Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials
Russian hackers used compromised employee credentials to launch the cyber-attack that severely disrupted internet services in Ukraine last week, it has been claimed today.
Kyrylo Honcharuk, CIO of Ukrtelecom, Ukraine’s national telecommunications provider targeted in the attack on March 28, said Russia accessed the account of an employee in a region “recently temporarily” occupied, although the exact location was not disclosed.
Once they gained access, the hackers then tried to disable Ukrtelecom’s equipment and servers to gain control over its network and equipment. There was also an attempt to change the passwords of employees’ accounts and of logins to access equipment and firewalls.
The State Service of Special Communication and Information Protection of Ukraine (SSSCIP), the nation’s technical security and intelligence service, said the attack was detected within 15 minutes, and “Ukrtelecom’s IT specialists immediately took measures to counteract” it.
The service added that the Russian hackers attempted to compromise the credentials of other Ukrtelecom employees in the area. In addition, an attempt to analyze the telecom firm’s infrastructure was prevented by its SOC team, according to SSSCIP.
SSSCIP also revealed that Cisco, Microsoft and ISSP were involved in remediating the incident.
Head of SSSCIP, Viktor Zhora, said: “The promptness of eliminating this threat testifies to the high level of the network’s reliability and to the professionalism of Ukrtelecom’s team.”
The incident led to significant internet outages across Ukraine, with network traffic dropping to 13% of pre-war levels at one stage, according to global internet monitor Netblocks. Ukrtelecom restricted coverage to ensure there was no interruption to services for the armed forces and critical infrastructure. However, services were gradually restored, with full services returning within 15 hours of the initial attack.
The attack may indicate an increase in the targeting of Ukraine’s critical infrastructure as the country’s conflict with Russia approaches six weeks. SSSCIP claimed that 65 cyber-attacks targeted Ukrainian critical infrastructure between March 23 and 29, five times more than in the previous week.
“Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyber-attacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,” commented Honcharuk.