Cyber Incident Victim: Укртелеком
Date: Mar 2022
Location: Ukraine
Summary
A major Ukrainian telecommunications provider experienced the most severe cyberattack since the onset of the Russian invasion, causing nationwide service disruptions and collapsing connectivity to 13% of pre-war levels. The attack, described as "powerful" by the company, prompted a government investigation but initially left uncertainty over whether it involved a DDoS or a more sophisticated intrusion. Service degradation forced temporary restrictions for most private and business users to prioritize military and critical infrastructure connectivity, with restoration efforts beginning after the threat was neutralized. The incident exemplified ongoing cyber threats to Ukrainian telecom infrastructure, though most attacks during the conflict reportedly caused limited operational impact despite frequent targeting of critical sectors.
Description
On March 28, 2022, Ukrtelecom, Ukraine’s largest fixed-line telecommunications provider, suffered a major cyberattack described by Ukrainian officials and internet monitoring groups as the most severe incident of its kind since Russia’s invasion began in February. The attack caused nationwide service disruptions, collapsing Ukrtelecom’s connectivity to 13% of pre-war levels according to NetBlocks data. Victor Zhora, deputy head of Ukraine’s State Service for Special Communications and Information Protection, confirmed a government investigation into the incident but noted initial uncertainty about whether it involved a distributed denial-of-service (DDoS) attack or a more sophisticated intrusion. Ukrtelecom acknowledged the incident only through Facebook responses to customers, attributing outages to a “powerful cyber attack of the enemy” that caused abnormal load and internal system failures. The company’s contact centers and social media channels became nonfunctional during the attack, leaving customers with automated messages promising restoration efforts.

NetBlocks director Alp Toker observed the gradual degradation of Ukrtelecom’s connectivity—a pattern inconsistent with physical infrastructure damage—indicating sustained targeting of the operator’s core systems. The attack persisted for multiple hours with extended nationwide impact, severely limiting the company’s ability to mitigate the disruption. Following containment efforts confirmed by Zhora’s office later that day, Ukrtelecom began restoring services while prioritizing connectivity for Ukraine’s Armed Forces and military formations by temporarily limiting access for most private and business users. This incident occurred amid broader cyber operations against Ukrainian infrastructure, including a prior attack on provider Triolan where hackers reset systems to factory settings. Ukraine’s CERT had documented 60 cyberattacks since the invasion began, with only four targeting telecoms and most causing minimal operational impact. Physical threats compounded these challenges, with telecom engineers routinely repairing bomb-damaged equipment in conflict zones like Kharkiv during the same period.
