Russian hackers infiltrated Ukrainian telecom giant months before cyberattack

The Russian hackers behind the cyberattack on Ukraine’s largest telecom operator snuck into its infrastructure months before the December hack, according to Ukraine’s top cyber official.

The attack on Kyivstar was “one of the highest-impact disruptive cyberattacks on Ukrainian networks” since Russia invaded the country last year. It left millions of Kyivstar subscribers without a mobile signal and internet for days beginning on December 12.

In a recent interview with Reuters, Illia Vitiuk, the head of the cybersecurity department at Ukraine’s security service (SBU), said that the hackers attempted to penetrate Kyivstar in March 2023 or earlier, managed to get into the system at least as early as May, and likely gained full access to the network in November.

The attack is believed to have been carried out by the Russian state-controlled hacker group Sandworm, according to Vitiuk. Earlier in December, the threat actor Solntsepek claimed responsibility for the hack. That group has previously been linked to Sandworm.

The hackers wiped “almost everything,” including thousands of virtual servers and personal computers, Vitiuk said. Kyivstar CEO Oleksandr Komarov claimed earlier that the attackers managed to destroy some functions of the operator’s core network — the central part of its infrastructure responsible for managing and directing communication services.

The SBU, which is involved in the investigation of the incident, said that with the level of access the hackers gained they might have been able to steal personal information, understand the locations of phones, intercept SMS messages, and perhaps steal Telegram accounts. Kyivstar said earlier that no personal or subscriber data was leaked.

Vitiuk said that after the major cyberattack on Kyivstar there were several new attempts by hackers aimed at damaging the operator.

It is still not clear how the hackers penetrated Kyivstar’s network and what type of malware they used. Komarov said earlier that he suspects the attack was an internal intrusion, but he did not specify what he meant. “There certainly had to be some movement within the network to damage it so badly,” he added.

“If it was an inside job,” Vitiuk said, “the insider who helped the hackers did not have a high level of clearance in the company, as the hackers made use of malware used to steal hashes of passwords.”

The attack on Kyivstar may have been made easier by similarities to the Russian mobile operator Beeline, which was built with similar infrastructure, Vitiuk added.

The goal of the attack was to cause "disastrous" destruction, deliver a psychological blow, and gather intelligence. He called it “a big warning” for the Western world.

Kyivstar is a Ukrainian subsidiary of the Netherlands-based VEON. It ranks as one of Ukraine’s largest and most wealthy private companies, employing 3,500 people and generating $815 million in revenue in 2022. “No one is untouchable,” Vitiuk said.

In an interview in December, Komarov said that Kyivstar suffered billions in losses in Ukraine's national currency (1 billion hryvnia is about $26.2 million) due to the cyberattack. Despite this, the telecom provider decided not to bill its subscribers for January to apologize for the inconvenience. Kyivstar has nearly 24 million subscribers in Ukraine.

The company restored all of its services in Ukraine and abroad on December 20. In addition to cutting off Ukrainians from the cellular network and mobile internet, the attack disrupted air raid sirens, some banks, ATMs and point-of-sale terminals.

The hack did not impact the communication systems of the Ukrainian armed forces, which according to Vitiuk do not rely on telecom operators and made use of what he described as "different algorithms and protocols".

Telecom operators remain an attractive target to Russian hackers, according to Vitiuk. In an October interview with Recorded Future News’ Click Here podcast, he said there had been “a serious attempt to penetrate one of Ukraine’s telecom operators,” but it was stopped.