Ukraine’s national telecommunications provider has been hit by a significant cyber-attack, leading to the “most severe” disruption to internet connectivity in the region since the start of the conflict with Russia.
Ukrtelecom, the country’s biggest provider of fixed internet in terms of geographic coverage, confirmed the incident yesterday and said it is gradually restoring connectivity after successfully mitigating the attack.
The telecommunications provider explained it temporarily restricted access to private users and businesses to ensure internet services to critical infrastructure and armed forces were not interrupted. In a statement, Ukrtelecom’s chief executive Yuriy Kurmaz wrote: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.”
The State Service of Special Communication and Information Protection of Ukraine (SSSCIP), the nation’s technical security and intelligence service, blamed the attack on “the enemy,” Russia. Yuriy Shchygol, head of the SSSCIP, said several cities were lost connectivity last night, including Berdyansk and Melitopol.
Global internet monitor Netblocks reported that the attack was the “most severe” disruption to internet service in Ukraine since the Russian invasion began in late February, with connectivity dropping to 13% of pre-war levels. In a series of tweets, it wrote: “Ukraine’s national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia.”
⚠️ Update: Ukraine's national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure.
— NetBlocks (@netblocks) March 28, 2022
Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia. https://t.co/syej0wABYO
Commenting on the story, Toby Lewis, head of threat analysis at Darktrace, said: “It is no surprise that a major internet provider has been targeted. Interrupting telecommunication infrastructure is an expected practice for a military invasion and carries greater significance in a war being dubbed ‘World War Wired.’
“At this stage, we have minimal details, but the available network activity appears to show a gradual decline in connectivity, rather than a cliff-edge drop typical of DDoS or a ransomware attack at the core of the network. This would suggest a supply chain attack where endpoint devices such as home routers are slowly being taken out. We saw a similar attack on ViaSat that took place on the day of the invasion itself, and previously with the Solarwinds Orion campaign, where the real damage only occurred after updates or malicious configuration changes were pushed out to customers.
“Some of the outages we’re seeing may be a result of the incident response actions taken by Ukrtelecom. The provider is rightly prioritizing critical infrastructure over residential and commercial customers, which is likely to have heavy-handed consequences.”
There are fears this incident may signal an escalation in cyber-activities following the Russian invasion of Ukraine. So far, the cyber-dimension of the conflict has been relatively low-key, revolving around tactics like DDoS attacks and website defacements rather than attempting to take down critical infrastructure services. However, major wiper malware campaigns were found to be targeting government, IT and non-profit organizations across Ukraine in the days before the invasion began.