Russian hackers wiped thousands of systems in KyivStar attack - BleepingComputer
2024-01-04 13:58 (EST)
The Russian hackers behind a December breach of Kyivstar, Ukraines largest telecommunications service provider, have wiped all systems on the telecom operators core network.
Following the incident, Kyivstars mobile and data services went down, leaving most of its 25 million mobile and home internet subscribers without an internet connection.
Illia Vitiuk, the head of the Security Service of Ukraines (SSU) cybersecurity department, told Reuters in an interview that the threat actors breached Kyivstars network in May 2023.
They launched the attack months later, wiping thousands of virtual servers and computers and "completely" destroying "the core" of the telecoms operator.
"For now, we can say securely, that they were in the system at least since May 2023. I cannot say right now, since what time they had ... full access: probably at least since November," he said.
"After a large-scale break, we prevented a number of attempts to cause even more damage to the operator," Vitiuk added in a statement published on Thursday SSUs website.
"Currently, the cyber specialists of the Security Service are already researching individual samples of malware used by the enemy. The attack was carefully prepared for many months."
The cyberattack had a considerable impact on the countrys civilian population, yet it notably did not significantly disrupt military communications. Vitiuk said that this is because of Ukraines Defense Forces employing different algorithms and communication protocols.
Breached by Sandworm military hackers
Following the incident, Kyivstars CEO and the SSU suggested that Russian hackers may have been involved, given the ongoing conflict between Ukraine and Russia.
One day later, the attack was claimed by Russian hackers from the Solntsepek group (believed to be linked to the Sandworm Russian military hacking group). They said they wiped 10,000 computers and thousands of servers on Kyivstars network.
"We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems," the group said in a Telegram post.
"We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine."
Today, Vityuk confirmed that Sandworm was behind the December attack on Kyivstar, saying that this Russian military intelligence unit carried out other cyberattacks targeting Ukrainian targets, "in particular [..] telecom operators and ISPs."
An October report from Ukraines Computer Emergency Response Team (CERT-UA) revealed that Russian Sandworm hackers breached the networks of 11 Ukrainian telecom service providers since May 2023.
This has led to service interruptions after the hackers deployed scripts during the final stages of the attacks to wipe Mikrotik equipment and backups to make recovery more challenging.
