Cyber Incident Victim: Kyivstar
Date: Dec 2023
Location: Ukraine
Summary
Ukraine's largest mobile operator experienced a major cyberattack that severely disrupted services for millions of subscribers, partially destroyed IT infrastructure, and compromised critical air raid alert systems in multiple regions. The company's CEO attributed the incident to wartime cyber hostilities, with Ukrainian intelligence investigating potential Russian state involvement, while a Russian hacktivist group claimed responsibility without evidence. The attack caused widespread communication outages, impacted banking operations, and was characterized as destructive rather than financially motivated, aligning with broader conflict-related disruption objectives. Services were partially restored within a day, though full recovery efforts continued amid concerns over civilian safety during aerial threats.
Description
On December 12, 2023, Ukraine’s largest mobile operator Kyivstar experienced a major cyberattack described by its CEO Oleksandr Komarov as the most significant since Russia’s full-scale invasion began in February 2022. The attack partially destroyed the company’s IT infrastructure, forcing a physical shutdown of systems to limit further unauthorized access. Services for Kyivstar’s 24.3 million mobile subscribers and 1.1 million home internet users were disrupted nationwide, preventing customers from making calls, accessing the internet, or using satellite navigation. Critical civilian infrastructure was impacted, with air raid alert systems disabled in parts of Kyiv and over 75 surrounding settlements, depriving residents of digital warnings for potential Russian aerial attacks. The outage also affected ATMs and payment terminals operated by major Ukrainian banks PrivatBank and Oschadbank. Concurrently, Ukrainian payment system Monobank reported a separate distributed denial-of-service (DDoS) attack, which it later contained.

Kyivstar initiated immediate containment measures by physically disconnecting systems, with partial restoration of fixed-line services achieved by late December 12. Company technicians worked to fully restore operations by the following day. Ukraine’s SBU intelligence agency launched an investigation into potential Russian state involvement, citing historical patterns of cyber aggression. An unnamed source close to Ukraine’s cyber defense agency attributed the attack to a state actor based on network traffic analysis showing Russian-controlled origins, emphasizing the attack’s destructive intent rather than financial motives. Komarov stated that no customer data was compromised but acknowledged the attack’s operational severity, suggesting possible objectives aligned with wartime disruption, including undermining President Zelenskiy’s diplomatic visit to Washington, exacerbating energy shortages, or demoralizing civilians. Russian hacktivist group Killnet claimed responsibility without substantiating evidence. Parent company Veon confirmed that impact assessments were ongoing and maintained that military communications remained unaffected throughout the incident.
