Full Report
The shutdown, confirmed by internet monitoring groups NetBlocks, Kentik and Proton VPN, began late Monday and continued into Tuesday, affecting both mobile and fixed-line services. Telephone networks were also disrupted.
Analysis Summary
# Incident Report: Nationwide Internet and Telecommunications Shutdown in Afghanistan
## Executive Summary
Authorities in Afghanistan executed a nationwide shutdown of internet and telecommunications services starting late Monday, continuing into Tuesday, severely disrupting critical infrastructure, including air travel, banking, and essential public services. The incident followed a partial fiber blockade earlier in the month and represented a full cessation of digital connectivity. Response from international bodies, such as the UN, focused on immediate restoration due to severe humanitarian and operational impacts.
## Incident Details
- Discovery Date: Late Monday (Start Date of Nationwide Outage)
- Incident Date: Began late Monday, continued into Tuesday (September 29/30, 2025, based on publication date)
- Affected Organization: Afghanistan's government-controlled national telecommunications infrastructure, affecting all citizens and organizations in the country.
- Sector: Telecommunications, Aviation, Finance, Healthcare, Media.
- Geography: Afghanistan (Nationwide)
## Timeline of Events
### Initial Access
- Date/Time: Began late Monday.
- Vector: State/Government directive to shut down telecommunications infrastructure (not a typical breach vector, but a deliberate operational disruption).
- Details: Complete shutdown of both mobile and fixed-line internet services nationwide. This followed a *partial* disruption earlier in the month where fiber connections were blocked in several provinces.
### Lateral Movement
*Not applicable. This event was a centralized shutdown of infrastructure, not a security intrusion facilitating lateral movement.*
### Data Exfiltration/Impact
- Primary Impact: Complete disruption of digital communications, banking/payment systems, online education, and severely hampered medical care and air travel operations (e.g., Kabul airport deserted). Key government websites went offline, and international news agencies could not reach bureaus.
### Detection & Response
- Detection: Internet monitoring groups (NetBlocks, Kentik, Proton VPN) confirmed the nationwide outage starting late Monday.
- Response Actions: The UN mission (UNAMA) publicly urged authorities to immediately restore services. The UN shifted to using radios and satellite links for limited operations due to the failure of traditional communication methods, including landlines.
## Attack Methodology
- Initial Access: **Infrastructure Disruption/State Action.** Shutdown of backbone and mobile networks, likely via mandated throttling or complete cutoff executed by controlling authorities.
- Persistence: N/A (Intentional policy effect, not malicious actor persistence).
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: N/A
- Impact: **Denial of Service (Nationwide).** Rendering all digital communication and financial platforms unusable.
## Impact Assessment
- Financial: Severe disruption to banking/payment systems and commercial activity.
- Data Breach: No data exfiltration reported; the impact was service availability.
- Operational: Catastrophic operational failures in aviation (airport deserted), medical care, food delivery logistics, and governance.
- Reputational: Significant negative international attention regarding human rights, freedom of speech, and governance stability.
## Indicators of Compromise
- Network Indicators: Complete cessation of BGP announcements and loss of connectivity visibility for Afghanistan's prefixes, as reported by the NetBlocks, Kentik, and Proton VPN monitoring systems.
- File Indicators: N/A
- Behavioral Indicators: Nationwide, uniform failure of mobile and fixed-line connectivity beginning simultaneously.
## Response Actions
- Containment measures: Minimal direct measures against the shutdown mechanism, as the source was governmental. Focus shifted to alternative communication.
- Eradication steps: N/A (Awaiting resolution by authorities).
- Recovery actions: UN shifted to emergency communication methods (radios, satellite links) to maintain essential humanitarian functions.
## Lessons Learned
- Critical infrastructure dependence: The incident highlighted the absolute reliance of modern governance, commerce, and humanitarian aid on persistent internet connectivity.
- Resilience Gap: The event demonstrated an extreme vulnerability when a centralized authority can unilaterally eliminate all digital communication channels, severely affecting disaster response (coinciding with recent earthquakes).
## Recommendations
- For critical/humanitarian organizations operating in high-risk environments: Maintain and drill procedures for non-IP-based communication (e.g., high-frequency radio, dedicated satellite links) as the primary backup for essential command and control.
- Continued monitoring of precursor activities, such as the partial fiber blocks seen earlier in the month, to anticipate full-scale shutdowns.
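As an added example (not part of the report, nor tooling from NetBlocks, Kentik or Proton VPN), the following Python classifies reachability snapshots into the two patterns the report distinguishes, a regional fiber block versus a uniform nationwide cutoff of mobile and fixed-line service, and raises an escalation alert in line with the precursor-monitoring recommendation. Province names, network labels and probe values are constructed assumptions.

```python
# Added example (not from the report): classify reachability probe results as
# "normal", "partial" (regional, precursor-style) or "nationwide", mirroring the
# indicators above. Province names, network labels and values are constructed.
from collections import defaultdict

DOWN_THRESHOLD = 0.2  # share of successful probes below which a network is "down"

# Constructed snapshots: (province, network_type, fraction_of_probes_reachable)
PARTIAL_FIBER_BLOCK = [
    ("Province-A", "fixed", 0.05), ("Province-A", "mobile", 0.92),
    ("Province-B", "fixed", 0.03), ("Province-B", "mobile", 0.88),
    ("Province-C", "fixed", 0.95), ("Province-C", "mobile", 0.90),
]
NATIONWIDE_SHUTDOWN = [
    ("Province-A", "fixed", 0.00), ("Province-A", "mobile", 0.00),
    ("Province-B", "fixed", 0.00), ("Province-B", "mobile", 0.01),
    ("Province-C", "fixed", 0.00), ("Province-C", "mobile", 0.00),
]

def classify_snapshot(snapshot, threshold=DOWN_THRESHOLD):
    """Return (severity, affected_provinces): "nationwide" when every province
    has all network types down, "partial" when any network anywhere is down."""
    by_province = defaultdict(dict)
    for province, net_type, reachable in snapshot:
        by_province[province][net_type] = reachable
    fully_down = sorted(p for p, nets in by_province.items()
                        if all(r < threshold for r in nets.values()))
    any_down = sorted(p for p, nets in by_province.items()
                      if any(r < threshold for r in nets.values()))
    if by_province and len(fully_down) == len(by_province):
        return "nationwide", fully_down
    if any_down:
        return "partial", any_down
    return "normal", []

def escalation_alerts(history):
    """Walk chronological (label, snapshot) pairs: flag a partial outage as a
    possible precursor and a later nationwide outage as escalation, the cue to
    switch to non-IP fallbacks (radio, satellite) before links vanish."""
    alerts, precursor_seen = [], False
    for label, snapshot in history:
        severity, provinces = classify_snapshot(snapshot)
        if severity == "partial":
            precursor_seen = True
            alerts.append(f"{label}: partial outage in {', '.join(provinces)} (possible precursor)")
        elif severity == "nationwide":
            note = "escalation after precursor" if precursor_seen else "no precursor observed"
            alerts.append(f"{label}: nationwide outage ({note}); activate non-IP fallback")
    return alerts
```

In practice the snapshots would be fed from periodic probes against known in-country prefixes per network type; the classification logic is the part worth keeping.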