Russian hackers inside Ukraine telecoms giant's system for months, says cyber spy chief
Russian hackers infiltrated the systems of Ukraine's major telecoms company, Kyivstar, in a cyberattack that should serve as a "big warning" to the West.

Russian hackers infiltrated the systems of Ukraine's largest telecoms company, Kyivstar, in a cyberattack that should serve as a "big warning" to the West, according to Ukraine's cyber spy chief, Illia Vitiuk. The attack, in December, knocked out service for 24 million subscribers for several days. Vitiuk called its impact "disastrous" and described it as a warning to both Ukraine and the Western world that no one is untouchable.
Kyivstar, a wealthy private company that invests heavily in cybersecurity, suffered a destructive attack that wiped out "almost everything," including virtual servers and PCs. Vitiuk said it was a rare example of a cyberattack that "completely destroyed the core of a telecoms operator."
The hackers probably gained access to the network as early as May 2023, he said, which would have given them the ability to steal personal information, track phone locations, intercept SMS messages and possibly take over Telegram accounts.
How were the systems restored?
The Security Service of Ukraine (SBU) helped Kyivstar restore its systems and repel follow-on cyberattacks. The operator, the largest in Ukraine, plays a crucial role, particularly in regions where it is the only provider.
The outage caused long queues for replacement SIM cards, took ATMs that relied on Kyivstar SIM cards offline and disrupted air-raid sirens in some regions.
Despite the heavy impact on civilian services, Vitiuk said the attack did not significantly affect Ukraine's military, which uses different systems and protocols for tasks such as drone and missile detection.
The incident serves as a stark reminder of the vulnerability of critical infrastructure to cyber threats.
Challenges faced during the investigation
The investigation into the Kyivstar attack is made harder by the extensive wiping of the company's infrastructure, which has destroyed much of the evidence needed to trace the attack's origin and methods, according to Vitiuk, who heads the SBU's cybersecurity department.
Sandworm suspected as culprit
Vitiuk said he was confident the Kyivstar attack was carried out by Sandworm, a Russian military intelligence cyberwarfare unit known for earlier attacks in Ukraine and beyond. He also disclosed for the first time that Sandworm had hacked another Ukrainian telecoms operator a year earlier.
That pattern suggests telecoms operators will remain targets of Russian hackers, Vitiuk warned. The SBU thwarted more than 4,500 cyberattacks on Ukrainian government bodies and critical infrastructure last year, he said, but the telecoms sector remains a focal point for the threat.
A group believed to be affiliated with Sandworm, calling itself Solntsepyok, has claimed responsibility for the Kyivstar attack. The SBU is still investigating how the attackers got in, including the possible use of trojanised software, phishing or insider assistance.
The SBU is examining the possibility of insider involvement, but Vitiuk stressed that if an insider did help, that person's level of access within the company was not high. The attackers used malware designed to steal password hashes, and samples of it are being analysed.
The attack may have been made easier by the similarities between Kyivstar's infrastructure and that of the Russian mobile operator Beeline, Vitiuk said. Familiarity with Beeline's structure may have helped the hackers find their way around Kyivstar's extensive network.
CEO's statement
Kyivstar's CEO, Oleksandr Komarov, announced on December 20 that all services had been fully restored. Vitiuk praised the SBU's incident response for restoring the systems safely. He also noted that by going destructive the attackers gave up a potentially valuable intelligence-gathering position, and that the cyberattack was not combined with a major missile and drone strike.
Vitiuk said it was unclear why December 12 was chosen for the attack on Kyivstar, suggesting the timing may have been arbitrary, possibly driven by individual motives within the hacking group.