Infrastructure damage reached 40%. During the hour-and-a-half cyberattack, hackers severely damaged the virtual layer of the IT network.
Kyivstar President Oleksandr Komarov announced this at NV’s annual event “Ukraine and the World Ahead 2024.” He compared the cyberattack to the Hamas terrorist attack on Israel.
The president on the attack on Kyivstar
“The first goal was to destroy the infrastructure as much as possible and sow chaos. The destruction of the infrastructure was 40%. The network layer was very much destroyed,” Komarov said.
According to him, the radio fixed network in the field covers tens of thousands of objects, the mobile network covers 15 thousand objects, and the fixed network covers 80 thousand objects throughout Ukraine. Above these is a transit network, and above that is a virtual IT network that manages both services and the corporation.
“The biggest blow was to the virtual layer of the network. A lot of servers were destroyed, a lot of data was erased. The customer database was completely erased. These are not customer profiles, they are internal profiles that help the system,” Komarov said, emphasizing that about a thousand people were involved in the recovery operation.
The version from the experts
Cyber security specialist Konstantin Korsun believes that Kyivstar’s cyber team is highly skilled and that this was a carefully planned operation.
“Such cyber operations are prepared for months (sometimes years), and include social engineering, botnets, expensive highly specialized specialists, even more expensive exploits, and budgets for this class of operations can be in the millions of dollars. That’s why such attacks are an expensive piece of goods, they cannot be massive a priori,” Korsun says.
There are still two unanswered questions:
- Why did the attack take place on December 12 (because Russians like “sacred” dates)?
- Why, having full access to the system’s “core,” did the criminals choose the stupidest of all possible options – total destruction of everything?
A fairly logical explanation was presented by Oleksiy Semenyaka, External Relations Officer at RIPE NCC:
It is known that back in 2013, the software for Kyivstar’s internal accounting systems was developed by the Russian company Peter-Service (now Nexign), which is part of Alisher Usmanov’s holding and actively cooperates with the security forces of the aggressor country.
In 2015, the then owner of Kyivstar, Vimpelcom, planned to switch to Ericsson software, with the expected contract amounting to about $1 billion. But something went wrong, and in 2017, the contract was canceled, with Ericsson paying $350 million in compensation.
In 2021, when Vimpelcom became VEON and its Russian shareholders were sanctioned, negotiations with Ericsson resumed, especially after February 2022. Therefore, when the Kyivstar software developer felt that he was about to be replaced, he used his access to the products he had developed to completely destroy them in the company’s internal networks. Or he transferred this access to his patrons from the FSB-group, who organized a “hacker attack.” And it happened on the 10th anniversary of the company’s cooperation with Kyivstar.
“Observations of this incident at Kyivstar made me suspect that the attackers disrupted both the BSS (customer service) and RAN (radio access network), which are very different systems of the telecom operator,” Semenyaka said. “The BSS of each operator is a special and unique ensemble, in which it is not so much difficult to change something as to navigate it. And its destruction, even partial, is a huge problem for this operator.”
According to him, there is still a possibility that at the time of the incident some of Peter-Service’s systems were still operating at Kyivstar. Of course, they are inaccessible from the outside, but if hackers have already penetrated the perimeter, these elements are within reach. The product has “technological bookmarks” and “service accesses” that allow a third party (in this case, hackers) to gain control over them.
And this may be the answer to how the attackers got inside Kyivstar’s heterogeneous systems: they could have had a lockpick to one of them, and access to the second was provided by the rights of the “escaped” account.