Cheraw Chronicle

How Russia managed to hack the largest Ukrainian telecom provider for months

Russian hackers appear to have had access to the system of the largest Ukrainian telecommunications company Kyivstar for several months, before all of the provider's services were paralyzed by a cyberattack last month. Ukraine warns that this could also happen to the West, with potentially dire consequences.

Tommy Theis

There is no cell phone coverage, no internet access, street lights are out, bank machines can no longer dispense money, and even air raid sirens no longer work in certain places. The large-scale hacking operation that hit Kyivstar on the morning of December 12 had a massive impact on Ukrainian society. The telecommunications company is the largest in the country, with 24 million customers, serving more than half of all Ukrainians. As many customers quickly switched to other Ukrainian providers, those providers also had to deal with overload. Most services were not restored until a few days later.

Research by the Ukrainian intelligence service SBU now shows that the Russian hackers responsible for the attack had been present in Kyivstar's systems since May last year. This was stated by the head of the service's cybersecurity department, Ilya Vitiuk, in an interview with the Reuters news agency. Vitiuk's division came to Kyivstar's aid immediately after the attack to close loopholes and prevent new attack attempts.

Full access in November

Attempts to hack Kyivstar's systems were said to have been made as early as March or perhaps earlier. Subsequent attempts in May were more successful, and the hackers may have had full access to Kyivstar's systems since November. They then launched their large-scale, well-prepared attack in early December.

According to Vitiuk, the hack was perhaps the first example worldwide of a “catastrophic” cyberattack that could “destroy the entire core of a telecom company.” Moreover, the attack went beyond simply crippling telephone and Internet traffic, and may also have aimed to completely wipe out Ukrainian computer systems and render them unusable. “Almost everything” was wiped, including thousands of computers and virtual servers. Many users had to physically turn off their devices to prevent further damage from the hack.

However, hackers were able to steal personal information from Kyivstar customers, both private and institutional, track phone locations and intercept text messages. According to Vitiuk, the Russian hackers also wanted to deal a psychological blow and make clear to the Ukrainians that they could be captured remotely by their Russian neighbor at any time. More than 1.1 million Kyivstar customers live in small towns and villages where other providers are not available.

The untouched

“This attack sends a clear message, not only to Ukraine, but to the entire West, that no one is immune,” Vitiuk said. Kyivstar is Ukraine's largest provider and is a wealthy private company that has invested heavily in cybersecurity in recent years in light of previous cyberattacks from Russia.

The provider says it has no evidence of a data leak. The army was also not affected by the attack because it operates with its most secure military forces and systems. Tens of thousands of drones on the battlefield, among other things, are completely dependent on the army's mobile networks. Every day, the Russian and Ukrainian sides try in every possible way to disable enemy systems through electronic warfare.

It is not yet clear who exactly is behind the attack. Two Russian hacker groups have claimed responsibility for the break-in, and the claim by Solntsepyuk in particular is considered credible. Solntsepyuk has close ties to the internationally known and notorious Sandworm collective, which may be under the patronage of Russia's GRU military intelligence service.

Sandworm is believed to be responsible for several cyberattacks in Ukraine and elsewhere in recent years. A year ago, the group also managed to hack a Ukrainian telecommunications company, Vitiuk says, but the attempt was noticed at the time because the SBU itself had hacked into Russian systems. It is not clear whether this attack also targeted Kyivstar. In total, the SBU repelled more than 4,500 major cyberattacks on Ukrainian government institutions and critical infrastructure in the past year.

Hackers may have found a vulnerability in the systems through a compromised account of a Kyivstar employee, after which they could install malware to steal passwords and gradually give themselves more and more access. However, the presence of a spy within the company has not been ruled out either, as Solntsepyuk's message on Telegram claiming responsibility for the attack expressed gratitude to “concerned colleagues” at Kyivstar, which could indicate that someone deliberately created the security vulnerability.