Illia Vitiuk, head of cybersecurity at the Security Service of Ukraine (SBU)
Illia Vitiuk of Ukraine's state security service speaks at CyCon in Tallinn, Estonia, in 2023. Image: NATO CCDCOE / Flickr

Ukraine gathers evidence to prosecute hackers behind Kyivstar attack in The Hague

The Ukrainian state security service (SBU) has announced that it’s building a case to prosecute Russian hackers who attacked Ukraine’s biggest telecom operator, Kyivstar, at the International Criminal Court in The Hague.

"War criminals should be tried at the international level," said Illia Vitiuk, the head of the department’s cyber unit, in a recent interview with the Ukrainian news agency Ukrinform.

The attack on Kyivstar in late 2023 left millions of subscribers without mobile signals and internet for days. Such attacks on civilian infrastructure fit the definition of war crimes, he said.

Vitiuk has previously linked the hackers to a group known as Sandworm, which is associated with Russia’s military intelligence service (GRU).

In his latest interview, Vitiuk said that Ukraine could trace the attack back to Sandworm due to the hackers' behavioral patterns, their use of specially crafted software, and the infrastructure employed for file downloads. The group that initially claimed responsibility for the attack, Solntsepek, is also linked to Sandworm, according to Vitiuk.

Ukrainian cyber experts and investigators are collecting such evidence against the hackers for consideration at the international court, the SBU said.

It’s not the first time individual Sandworm hackers have been targeted for legal action by a government. The United States has indicted six GRU officers for their alleged involvement in the NotPetya malware attacks. 

The SBU is currently working on assessing the damage caused by the cyberattack. Earlier in January, Kyivstar said the incident would cost its parent company, Netherlands-based Veon, almost $100 million. However, in a report released in March, the company stated that the cost was four times smaller — about $24 million.

Vitiuk noted that it can be a struggle to prosecute state-sponsored hackers because it's nearly impossible “to prove who is responsible for what.”

Previously, Ukraine identified eight members of the Russian hacker group known as Armageddon or Gamaredon in 2021 by listening to their calls. The group operates from the Russian-annexed Crimean peninsula and acts on orders from Russia’s Federal Security Service (FSB) in Moscow.

In the case of the Kyivstar hack, Vitiuk said that Ukraine aims to hold not only group members accountable but also the leaders of Russian intelligence agencies.

The cyberattack on Kyivstar was a technologically advanced operation and is often dubbed "one of the highest-impact disruptive cyberattacks on Ukrainian networks" since Russia invaded Ukraine.

Russian hackers infiltrated Kyivstar's infrastructure months before the December hack, in which they wiped data from numerous physical and virtual servers, according to Vitiuk.

Many people were involved in preparing for the attack. Vitiuk said that during the planning stages, Russia likely worked alongside experts from the telecom industry who know the system's architecture and operational protocols.

"We could see it in how they navigated through the Kyivstar network, where one could easily get lost for years, indicating they were well-acquainted with their route."

There's also a possibility that Sandworm hackers partnered with the Russian telecom company Beeline, as, according to Vitiuk, its infrastructure closely resembles that of Kyivstar.

During a conference in Kyiv in February, Kyivstar CEO Oleksandr Komarov said that the investigation into the incident will "continue for a long time" because hackers "destroyed hundreds of Kyivstar servers and wiped thousands of computers, making it difficult to trace their movement through the network."

"Now what's more important for us is not just how they initially gained access to the network, but how they managed to navigate it, circumventing substantial security measures at Kyivstar," he added.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.