Inside the fight to fend off hackers at Ukraine’s largest telecom

Ukrainian mobile operator Kyivstar, which provides service to almost 26 million people, is fighting a barrage of Russian cyberattacks.

Inside the fight to fend off hackers at Ukraine’s largest telecom

The operator of Ukraine’s largest mobile phone network is fighting a two-front war: one on the ground and one in cyberspace.

Kyivstar serves around 26 million mobile customers in Ukraine and has been jumping from crisis to crisis since the Russian invasion on Feb. 24.

Russian rockets and other physical attacks have taken out almost 10 percent of its base stations. And in areas that have been taken back from Russian occupation, about 30 percent of the company’s infrastructure — including phone towers and lines — has been damaged, CEO Oleksandr Komarov said in an interview during a visit to Washington.

Meanwhile, phishing attacks attempting to infiltrate company networks have tripled, and attacks aimed at overwhelming company websites with online traffic have doubled, Komarov said. The “signaling channels'' that control routing of phone calls have also been targeted by hackers attempting to steal user data. Smaller Ukrainian companies that supply Kyivstar with equipment have also been attacked by Russian hackers eager to find a weaker link that could lead to an attack on Kyivstar.

"What we see is actually an increase in intensity and capacity — and partially creativity, all these three elements are in place,” Komarov said.

It’s an ongoing fight that shows the diligence required by Kyivstar to defend its critical systems from determined Russian attempts to impact and control communications in Ukraine. It’s also a battle that the U.S. is watching for lessons to protect its own vulnerable infrastructure from potential Russian cyberattacks.

That’s because so far, Kyivstar’s mobile services haven’t been significantly affected, according to Komarov. There have been a few exceptions: Some very important cell towers have been taken down, such as in the town of Mariupol soon after the invasion, and Mariupol is still under Russian occupation. But service across the unoccupied and reclaimed regions of Ukraine has largely kept going, he said.

Komarov said the company has accomplished this by instituting additional security measures (which he declined to detail) that have made it possible for employees to work from occupied territories. And the cyberstrikes haven’t caused any outages because the company’s dozens of IT professionals have been able to fend them off by putting in long hours and diligent monitoring despite increasingly dangerous conditions.

“Ten percent of our employees are working very close to the conflict,” Komarov said. “Somehow it’s based on the willingness of this nation to win.”

But on the cyber front, the company also has benefited from help from the Ukrainian government and private citizen counter-hackers, along with some hard-won experience from fighting off previous cyberattacks.

Komarov said the group known as the “IT Army” — which Ukrainian officials say numbers some 260,000 hackers — has been essential to the company’s defense. Kyivstar’s CIO and a number of other employees are involved in the group, which tries to infiltrate Russia’s critical infrastructure with counterattacks. These cyberstrikes have included attempted attacks to shut down the networks of Russia’s rail and electricity systems and an attack against Moscow’s Stock Exchange that temporarily brought down its website.

“Part of our success is because we are forcing Russians to defense,” Komarov said, noting that the IT Army is “creating this hassle on [the Russian] side, and it’s making them more weak because of this.”

That said, it’s unclear how much of a priority targeting telecommunications is for Russia as it concentrates on gaining and holding ground in Ukraine. But Russia has targeted cell towers and other communications systems in an attempt to control the flow of information out of besieged territories in mostly Eastern and Southern Ukraine. In addition to taking down base stations in Mariupol, Russian forces attacked a television tower in Kyiv in March, temporarily cutting off access for residents to television channels, and attempted to carry out a similar attack on a television tower in Western Ukraine weeks later.

Victor Zhora, the deputy chair of Ukraine’s State Service of Special Communications and Information Protection, a key Ukrainian cyber agency, stressed in an interview that the IT Army has no government connection, but also described the group as invaluable.

“Ukraine doesn't perform any offensive operations and does not coordinate the IT Army, but considering the level of destruction, the level of evil that Russia’s doing in Ukraine, we are grateful to all people that contribute to the weakening of our enemy,” Zhora said.

Zhora pointed to another countrywide effort that has helped Kyivstar and other companies fend off cyberattacks, such as an attack against a Ukrainian energy substation in April that would have turned off the lights for millions. He said that aid from the U.S. and other NATO nations has been invaluable in supporting Ukraine, including U.S. Cyber Command hardening Ukrainian networks against attacks.

Russia has conducted several high-profile cyberattacks on Ukraine, including an attack on energy infrastructure that could have disrupted power for millions of Ukrainians. Russian hackers also temporarily forced government websites offline and disrupted internet access at a key satellite company. But these have been relatively quickly repelled and are far less debilitating than many were expecting when Russia first started its incursion into Ukraine.

Part of that can be attributed to the years prior to the invasion that were spent in the virtual trenches. Ukraine suffered numerous attacks during the years after the Russian invasion of Crimea in 2014, including the NotPetya malware attack by Russian intelligence services that caused widespread outages of critical services in Ukraine, and caused billions of dollars in damages worldwide. More targeted attacks on Ukrainian energy infrastructure by Russia temporarily turned out the lights in parts of Ukraine in 2015 and 2016.

Kyivstar’s biggest incident took place last year before the invasion, when the company was hit by a two terabytes per second attack to overwhelm websites, the largest such “distributed denial of service” attack in the company’s history — and one that approaches the size of a similar cyberattack against Microsoft that last year, believed to be the world’s largest ever, that flooded websites of a Microsoft customer in Asia at 3 terabytes per second.

Kyivstar took steps to improve its cybersecurity following attempted Russian cyberattacks in the years before the invasion, including increasing the number of cyber personnel. The company employs more than 40 cybersecurity professionals now, up from 13 in 2014. Kyivstar also created a program to provide cyber protections to the vendors it contracts with, like help hunting for ways adversaries are trying to get in. The goal has been to become a “hub” for securing companies that don’t have resources on their own to step up cybersecurity, according to Komarov.

“They were painful years but there were lessons learned,” Komarov said. “From my perspective, one of the key factors why we are relatively successful is because it did not start on the 24th.”

U.S. companies simply haven’t had this trial by fire, though they have been on high alert for potential Russian cyberattacks along with other critical infrastructure sectors since the crisis in Ukraine began. Questions remain around whether these companies are prepared to face similar levels of attacks and keep service up and running.

Now, U.S. officials have begun approaching companies like Kyivstar for advice on how to handle Russian cyber aggression.

In July, Komarov was part of a Ukrainian delegation to Washington, D.C. that met with officials at agencies including the State Department on how to increase cooperation at the “business-to-business” level, noting that the “next priority” was creating this channel of dialogue between the U.S. and Ukraine to respond to cyber threats.

“I think we are live feedback for many agencies and for many people from the capital,” Komarov said. “People are rather interested in what we are saying and also in how we see the situation, the development, the risks, and the potential mitigation strategies.”

Cybersecurity and Infrastructure Security Agency Director Jen Easterly told reporters at the DEF CON conference in Las Vegas last month that “I think we can learn a lot by how they have evolved in their capability,” pointing to how Ukraine has fought off Russian cyberattacks.



These lessons will be needed as Russia appears to be changing its tactics on both the battlefield and in cyberspace in response to the unexpectedly strong Ukrainian resistance, such as ramping up attempted phishing email attacks on Ukrainian telecom providers and on public institutions. Those evolving strategies could pose a risk for U.S. companies as well.

“If our partners require some insights, require some advice on building defensive infrastructures, we would love to contribute to this experience and help our partners to remain strong in cyberspace,” Zhora said.