Cyber Incident Victim: Triolan
Date:
Feb 2022
Location:
Ukraine
Summary
A major Ukrainian internet provider suffered severe cyber attacks coinciding with the Russian invasion, causing widespread outages by resetting critical networking devices to factory settings and disabling key network nodes. Restoration efforts were hampered by physical infrastructure damage from ongoing bombardment, requiring manual intervention. The provider partially recovered services across multiple cities but faced continued disruptions. These incidents aligned with broader attempts to degrade Ukrainian communications, though resilient infrastructure prevented nationwide blackouts. The attacks aimed to disrupt information flow amid the invasion, while the provider publicly attributed the sabotage to hostile actors and prioritized network recovery despite operational challenges.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Triolan, a major Ukrainian internet service provider, experienced significant cyber attacks coinciding with the onset of Russia's invasion on February 24, 2022, causing severe internet outages across its network. The provider reported another major disruption on March 9, 2022, with attackers resetting internal networking devices to factory settings, disabling key network nodes. Physical restoration efforts were impeded by ongoing Russian bombardment in areas requiring hardware access. Internet monitoring firms, including Kentik and Georgia Tech’s Outage Detection and Analysis Project, confirmed widespread outages affecting multiple regions served by Triolan during these incidents. The company suspended services for one day to verify system functionality while working to restore connectivity. By March 9, Triolan had reactivated approximately 70% of internet nodes in seven cities, including Kyiv, Kharkiv, and Odesa, announcing via Telegram its efforts to fully resume operations despite persistent attacks.
The cyber attacks occurred alongside broader disruptions to Ukrainian telecommunications infrastructure, including multiple outages at Ukrtelecom, another major provider. Triolan attributed the incidents to deliberate attempts to sever communications, labeling them part of the enemy’s strategy to damage infrastructure and isolate civilians. While Russia had conducted distributed denial-of-service (DDoS) attacks against Ukrainian government websites since February 23, these efforts failed to completely disable national internet access due to network resiliency. The bombardment of Kharkiv—where Triolan operates—further complicated recovery by damaging physical infrastructure. Restoration priorities focused on maintaining connectivity for civilian communications and countering Russian disinformation, with the company emphasizing its role in preserving Ukraine’s information warfare capabilities amid ongoing hostilities.