December 12, 2023 was a black day for Kyivstar: Russian hackers launched an attack that practically paralyzed the operator’s work. As it turned out, the hackers had penetrated the company’s network a few months before the attack, and later made new attempts to hack Kyivstar. Ilya Vityuk, head of the cyber security department of the SBU, described what happened.
He notes that this attack is “a big warning not only for Ukraine, but also for the entire Western world.” “Kyivstar” is a profitable private company that invests a lot in cyber security. Nevertheless, Russian hackers were able to launch a successful cyberattack that caused “catastrophic” destruction.
The extent of the damage
According to Ilya Vityuk, “almost everything” was destroyed as a result of the attack, including thousands of virtual servers and PCs. He called it probably the first example of a devastating cyberattack that “completely destroyed the core of a communications operator.”
During the investigation, the SBU established that the hackers probably tried to break into the Kyivstar system in March or even earlier. At the same time, it is possible “to say with confidence that they were in the system at least since May 2023.” They apparently had full access from at least November.
According to SBU estimates, the level of access obtained would have allowed the hackers to steal personal information, determine the location of phones, intercept SMS messages and possibly steal Telegram accounts.
A representative of “Kyivstar” said that the company is cooperating closely with the SBU in the investigation of the attack and will take all necessary measures to eliminate future risks. At the same time, the company states that “no facts of leakage of personal and subscriber data have been detected.”
Vityuk said that the SBU helped Kyivstar restore its systems and detect new cyberattacks in a matter of days. According to him, after some break, “a number of new attempts were made, aimed at causing greater losses to the operator.” He added that the attack had little impact on the Ukrainian army, which did not rely on communications operators and used “different algorithms and protocols.” However, millions of users were practically unable to use the Kyivstar connection for several days.
Sandworm’s right hand
The destruction of the operator’s infrastructure makes the attack on “Kyivstar” difficult to investigate. However, Vityuk said he was “almost certain” it was the work of Sandworm, a Russian military intelligence cyberwarfare unit linked to cyberattacks in Ukraine and elsewhere.
A year ago, Sandworm had already penetrated the network of a Ukrainian telecommunications operator, but was discovered because the SBU itself was in Russian systems, Vityuk said, declining to name the company. He added that last year the SBU prevented more than 4,500 major cyber attacks on Ukrainian government bodies and critical infrastructure.
Vityuk said that SBU investigators are still determining the method used to hack Kyivstar and the type of Trojan software involved. It could have been phishing or help from an insider who didn’t have a high level of access. The hackers used malware of the kind used to steal password hashes. Samples of this malware have been identified and analyzed, he added.
According to Vityuk, the attack on Kyivstar could have been relatively easy for Russian hackers because of its similarity to the Russian mobile operator Beeline, which had a similar infrastructure. He added that the scope of Kyivstar’s infrastructure would be easier to navigate under the guidance of experts.
VEON CEO Kaan Terzioglu spoke in a recent interview about his intention to invest $1 billion in Kyivstar over five years. The funds will go first to restoring the basic backbone network, data processing centers and fiber optic infrastructure. This will enable faster and more efficient deployment of 5G. The company is also considering the possibility of launching satellite communications.
UPDATED: “Kyivstar” spokeswoman Iryna Lelychenko noted that the company does not confirm the information about alleged months-long access by hackers “within” the company to subscribers’ personal data, or about any leak of that data.
“The official investigation of the cyberattack on the Kyivstar network, which took place on December 12, 2023, is ongoing, so various versions are being considered, but none of them can be considered final until the official conclusion of the investigation,” she said.
Iryna Lelychenko also emphasized once again that no facts of leakage of subscribers’ personal data were found during the investigation. All information about the progress of the cyber attack investigation is available on the official website of the SBU.
Source: Reuters