No doubt the new, unprecedentedly devastating cyberattack on Kyivstar, Ukraine's biggest mobile operator, will become the hottest topic in the cybersecurity domain.
From my point of view, based on the current (very scarce) information, we could assume the following scenarios:
1. The attackers penetrated Kyivstar's network long ago, planted implants that went undiscovered, and have activated them now.
2. They could have used a phishing attack as the initial foothold and then moved deeper into the network by escalating privileges.
3. Given the depth of the attack, we can assume that the attackers had someone among the company staff who, willingly or unwillingly, helped them infect the internal network.
4. The company did not maintain the required security measures. This can be inferred from the fact that the company website has been unavailable for a long time: with correctly maintained backups, bringing the site back to life would have taken a very short time (although a long outage can also mean the operator deliberately kept systems offline while the network was being cleaned).
5. As for the cyberweapon, I would assume that the attackers used some kind of "ransomware-as-a-weapon" like NotPetya, which the Russian attackers used back in 2017 (it encrypts data on the attacked servers with no possibility of restoring the information), or a wiper that simply erases all data from the servers.
More precise conclusions can be drawn once more information is available.
Photo: "Ukraine's top mobile operator hit by biggest cyberattack of war", Reuters.com