Cyber Incident Victim: Monobank
Date:
Dec 2023
Location:
Ukraine
Summary
Ukraine's largest mobile operator suffered a major cyberattack that partially destroyed its IT infrastructure, causing nationwide service outages and disrupting air raid alert systems critical for civilian safety during wartime. The company's CEO attributed the incident to Russian cyber warfare, with Ukrainian intelligence investigating potential state involvement, while a Russian hacktivist group claimed responsibility without evidence. Concurrently, a leading Ukrainian payment system experienced a separate distributed denial-of-service attack that was successfully mitigated. The telecom outage also temporarily affected banking services, including ATM and card terminal operations at major financial institutions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 12, 2023, Ukraine’s largest mobile operator Kyivstar suffered a massive cyberattack that partially destroyed its IT infrastructure, marking the most significant cyber incident since Russia’s full-scale invasion began in February 2022. The attack disrupted mobile and fixed-line services for Kyivstar’s 24.3 million mobile subscribers and over 1.1 million home internet users, severing critical communications nationwide. CEO Oleksandr Komarov confirmed the operator physically shut down its systems to contain the breach after failing to counter it virtually, describing the incident as a direct consequence of the war with Russia. The outage impaired air raid alert systems in Kyiv and over 75 surrounding settlements, forcing authorities to use loudspeakers for aerial danger notifications. Millions of Ukrainians lost access to mobile alerts warning of potential Russian air assaults, creating immediate safety risks. Vodafone stores saw increased demand as customers sought alternative connectivity, while banking institutions like PrivatBank and Oschadbank reported ATM and terminal disruptions linked to Kyivstar’s downtime.
Concurrently, Ukrainian payment system Monobank experienced a distributed denial-of-service (DDoS) attack, as disclosed by its co-founder via social media. Monobank confirmed the attack was underway but asserted operational control, later announcing successful mitigation. The incident occurred alongside the Kyivstar breach and President Zelenskiy’s visit to Washington, which Komarov suggested might have been a motivating factor for the timing of the attacks. Ukraine’s SBU intelligence agency and a source close to the national cyber defense agency indicated Russian state involvement in the Kyivstar attack, citing traffic patterns consistent with Russian-controlled infrastructure and the purely destructive nature of the intrusion. Killnet, a Russian hacktivist group, claimed responsibility for Kyivstar’s disruption without evidence, though investigators emphasized the attack’s sophistication pointed to state sponsorship. Kyivstar worked with law enforcement and parent company Veon to restore services, partially reinstating fixed-line connectivity by late December 12 while aiming for broader recovery by the following day. No customer data compromise or financial ransom demands were reported in either incident.