Russian Hackers Were Inside Ukraine's Largest Telecoms Operator For Months, Cybersecurity Chief Says
Illia Vitiuk emphasised the severity of the attack, characterising it as a "big warning" not only for Ukraine but for the entire Western world.
In a recent interview with Reuters, Illia Vitiuk, the head of the Security Service of Ukraine's (SBU) cybersecurity department, provided exclusive details about a cyberattack on Kyivstar, Ukraine's largest telecoms operator. The attack, which had been under way since at least May of the previous year and disrupted services for approximately 24 million users for several days starting on December 12, is being regarded as one of the most significant cyber incidents since Russia's invasion of Ukraine nearly two years ago.
Vitiuk emphasised the severity of the attack, characterising it as a "big warning" not only for Ukraine but for the entire Western world. He pointed out that Kyivstar, as a wealthy private company with substantial investments in cybersecurity, suffered "disastrous" destruction in what is considered the first instance of a destructive cyberattack that "completely destroyed the core of a telecoms operator."
The SBU's investigation revealed that the hackers likely attempted to penetrate Kyivstar as early as March, gaining full access by at least November. Vitiuk expressed concerns about the potential theft of personal information, location tracking of phones, interception of SMS messages, and the possible compromise of Telegram accounts due to the level of access obtained by the hackers.
While the attack had a significant impact on Kyivstar's operations, including the temporary disruption of services and the wiping of virtual servers and PCs, Vitiuk highlighted that Ukraine's military, which utilises different algorithms and protocols, was minimally affected.
Despite challenges posed by the wiping of Kyivstar's infrastructure, Vitiuk suggested that the cyberattack was likely orchestrated by the Russian military intelligence cyberwarfare unit known as Sandworm. He referenced a previous incident involving Sandworm penetrating a Ukrainian telecoms operator a year ago, which had not been previously reported.
Vitiuk acknowledged the difficulty in attributing the attack to specific actors but pointed to a group called Solntsepyok, believed to be affiliated with Sandworm, which claimed responsibility for the incident. The SBU thwarted over 4,500 major cyberattacks on Ukrainian governmental bodies and critical infrastructure last year, indicating an ongoing threat to the country's cybersecurity.
The CEO of Kyivstar, Oleksandr Komarov, announced on December 20 that all services had been fully restored throughout the country. Vitiuk commended the SBU's incident response efforts in safely restoring the systems. The attack on Kyivstar, which occurred while Ukrainian President Volodymyr Zelenskiy was in Washington, pressing for continued aid from the West, remains a significant cybersecurity concern, with uncertainties surrounding the motivations behind the choice of the attack date.