Russian hackers were inside Ukraine telecoms giant for months before attack: Cyber spy chief
Sign up now: Get ST's newsletters delivered to your inbox
Kyivstar is the biggest of Ukraine’s three main telecoms operators and there are some 1.1 million Ukrainians who live in small towns and villages where there are no other providers.
PHOTO: REUTERS
LONDON - Russian hackers were inside Ukrainian telecoms giant Kyivstar’s system from at least May 2023 in a cyber attack that should serve as a “big warning” to the West, said Ukraine’s cyber spy chief.
The hack, one of the most dramatic since Russia’s full-scale invasion nearly two years ago, knocked out services provided by Ukraine’s biggest telecoms operator for 24 million users for days from Dec 12.
Mr Illia Vitiuk, head of the Security Service of Ukraine’s (SBU) cyber-security department, gave details on the hack, which he said caused “disastrous” destruction and aimed to land a psychological blow and gather intelligence.
“This attack is a big warning, not only to Ukraine, but for the whole Western world to understand that no one is untouchable,” he said. He noted that Kyivstar was a wealthy, private company that invested a lot in cyber security.
The attack wiped “almost everything”, including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyber attack that “completely destroyed the core of a telecoms operator”.
During its investigation, the SBU found the hackers probably attempted to penetrate Kyivstar in March or earlier, he said in a Zoom interview on Dec 27, 2023.
“For now, we can say securely that they were in the system at least since May 2023,” he said. “I cannot say right now, since what time they had... full access; probably at least since November.”
The SBU assessed the hackers would have been able to steal personal information, understand the locations of phones, intercept SMSes and perhaps steal Telegram accounts with the level of access they gained, he said.
A Kyivstar spokesperson said it was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks, adding: “No facts of leakage of personal and subscriber data have been revealed.”
Mr Vitiuk said the SBU helped Kyivstar restore its systems within days and repel new cyber attacks.
“After the major break, there were a number of new attempts aimed at dealing more damage to the operator,” he added.
Kyivstar is the biggest of Ukraine’s three main telecoms operators, and there are some 1.1 million Ukrainians who live in small towns and villages where there are no other providers, he said.
People rushed to buy other SIM cards because of the attack, creating long queues. ATMs using Kyivstar SIM cards for the Internet ceased to work and the air-raid siren, used during missile and drone attacks, did not function properly in some regions, he said.
The attack had no big impact on Ukraine’s military, which did not rely on telecoms operators and made use of what he described as “different algorithms and protocols”.
“Speaking about drone detection, speaking about missile detection, luckily no, this situation didn’t affect us strongly.”
Russian sandworm
Investigating the attack is harder because of the wiping out of Kyivstar’s infrastructure.
Mr Vitiuk said he was “pretty sure” it was carried out by Sandworm, a Russian military intelligence cyber-warfare unit that has been linked to cyber attacks in Ukraine and elsewhere.
A year ago, Sandworm penetrated a Ukrainian telecoms operator, but was detected by Kyiv as the SBU had itself been inside Russian systems, he said, declining to identify the company. The earlier hack has not been previously reported.
Russia’s Defence Ministry did not respond to a request for comment on Mr Vitiuk’s remarks.
The pattern of behaviour suggested telecoms operators could remain a target of Russian hackers, he said, adding that the SBU thwarted over 4,500 cyber attacks on Ukrainian government bodies and critical infrastructure in 2023.
A group called Solntsepyok, believed by the SBU to be affiliated with Sandworm, said it was responsible for the attack.
Mr Vitiuk said SBU investigators were still working to establish how Kyivstar was penetrated or what type of Trojan horse malware could have been used to break in, adding that it could have been phishing, someone helping on the inside or something else.
If it was an inside job, the person who helped the hackers did not have a high level of clearance in the company as the hackers made use of malware used to steal hashes of passwords, he said.
Samples of that malware have been recovered and are being analysed, he added.
Kyivstar chief executive Oleksandr Komarov said on Dec 20 that all the company’s services had been fully restored throughout the country.
Mr Vitiuk praised the SBU’s incident response effort to safely restore the systems.
The attack on Kyivstar may have been made easier because of similarities between it and Russian mobile operator Beeline, which was built with similar infrastructure, he said.
The sheer size of Kyivstar’s infrastructure would have been easier to navigate with expert guidance, he added.
The destruction at Kyivstar began at around 5am local time while Ukrainian President Volodymyr Zelensky was in Washington
Mr Vitiuk said the attack was not accompanied by a major missile and drone strike at a time when people were having communication difficulties, limiting its impact while also relinquishing a powerful intelligence-gathering tool.
Why the hackers chose Dec 12 was unclear, he said, adding: “Maybe some colonel wanted to become a general.” REUTERS
