Kyivstar Telecommunications Attack
December 2023
Executive Summary
A Sandworm attack destroyed the core network of Kyivstar, Ukraine's largest mobile operator, which serves approximately 24 million subscribers. The attack wiped network infrastructure and disrupted mobile communications, internet access, and air-raid alert systems across Ukraine for several days during active conflict.
Why This Matters
The Kyivstar attack was the most destructive cyber attack against a telecommunications provider during active conflict, demonstrating ICS-equivalent destructive capability against civilian communication infrastructure and disrupting life-safety warning systems.
Escalation Profile
7-Dimension Profile
Escalation Ladder
Phases
Network pre-positioning
Sandworm established access to Kyivstar's internal infrastructure months before the destructive phase.
Core network destruction
Wiper malware destroyed core network equipment including virtualization infrastructure, rendering the entire mobile network inoperable.
Cascading civilian impact
24 million subscribers lost mobile service; air-raid alert systems disrupted during active Russian missile campaigns; banking systems relying on SMS authentication affected.
Threshold Crossings
- Largest cyber attack on a telecommunications company during an active armed conflict
- Disrupted civilian emergency warning systems during wartime missile campaigns
Restraint Factors
- Attack targeted a single operator, not all Ukrainian telecoms simultaneously
- Service was restored within days through emergency measures
Attribution Assessment
Threat actor mapped to Russia based on infrastructure analysis, malware attribution, and operational patterns.
Evidence: Kyivstar: Statement on cyber attack and service restoration
- Ukraine SBU formal attribution to Sandworm (GRU)
- Allied governments cited Kyivstar in documentation of Russian wartime cyber operations
- Emergency telecommunications support from allied nations
Sources: Ukraine SBU: Sandworm responsible for Kyivstar attack
No dedicated journalistic sources in dataset. See sources section for full references.
“Confirmed” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Unpeace Score
Composite severity rating on the peace–conflict spectrum
Contributing Dimensions
Coercive Function
Destructive
Destruction of data or systems — coercive value through denial, punishment, or deterrence signaling.
Observed coercive effects
- Largest cyber attack on a telecommunications company during an active armed conflict
- Disrupted civilian emergency warning systems during wartime missile campaigns
Entanglement Risk
Sectors affected
Countries / regions
Impact summary
Core mobile network destroyed; 24 million subscribers affected; air-raid alerts and banking disrupted for days.
Infrastructure Meaning
Malware / tooling
Capability profile
Core mobile network destroyed; 24 million subscribers affected; air-raid alerts and banking disrupted for days.
3 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Governance Flags
Norms invoked
- IHL prohibition on targeting civilian communication infrastructure during armed conflict
- UN GGE 2015 norm against damaging critical infrastructure
Policy responses
- Ukraine SBU formal attribution to Sandworm (GRU)
- Allied governments cited Kyivstar in documentation of Russian wartime cyber operations
- Emergency telecommunications support from allied nations
Regulatory changes
- Ukraine accelerated telecom infrastructure resilience and redundancy measures
- Informed EU NIS2 implementation for telecommunications operators
Governance impact assessment
Demonstrated that cyber operations against telecommunications can achieve effects equivalent to kinetic strikes against civilian infrastructure during armed conflict, strengthening the case for applying IHL to wartime cyber operations against civilian communications.
Sources
Ukraine SBU: Sandworm responsible for Kyivstar attack
Kyivstar: Statement on cyber attack and service restoration
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
Viasat KA-SAT
February 2022 · Russia
Viasat KA-SAT was the clearest example yet of cyber attack as an opening act of war, with cross-border collateral damage that forced NATO and the EU to treat satellite infrastructure as a shared security concern.
NotPetya
June 2017 · Russia
NotPetya demonstrated that a cyber weapon aimed at one country can inflict billions in collateral damage worldwide, making it a landmark case for debating proportionality, state responsibility, and the limits of deniability in cyber conflict.
Sony Pictures
November – December 2014 · North Korea
Sony Pictures showed that a state can weaponize cyber operations to coerce a private company and suppress speech, raising urgent questions about where corporate cybersecurity meets national security.
Ukraine Grid I
December 2015 · Russia
Ukraine 2015 was the first confirmed cyber-caused power outage, turning a theoretical risk into an operational reality that reshaped how governments defend energy grids.