UPDATE: Ukrainian telco Kyivstar has restored mobile internet services as well as voice services and fixed-broadband internet connectivity after its network was taken down by a massive cyberattack on Tuesday, but full recovery may still be a few weeks away.
In a Facebook post on Saturday, Kyivstar said that mobile internet for all services, including 4G, had been restored, with more than 95% of mobile network base stations in the territory controlled by Ukraine now active and working.
Kyivstar said that international roaming services have also been restored as of Saturday.
Last Thursday, two days after the cyberattack, Kyivstar said it had restored voice service across the country, and that data connectivity on the fixed network is now active and available.
Kyivstar said that it is restoring other services gradually to avoid network congestion and to stabilise operations as they progress. The operator warned that the actual experience of customers will vary depending on various factors.
Kyivstar also advised customers that if their SIM card doesn’t connect with the mobile network, they’ll need to reboot their phone and find the network manually. They should also turn airplane mode on and then off again.
Kyivstar’s parent company Veon said in a statement that it has not yet been able to assess the full financial impact of Tuesday’s cyberattack as restoration of services continues.
According to Reuters, Kyivstar CEO Oleksandr Komarov said on national television Thursday that the operator hopes to have all voice, SMS and mobile data services fully operational by the end of the week. However, he added that restoring all other services could take several weeks.
The cyberattack – believed to be the largest in Ukraine since Russia invaded the country in February 2022 – knocked out services for all of Kyivstar’s 24.3 million mobile subscribers and over 1.1 million home Internet users. The attack also damaged IT infrastructure, silenced air-raid-alert systems in some parts of the country, and made shops unable to process credit card payments.
Whodunit?
Meanwhile, investigations are ongoing as to who is responsible for the cyberattack and how they managed to succeed.
On Wednesday, activist hacker group Solntsepek claimed credit for the cyberattack via Telegram, posting screenshots of stolen data to support their claims. However, the claim has not yet been verified by Ukraine’s Security Service (SBU), which has opened a criminal investigation into the attack.
John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, noted that Solntsepek regularly claims credit for the activity of Sandworm, which cybersecurity experts believe to be a persona fabricated by the GRU (Russia’s foreign military intelligence agency) to publicly launder their operations.
Hultquist said in an email that Sandworm is a preeminent, proven threat to critical infrastructure that has been responsible for the vast majority of all known major disruptive cyberattacks.
“Russian actors like Sandworm have been probing telecommunications and other critical infrastructure in Ukraine since before the invasion began,” he said.
Solntsepek also claimed to have destroyed a large number of computers and servers, but Kyivstar said on Facebook that this was a fake rumour.
Kyivstar also said that the screenshots posted on Telegram were “deliberately collected technological data” and not personal customer data. “We state with all responsibility that your personal data is safe!”
Even so, Yegor Aushev, co-founder of Cyber Unit Technologies, advised all Kyivstar customers to change their passwords at the first opportunity.
“It is not a bad idea to change passwords on the resources you use, if something happens that you don't understand. Data is being compromised regularly. We are in a state of war, including cyberwar,” he told New Voice of Ukraine on Thursday.