contingency plans. This should include regular reviews and revisions to ensure that emergency protocols are robust and can withstand the challenges posed by cyber threats. Additionally, there is an emphasis on bolstering security awareness across all levels of operation. Personnel should be committed to continuous education and training in cybersecurity best practices, thus fostering a culture of proactive defense against cyber incursions.

In anticipation of possible disruptions to standard communication channels due to cyber attacks, it is advisable to explore and implement alternative communication methods. This could involve investing in satellite communication devices that provide reliable connectivity independent of terrestrial networks. Furthermore, securing additional SIM cards or engaging alternate cellular data providers can offer valuable redundancy. Specifically, acquiring Vodafone SIM cards has been identified as a prudent strategy for maintaining uninterrupted network access. These SIM cards can serve as an effective backup network option, ensuring that communication remains possible even in the event of targeted cyber attacks on primary service providers.

By taking a few of the above precautionary steps, organizations and individuals can significantly mitigate the risk of cyber threats, and conflict-initiated service interruptions, and take steps to ensure the continuity of their operations and personal safety in an increasingly digitally reliant world.

Cyber Safety Guidelines for Personnel

Despite the recent cyber attacks being aimed against national infrastructure, individuals and companies working in Ukraine are advised to continue taking measures to safeguard against cyber attacks and service interruptions and should consider implementing the following cybersecurity measures:

  • Employee Training: Conduct regular cybersecurity awareness training for staff to educate them about potential threats, phishing attacks, and safe online practices. Awareness is often considered the first line of defense in cybersecurity.

  • Use Strong Passwords: Enforce the use of complex, unique passwords for all accounts, and encourage regular password changes.

  • Enable Two-Factor Authentication (2FA): Implement 2FA wherever possible to add an extra layer of security to accounts and systems.

  • Regular Software Updates: Keep all operating systems, applications, and software up-to-date to patch vulnerabilities that could be exploited by attackers. Ensure frequent updates on both mobile and desktop devices.

  • Firewalls and Network Security: Configure firewalls to filter incoming and outgoing traffic, and implement network security measures to monitor and control network access.

  • Install Antivirus Software: Deploy reputable antivirus and anti-malware software to detect and remove malicious threats.

  • Data Encryption: Encrypt sensitive data, both in transit and at rest, to protect it from unauthorized access.

  • Access Control: Limit access to systems and data based on job roles and responsibilities, and promptly revoke access for employees who no longer require it.

  • Backup Data Regularly: Implement a regular backup strategy for critical data to ensure quick recovery in the event of a ransomware attack or data loss.

  • Incident Response Plan: Develop and regularly test an incident response plan to efficiently and effectively respond to a cyber attack, minimizing potential damage.

  • Monitor Network Activity: Use intrusion detection systems and security information and event management (SIEM) tools to monitor network activity for signs of unusual behavior.

  • Secure Wi-Fi Networks: Ensure that Wi-Fi networks are encrypted, use strong passwords, and consider using a separate network for guests.

  • Phishing Awareness: Educate employees about phishing threats, and implement email filtering systems to reduce the likelihood of phishing emails reaching inboxes.

  • Vendor Security: Assess the cybersecurity practices of third-party vendors and partners to ensure they meet security standards and do not pose a risk to your organization.

  • Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in your systems.

  • Use of Robust VPN Service: Implement a robust Virtual Private Network (VPN) service to secure internet connections and protect sensitive data, especially when using public networks.

  • Utilizing Satellite Devices: Consider incorporating satellite communication devices for remote or high-risk areas to ensure continuous communication, especially where traditional networks are unreliable.

  • No-Communications Plan: Establish a no-communications plan to prepare for potential communication blackouts, outlining protocols for maintaining operations and security during such events.

  • Social Engineering Awareness: Train staff to recognize and respond to social engineering attempts, such as pretexting, baiting, and tailgating, to prevent unauthorized access to sensitive information and systems.

By adopting a comprehensive cybersecurity strategy that combines technical solutions, employee training, and proactive measures, organizations can significantly reduce the risk of falling victim to cyber-attacks and be more prepared for temporary and extended communication service interruptions. 

RileySENTINEL

Our RileySENTINAL regional, country and situation reports, developed and provided by Riley Risk resources in strategically positioned locations, provide comprehensive updates and in-depth analysis of high-risk environments and events.

This reporting and analysis support enables our clients to access timely and pertinent on-the-ground information, bolstering their decision-making capabilities in volatile operational contexts. 

Reach out to us today using the engagement meeting link here to learn more about how our risk advisory services can bolster your business operations and help you accomplish more!

© 2023 RileySENTINEL. All rights reserved. No part of this report may be reproduced or transmitted in any form without prior written permission from Riley Risk, Inc.