
Russian Sandworm Group Spied on Kyivstar Networks for Months

Nation-State Hackers Blamed for Severing Communications to 24 Million Citizens

Ukraine's security intelligence cyber chief said Russian hackers had been responsible for severing internet access and mobile communications from the country's top telecom operator, Kyivstar, in December, after compromising the company's network months earlier.


Illia Vitiuk, head of the Security Service of Ukraine's Cyber Security Department, revealed the findings of the agency's investigation Thursday on Telegram and told Reuters the hackers had analyzed the entire Kyivstar infrastructure and "carefully prepared for many months" before launching a massive cyberattack in December that wiped "almost everything" and affected some 24 million users for days.

The "disastrous [cyberattack] … completely destroyed the core of a telecoms operator," Vitiuk said. "This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable."

"For now, we can say securely that they were in the system at least since May 2023," Vitiuk told Reuters. "I cannot say right now, since what time they had ... full access: probably at least since November."

Cybersecurity researchers expect more fallout beyond the outage in December. "If attackers sat on the organization's network for over six months, they would have accessed most of the operator's data, so only time will tell how this is used against the business, its customers and Ukraine," William Wright, chief executive officer of Closed Door Security, told Information Security Media Group.

"It's arguable that this attack on what can be seen as critical national infrastructure will have been used to gather as much information as possible before the attackers executed the kill switch to destroy the infrastructure," Wright said. "A two-pronged attack of gathering information then causing as much chaos as possible is reminiscent of the Maersk attack in 2017, which caused around $10 billion of damages."

Attack Breadcrumbs Lead to Sandworm

The malware used is likely a data wiper, but Vitiuk said the agency is still investigating individual samples of malicious software.

The hacking group called Solntsepek, which has ties with the Russian armed forces' GRU unit, previously claimed responsibility for the attack. The group alleged that 10,000 computers, over 4,000 servers and all cloud storage and backup systems owned by Kyivstar had been wiped in the attack (see: Ukraine Fingers Russian Military Hackers for Kyivstar Outage).

Vitiuk did not provide details but confirmed that thousands of virtual servers and PCs had been destroyed in the "large-scale" attack. Investigators have been struggling to analyze the attack vectors because Kyivstar's infrastructure was wiped, he said.

He also confirmed in the Telegram post that the hacker group Sandworm, which is a full-time unit of Russian military intelligence and has previously carried out cyberattacks on Ukrainian critical infrastructure, was behind this attack (see: Russian Sandworm Hackers Caused Power Outage in October 2022).

The group is known to have several data wipers in its arsenal and in January 2023, it added one more. Christened the NikoWiper by Eset, the destructive malware was based on SDelete, a command-line utility from Microsoft used for securely deleting files, researchers said at the time (see: Russian Sandworm APT Adds New Wiper to Its Arsenal).

"The SBU not only helped Kyivstar resume work in a few days, but also repelled new cyberattacks. After a large-scale breach, we prevented a series of attempts to cause even more damage to the operator," Vitiuk said. "The enemy planned to strike several times in a row in order to leave people without communication for as long as possible. In such a case, other operators could not withstand prolonged overloading of their networks."

Only Civilian Infrastructure Affected

The cyberattack had a "significant impact" on the civilian population but did not seriously affect military communications because the Ukrainian Defense Forces use different communication algorithms and protocols, Vitiuk said.

At the time, the outage led to the disruption of air raid sirens, retail credit payments and ATM access to major banks as people scrambled to buy other SIM cards because of the attack, creating large lines and chaos (see: Top Ukrainian Mobile Operator Kyivstar Hit by Cyberattack).

The point of compromise still remains unclear. Vitiuk only revealed that the hackers had used malware to steal hashes of passwords. "It's not clear how the attack was initially executed, but if the perpetrators managed to phish an employee for their login credentials, that could have been their gateway," Mike Newman, CEO of My1Login, told ISMG. "This would explain why malicious activity was not detected by threat detection tools, as the adversary would have been perceived as a legitimate user."

An employee who was unaware of the phishing incident would have had no reason to report anything malicious to security, so the attackers could have operated under the radar, escalating their network privileges, before they had everything they needed to launch a powerful attack, Newman said.
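The point Newman makes above, that a login with phished credentials is indistinguishable from the real user to signature-based tooling, is why many operators fall back on comparing each login against the account's own history. The following is an added illustration, not code from the article, Kyivstar or the SBU: it builds a per-account baseline of source networks and login hours from older records, flags later successful logins that deviate from it, and raises the severity when a sensitive change (here a constructed `group_add_admin` event) follows an anomalous login within an hour. The log format, the account name, the IP addresses, the working-hours range and the event names are all assumptions constructed for this example.

```python
"""Baseline-deviation checks for valid-credential logins.

Added example (not from the article, Kyivstar or the SBU). A phished
credential produces a "successful" login, so the check below asks whether
that success looks like the account's own past behaviour rather than whether
the password was correct. The log format and every value in SAMPLE_LOG are
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records: "timestamp user src_ip event result".
# Entries before 2023-05-01 serve as the account's history; later ones are
# the traffic being assessed.
SAMPLE_LOG = """\
2023-04-03T08:55:10 j.doe 10.20.30.15 login success
2023-04-04T09:02:41 j.doe 10.20.30.22 login success
2023-04-05T08:47:03 j.doe 10.20.30.15 login success
2023-04-06T18:10:55 j.doe 10.20.30.15 login success
2023-05-11T02:14:09 j.doe 203.0.113.77 login success
2023-05-11T02:31:44 j.doe 203.0.113.77 group_add_admin success
2023-05-12T09:05:00 j.doe 10.20.30.15 login success
"""

BASELINE_END = datetime(2023, 5, 1)      # records before this build the baseline
WORK_HOURS = range(7, 20)                # assumed normal working hours (07:00-19:59)
ESCALATION_WINDOW = timedelta(hours=1)   # sensitive change this soon after an odd login
SENSITIVE_EVENTS = {"group_add_admin"}   # hypothetical event name for a privilege change


def parse(log_text):
    """Split each line into fields and reduce the source IP to its /24 network."""
    records = []
    for line in log_text.splitlines():
        ts, user, ip, event, result = line.split()
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "net": str(net), "event": event, "result": result})
    return records


def build_baseline(records):
    """Per account: the source networks and hours seen in successful historical logins."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for r in records:
        if r["ts"] < BASELINE_END and r["event"] == "login" and r["result"] == "success":
            baseline[r["user"]]["nets"].add(r["net"])
            baseline[r["user"]]["hours"].add(r["ts"].hour)
    return baseline


def detect(records):
    """Return (severity, user, timestamp, reason) tuples for post-baseline records."""
    baseline = build_baseline(records)
    alerts = []
    last_anomalous_login = {}   # user -> time of most recent flagged login
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["ts"] < BASELINE_END:
            continue
        if r["event"] == "login" and r["result"] == "success":
            reasons = []
            known = baseline.get(r["user"])
            if known is None:
                reasons.append("no baseline for account")
            else:
                if r["net"] not in known["nets"]:
                    reasons.append(f"new source network {r['net']}")
                if r["ts"].hour not in WORK_HOURS and r["ts"].hour not in known["hours"]:
                    reasons.append(f"login at {r['ts'].hour:02d}:00, outside baseline hours")
            if reasons:
                last_anomalous_login[r["user"]] = r["ts"]
                alerts.append(("medium", r["user"], r["ts"], "; ".join(reasons)))
        elif r["event"] in SENSITIVE_EVENTS and r["result"] == "success":
            prior = last_anomalous_login.get(r["user"])
            if prior is not None and r["ts"] - prior <= ESCALATION_WINDOW:
                alerts.append(("high", r["user"], r["ts"],
                               f"{r['event']} within {ESCALATION_WINDOW} of anomalous login"))
    return alerts


if __name__ == "__main__":
    for severity, user, ts, reason in detect(parse(SAMPLE_LOG)):
        print(f"[{severity}] {user} {ts.isoformat()} {reason}")
```

On the constructed sample the 09:05 login from the usual office network passes silently, while the 02:14 login from an unseen network is flagged and the group change seventeen minutes later is escalated to high. A baseline built from a compromised period would of course learn the attacker's behaviour as normal, which is one reason the article's six-month dwell time matters: the window used to train such checks must predate the intrusion.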

Since the beginning of the full-scale invasion, the Security Service has recorded and repelled almost 9,000 cyberattacks on state resources and objects of critical infrastructure of Ukraine, Vitiuk said in the Telegram post.


About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.