Russian Hackers Were Inside Ukrainian Telecoms Giant for Almost a Year

Russian hackers have been inside Ukrainian telecoms company Kyivstar’s system since at least May of last year, causing the most severe cyberattack on Ukrainian networks.

Aiming to deliver a psychological blow and obtain intelligence, the hack created “disastrous” destruction.

Approximately 24 million users could not access services offered by Ukraine’s largest telecom operator for several days starting on December 12 due to the severe attack.

“This attack is a big message, a big warning, not only to Ukraine but for the whole Western world to understand that no one is untouchable,” to a recent interview with Reuters Illia Vitiuk, head of the Security Service of Ukraine (SBU) cybersecurity department said.

Hack Over Telecom Operator

Vitiuk mentioned that Kyivstar was a well-funded private business with significant cybersecurity investments.

Further, thousands of virtual servers and PCs were destroyed in the attack, calling it “almost everything.” It was likely the first instance of a damaging cyberattack that “destroyed the core of a telecoms operator.”

The SBU discovered throughout its investigation that the hackers most likely tried to access Kyivstar in March or earlier.

“For now, we can securely say that they have been in the system since May 2023. I cannot say right now, since what time they had … full access: probably at least since November”, reads the Reuters report.

With the level of access, the hackers were able to steal the following information, such as:

• Personal information
• Locations of phones
• SMS-messages
• Telegram accounts with the level of access they gained

A Kyivstar representative stated, “No facts of leakage of personal and subscriber data have been revealed.”

The strike did not affect them because the Ukrainian military used “different algorithms and protocols” and was not dependent on telecom companies.

Vitiuk declared that he was pretty sure Sandworm, a cyber warfare unit of Russian military intelligence connected to cyberattacks in Ukraine and other countries, was responsible for the operation.

The SBU suspected a group known as Solntsepyok of having ties to Sandworm, and they claimed responsibility for the attack.

Investigators are still trying to figure out how Kyivstar was compromised and what kind of trojan horse malware was used to get in. They also mentioned that it might have been phishing, an insider assisting out, or something else entirely. The samples of that malware had been found and were being examined.

Further, the firm was closely collaborating with the SBU to look into the incident and that it would take all necessary precautions to limit future risks. 

Oleksandr Komarov, the CEO of Kyivstar, announced on December 20 that all of the business’s services had been fully restored across the nation.