Exclusive: Russian hackers have been inside the Ukrainian telecom giant for months


© Reuters. FILE PHOTO: A woman walks past the store of Ukrainian telecommunications company Kyivstar amid Russian attacks on Ukraine, December 12, 2023 in Kiev, Ukraine. REUTERS/Alina Smutko/file photo

Tom Balmforth

LONDON (Reuters) – Russian hackers have been inside the systems of Ukrainian telecoms giant Kyivstar since at least May last year and the cyberattack should serve as a “big warning” to the West, the head of Ukraine’s cyber espionage told Reuters.

The hack, one of the most dramatic since Russia’s full-scale invasion nearly two years ago, disrupted services provided by Ukraine’s largest telecom operator to about 24 million users for several days starting December 12.

In an interview, Illia Vitiuk, head of the Cybersecurity Department of the Security Service of Ukraine (SBU), revealed exclusive details about the hack. He said the hack caused “catastrophic” destruction and was aimed at inflicting psychological harm and gathering intelligence.

“This attack is a big message and a big warning not only to Ukraine but to the entire Western world to understand that in reality no one is untouchable,” he said. He noted that Kyivstar is a wealthy private company that has invested heavily in cybersecurity.

He explained that the attack wiped out “almost everything”, including thousands of virtual servers and PCs, and was probably the first example of a devastating cyberattack in which “the core of a telco was completely destroyed.”

During its investigation, the SBU discovered that hackers may have attempted to infiltrate Kyivstar in March or earlier, the company said in a Dec. 27 Zoom interview.

“At this point, we can safely say that it has been in the system since at least May 2023,” he said. “I can’t tell you right now when they’ve had full access, probably since at least November.”

The SBU assessed that the hackers would have been able to steal personal information, locate mobile phones, intercept SMS messages and steal Telegram accounts with the level of access they gained.

A Kyivstar spokesperson said the company was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks. “No personal or subscriber data breaches have been revealed,” he said.

Vitiuk said the SBU helped Kyivstar restore its systems within a few days and repel new cyberattacks.

“Following the massive outage, there have been a number of new attempts to inflict further harm on operators,” he said.

Kyivstar is the largest of Ukraine’s three major telecom operators, and there are about 1.1 million Ukrainians living in small towns and villages without other telecom operators, Vitiuk said.

The attack caused people to rush to buy different SIM cards, creating large queues. He said ATMs using Kyivstar SIM cards for internet had stopped working and air raid sirens used in missile and drone attacks were not working properly in some areas.

He said the attack did not have a significant impact on the Ukrainian military, which does not rely on telecom operators and uses “different algorithms and protocols.”

“When it comes to drone detection, missile detection, fortunately this situation has not had a major impact on us,” he said.

Russian Sandworm

Investigating the attack became more difficult because Kyivstar’s infrastructure was wiped out.

Vitiuk said he was “absolutely certain” that it was carried out by Sandworm, a Russian military intelligence cyberwarfare unit linked to cyberattacks in Ukraine and elsewhere.

A year ago, Sandworm infiltrated Ukrainian telecommunications companies, but was detected by Kiev because the SBU itself was inside Russian systems, Vitiuk said. The company declined to be identified. The earlier hack had not previously been reported.

The Russian Ministry of Defense did not respond to a request for written comment on Vitiuk’s remarks.

Vitiuk said this pattern of behavior suggests that telecom operators could still be targets of Russian hackers. The SBU thwarted more than 4,500 major cyberattacks against Ukrainian government entities and critical infrastructure last year, he said.

A group called Solntsepyok, which the SBU believes is affiliated with Sandworm, was responsible for the attack, it said.

Vitiuk said SBU investigators were still working to determine how Kyivstar was infiltrated and what type of Trojan malware was used in the intrusion. It could be phishing, or it could be someone assisting from the inside, he added.

If it was an inside job, the insider who helped the hackers did not have high-level clearance within the company, because the hackers relied on malware used to steal password hashes, he said.

He added that the malware samples have been recovered and are being analyzed.

Kyivstar CEO Oleksandr Komarov said on December 20 that all of the company’s services were fully restored across the country. Vitiuk praised SBU’s incident response efforts to safely restore the system.

Vitiuk said the attack on Kyivstar may have been made easier by its similarities to Russian mobile carrier Beeline, which is built on similar infrastructure.

The sheer size of Kyivstar’s infrastructure would have made it easier to navigate if there had been expert guidance, he added.

The destruction at Kyivstar began around 5 a.m. local time while Ukrainian President Volodymyr Zelenskiy was in Washington to continue pressuring the West to provide support.

Vitiuk said the attack was not accompanied by large-scale missile and drone strikes at a time when people were struggling to communicate, which limited its impact while giving up a powerful intelligence-gathering tool.

It was unclear why the hackers chose December 12, he said, adding, “Maybe some colonels wanted to become generals.”
