Ukraine’s security service has attributed the cyber-attack on mobile operator Kyivstar to Russian hacking group Sandworm.
Kyivstar is Ukraine’s largest mobile network carrier, the cyber-attack rendered internet access and mobile communications temporarily unavailable for its customers in December 2023.
Illya Vitiuk, head of the Security Service of Ukraine (SSU) Cyber Security Department, said that several follow-up attacks against Kyivstar were thwarted in the days after the initial incident.
“The enemy was hoping to strike several times in a row to keep people disconnected for as long as possible. In this case, other operators might not have been able to withstand the prolonged overload of their networks,” commented Vitiuk in an interview with news agency Reuters.
Sandworm, which is believed to be a unit of Russia’s military intelligence (GRU), has been blamed for numerous cyber-attacks on Ukraine’s critical infrastructure. This includes the notorious attack on Ukraine’s power grid in 2015, which left parts of the country without power for several hours.
Following the Russian invasion of Ukraine, Sandworm used novel OT techniques to carry out a disruptive cyber-attack targeting a Ukrainian critical infrastructure organization in late 2022, according to analysis by cyber threat intelligence company Mandiant.
Sandworm has also been linked to the largest-ever attack on critical infrastructure in Denmark, which took place in May 2023.
Impact of the Kyivstar Cyber-Attack
Vitiuk said that the security service’s subsequent investigation found that Sandworm had been in Kyvistar’s system since May 2023, gaining full access in November at the latest.
The sophisticated attack wiped thousands of virtual servers and PCs, causing “disastrous” destruction.
“SSU cyber specialists are examining samples of malware used by the enemy. The attack had been carefully prepared during many months,” added Vitiuk.
While the Kyivstar attack had a significant impact on the civilian population, Vitiuk said that military communications were not seriously affected.
In a post on the SSU website, the service stated that it has thwarted nearly 9000 cyber-attacks on Ukraine’s government resources and critical infrastructure facilities since the start of Russia’s invasion.
Concerns Over Detection Failings
Mike Newman, CEO of My1Login, said the revelation that Sandworm was present on Kyivstar’s network for many months before launching the attack raises big questions about why the attackers were not detected sooner.
“It’s not clear how the attack was initially executed, but if the perpetrators managed to phish an employee for their login credentials that could have been their gateway. This would explain why malicious activity was not detected by threat detection tools, as the adversary would have been perceived as a legitimate user,” he noted.
William Wright, CEO of Closed Door Security, believes that having spent over six months inside Kyivstar’s network, the group will have likely accessed most of the mobile operator’s data, which could be used to target the company, its customers and Ukraine going forward.
“It’s arguable that this attack on, what can be seen as critical national infrastructure, will have been used to gather as much information as possible before the attackers executed the kill switch to destroy the infrastructure. A two-pronged attack of gathering information then causing as much chaos as possible is reminiscent of the Maersk attack in 2017, which caused around $10bn of damages,” warned Wright.