
SBU Cybersecurity Chief Exposes Persistent Hacker Presence in Kyivstar

 


An attack on Kyivstar, a telco that has some 24 million users in Ukraine, appears to have been carried out by Russia's Sandworm crew last month, shutting down mobile and internet services for those users.

According to Illia Vitiuk, head of the cyber department of the Security Service of Ukraine (SBU), the incident should serve as a "big warning" to the West concerning the security of Ukraine. Vitiuk, who worked for the Russian Ministry of Defense, revealed exclusive details in an interview published last Thursday (Jan 4), according to which the hack caused "disastrous" destruction and gathering intelligence about the enemy was one of the campaign's goals.

Services for approximately 24 million users were disrupted for several days beginning on December 12, the culmination of an intrusion that had been under way since at least May of the previous year. The attack was widely viewed as one of the most significant cyberattacks since Russia invaded Ukraine nearly two years ago.

As revealed in an interview published on Thursday, the spy chief confirmed that Kyivstar's services were blacked out long before the company's servers went down on December 12, in what he described as a "disastrous" intrusion. 

The intrusion destroyed thousands of virtual servers and PCs. The attack is also reported to have disrupted some banking services in Kyiv and the air raid alert system in the region. In the same week as the attack, two separate missile strikes hit the Ukrainian capital, injuring at least 53 people and causing significant damage to homes, a children's hospital, and a medical centre.

According to Vitiuk, the Kyivstar hackers entered the network sometime between May and November 2023, if not earlier, and had full access to the system by the end of November. With that level of access, the attackers could have reached customer information, phone location data, SMS messages, and possibly Telegram account credentials.

As Vitiuk points out, the attacker is believed to have been Sandworm, the state-controlled hacker group. Responsibility for the breach was claimed earlier this month under the name Solntsepek, which has previously been considered to be Sandworm.

Thousands of virtual servers and personal computers were wiped out by the hackers, according to Vitiuk. Earlier this week, Kyivstar's CEO Oleksandr Komarov said that the attackers had managed to destroy some functions in the company's core network, which is the backbone of its communication infrastructure.

The SBU, which is investigating the incident, has suggested that, given the level of access they gained, the hackers may have been able to steal personal information, determine the locations of phones, intercept SMS messages, or even take over Telegram accounts. Earlier this month, Kyivstar said that no personal or subscriber data had been stolen.

Hackers are still trying to damage Kyivstar, Vitiuk said, and there have been several new attempts against the operator since the major cyberattack. In the early stages, Komarov said he suspected an internal intrusion into Kyivstar's network but did not specify what he meant by that.

It is not clear how the hackers penetrated the network or what kind of malware they used. Vitiuk added that there had to be lateral movement within the network to cause such severe damage. The goal of the attack, he said, was to cause "disastrous" destruction, to deliver a psychological blow, and to gather intelligence.

Kyivstar is the Ukrainian subsidiary of the Netherlands-based VEON, and Vitiuk described the attack on it as a big warning for the Western world. He said Kyivstar is one of Ukraine's biggest and wealthiest private companies, with 3,500 employees and $815 million in revenue in 2022. No one is untouchable, he added.

Komarov said in a December interview that the company had suffered losses in the billions of Ukraine's national currency (1 billion hryvnia is about $26.2 million) as a result of the cyberattack.

Kyivstar has decided not to bill its subscribers for January and apologized for the inconvenience caused. The telecom provider has nearly 24 million subscribers across Ukraine.

The company's service in Ukraine and abroad suffered several technical difficulties before it was able to restore all of its services on December 20. Apart from cutting Ukrainians off from the mobile internet and cellular network, the attack also disrupted air raid sirens, some banks, ATMs, and point-of-sale terminals.

In Vitiuk's view, the hack did not impact the communications systems of the Ukrainian armed forces, which he says do not rely on telecom operators and use what he describes as "different algorithms and protocols". According to Vitiuk, Russian hackers continue to view telecom operators as potential targets.

He added that another serious Russian attempt to penetrate one of Ukraine's telecom operators had been stopped and the attackers' software removed. Separately, Mandiant has alleged that Sandworm was behind the blackouts that occurred in Ukraine in October 2022, which were previously attributed to missile strikes.

Strikes against Ukraine's electrical grid were one cause of some of those blackouts. Despite that, threat hunters think that a seemingly coordinated cyberattack on an electrical generation plant in the country could also have been a factor, according to the report.

According to Mandiant's John Hultquist, Sandworm has been responsible for several electrical blackouts in Ukraine, but its reach extends across the globe. It has hit targets in the US and France, including elections and the opening ceremony of the Olympics. Members of the group have also been tied to the global NotPetya attack, one of the most expensive cyberattacks in history.

Microsoft launches on-demand service for emergency security threats



Microsoft has launched a new service that gives customers a direct line to the company's top security experts when a threat is serious enough that the customer cannot deal with it alone.

The threat hunting service, Threat Experts on Demand, is now part of Microsoft Defender Advanced Threat Protection (ATP) and will be available to customers with Windows 10 Enterprise E5 and the Microsoft 365 bundle subscription. It is aimed primarily at large organizations that, although they have strong security, may still encounter a sticky problem such as a NotPetya outbreak, an insider threat, or cyber-espionage.

This development builds on Microsoft's existing security services for customers, complementing targeted attack notifications and the Azure Sentinel cloud SIEM service, which became available in September.

Microsoft says that once the button is clicked, the customer's security team is connected to Microsoft's incident response services, and it also promises technical consultation from its threat experts on adversaries and related issues.

"Customers do what they can to deal with these threats but sometimes they need additional help," said Brian Hooper, senior research lead at the Microsoft Defender research group. "Sometimes they just want a trusted partner. Microsoft has visibility of over a billion machines worldwide and we're able to use that to bring out and deeply understand the threats that enterprises face. We help them become aware of those threats in their environment, reduce dwell time, and give them visibility into those critical threats so they can prioritize and respond with confidence."

He also said Threat Experts on Demand allows enterprise customers to "tap into the 3,500-plus security professionals Microsoft has globally". When a customer faces a threat they cannot handle, they can contact Threat Experts with the click of a button, and a full-time Microsoft employee will handle each request for help.

"This is our managed threat hunting capability. It combines expert human hunters with our own artificial intelligence and automation to help our enterprise customers deal with those critical threats", said Hooper.

ZDNet explains that the human element of Experts on Demand includes:

1. Additional clarification on alerts, including the root cause or scope of the incident.
2. Clarity on suspicious machine behavior and recommended next steps when facing an advanced attacker.
3. Assessment of risk and protection regarding threat actors, campaigns, or emerging attacker techniques.
4. Seamless transition to Microsoft Incident Response (IR) services when necessary.