For days, the largest Ukrainian telecom provider battled against a telephone and internet outage. This is probably due to an attack by Russian military intelligence.

In recent days, several million subscribers in Ukraine have had their mobile connections disrupted due to a cyber attack.


A hacker attack on Ukraine’s largest mobile phone provider, apparently controlled from Russia, has caused major problems for the population over the last three days. According to the company, most of Kyivstar’s 24 million customers were only able to access the mobile Internet again on Friday morning.

The country is highly digitalized and most services work via mobile phones. There were problems, for example, with the connection to banks and postal services. The system that warns the population of Russian air strikes was also affected: According to a UN report, there were failures in eighty towns. Without a data connection, the warning app on cell phones that run on the Kyivstar network also did not work.

The deputy head of Ukrainian military intelligence Andri Yusov spoke of a “repetition and continuation of terrorist practices against civilian infrastructure” by Russia. The army is less affected because it has other communication channels at the front. The armed forces there rely heavily on the Starlink satellite system. However, it is also clear that the soldiers use civilian networks to communicate with each other and with their relatives.

Military intelligence repeatedly attacks infrastructure

There is no doubt that Russia was responsible for the cyber attack. The Ukrainian cybersecurity agency SSSCIP refers to a claim of responsibility that the Solntsepjok group published on Telegram. Screen recordings posted there are intended to prove the intrusion into Kyivstar’s IT systems. Their authenticity cannot be verified externally.

According to Ukrainian authorities, Solntsepjok is a front organization for the Russian military intelligence service GRU, with connections to the Sandworm cyber unit. When asked, the IT security company Mandiant writes that the Solntsepjok group was probably invented by the GRU in order to conceal operations from the public. Microsoft at least assumes that Solntsepjok and Sandworm work together.

It seems highly plausible that the Sandworm group is behind the attack. This unit of the GRU is notorious for its attacks on civilian infrastructure, especially the power supply. Most of these cyberattacks in Ukraine are carried out by Sandworm.

The attack on Kyivstar’s IT system is likely to be the most serious cyber attack on civilian infrastructure since February 24, 2022. In the first weeks after the Russian invasion, a cyber attack disrupted communication via the Viasat satellite system. The Ukrainians were able to fend off attempts to cut off the power supply.

Hacker attacks without a direct military aim

Of note is a cyber attack on the Ukrainian power grid in autumn 2022, which only recently became public and is also attributed to Sandworm. The attackers managed to switch off the power in several substations. It is not known how many people were affected. That attack occurred at the same time as intense Russian missile attacks on the energy supply. Russia’s goal was to wear down the population in Ukrainian cities. The actions did not have a direct military goal.

The attack on Kyivstar shows a parallel here. A direct military benefit is not apparent. On the other hand, it is clear that it coincides with an intensification of attacks on large Ukrainian cities with rockets, cruise missiles and drones. There have been smaller and larger attacks every night this week. The simultaneous paralysis of the mobile Internet increases uncertainty among the population.

The problems with the air raid warning systems indicate that some of them run digitally via Kyivstar servers. There have also been strange delays in the last few days: the sirens in Kiev only went off after the defense systems had already shot down their targets. However, whether there is a connection with the presence of hackers in the systems remains speculative.

Have the hackers spied on the system before?

Kyivstar’s IT systems were considered well secured. The Ukrainian cybersecurity expert Olexi Baranowski therefore assumes that the preparation took several months. Kyivstar undoubtedly suffered losses as a result of the attack, but the ratio of effort to return hardly adds up for the attackers, if they are connected to the GRU. “Does the attack have an impact on the Ukrainians’ ability to defend themselves? No,” says Baranowski firmly.

Viktor Schora, a former deputy director of the SSSCIP, also asks on X why the Russians damaged the infrastructure instead of spying on Kyivstar’s data in the long term. However, it is not at all certain that the attack was not primarily about espionage.

It is conceivable that the attackers have been in Kyivstar’s IT systems for a long time and have accessed information. They may have activated malware only once technical indications led them to assume that they had been discovered.

Only the technical investigation into the incident will show whether such a scenario is plausible. At least it is known that, according to the Ukrainian secret service SBU, the Sandworm group has repeatedly made attempts to spy on military communications infrastructure and the positions of army units since spring 2023.