Russian hackers were inside Ukraine telecoms giant for months - cyber
spy chief
Send a link to a friend
 [January 04, 2024]
By Tom Balmforth
LONDON (Reuters) - Russian hackers were inside Ukrainian telecoms giant
Kyivstar's system from at least May last year in a cyberattack that
should serve as a "big warning" to the West, Ukraine's cyber spy chief
told Reuters.
The hack, one of the most dramatic since Russia's full-scale invasion
nearly two years ago, knocked out services provided by Ukraine's biggest
telecoms operator for some 24 million users for days from Dec. 12.
In an interview, Illia Vitiuk, head of the Security Service of Ukraine's
(SBU) cybersecurity department, disclosed exclusive details about the
hack, which he said caused "disastrous" destruction and aimed to land a
psychological blow and gather intelligence.
"This attack is a big message, a big warning, not only to Ukraine, but
for the whole Western world to understand that no one is actually
untouchable," he said. He noted Kyivstar was a wealthy, private company
that invested a lot in cybersecurity.
The attack wiped "almost everything", including thousands of virtual
servers and PCs, he said, describing it as probably the first example of
a destructive cyberattack that "completely destroyed the core of a
telecoms operator."
During its investigation, the SBU found the hackers probably attempted
to penetrate Kyivstar in March or earlier, he said in a Zoom interview
on Dec. 27.
"For now, we can say securely, that they were in the system at least
since May 2023," he said. "I cannot say right now, since what time they
had ... full access: probably at least since November."
The SBU assessed the hackers would have been able to steal personal
information, understand the locations of phones, intercept SMS-messages
and perhaps steal Telegram accounts with the level of access they
gained, he said.
A Kyivstar spokesperson said the company was working closely with the
SBU to investigate the attack and would take all necessary steps to
eliminate future risks, adding: "No facts of leakage of personal and
subscriber data have been revealed."
Vitiuk said the SBU helped Kyivstar restore its systems within days and
to repel new cyber attacks.
"After the major break there were a number of new attempts aimed at
dealing more damage to the operator," he said.
Kyivstar is the biggest of Ukraine's three main telecoms operators and
there are some 1.1 million Ukrainians who live in small towns and
villages where there are no other providers, Vitiuk said.
People rushed to buy other SIM cards because of the attack, creating
large queues. ATMs using Kyivstar SIM cards for the internet ceased to
work and the air-raid siren - used during missile and drone attacks -
did not function properly in some regions, he said.
He said the attack had no big impact on Ukraine's military, which did
not rely on telecoms operators and made use of what he described as
"different algorithms and protocols".
"Speaking about drone detection, speaking about missile detection,
luckily, no, this situation didn't affect us strongly," he said.
RUSSIAN SANDWORM
Investigating the attack is harder because of the wiping of Kyivstar's
infrastructure.
[to top of second column]
|
A woman walks past a store of Ukraine's telecommunications company
Kyivstar, amid Russia's attack on Ukraine, in Kyiv, Ukraine December
12, 2023. REUTERS/Alina Smutko/File Photo
Vitiuk said he was "pretty sure" it was carried out by Sandworm, a
Russian military intelligence cyberwarfare unit that has been linked
to cyberattacks in Ukraine and elsewhere.
A year ago, Sandworm penetrated a Ukrainian telecoms operator, but
was detected by Kyiv because the SBU had itself been inside Russian
systems, Vitiuk said, declining to identify the company. The earlier
hack has not been previously reported.
Russia's defense ministry did not respond to a written request for
comment on Vitiuk's remarks.
Vitiuk said the pattern of behaviour suggested telecoms operators
could remain a target of Russian hackers. The SBU thwarted over
4,500 major cyberattacks on Ukrainian governmental bodies and
critical infrastructure last year, he said.
A group called Solntsepyok, believed by the SBU to be affiliated
with Sandworm, said it was responsible for the attack.
Vitiuk said SBU investigators were still working to establish how
Kyivstar was penetrated or what type of trojan horse malware could
have been used to break in, adding that it could have been phishing,
someone helping on the inside or something else.
If it was an inside job, the insider who helped the hackers did not
have a high level of clearance in the company, as the hackers made
use of malware used to steal hashes of passwords, he said.
Samples of that malware have been recovered and are being analyzed,
he added.
Kyivstar's CEO, Oleksandr Komarov, said on Dec. 20 that all the
company's services had been fully restored throughout the country.
Vitiuk praised the SBU's incident response effort to safely restore
the systems.
The attack on Kyivstar may have been made easier because of
similarities between it and Russian mobile operator Beeline, which
was built with similar infrastructure, Vitiuk said.
The sheer size of Kyivstar's infrastructure would have been easier
to navigate with expert guidance, he added.
The destruction at Kyivstar began at around 5:00 a.m. local time
while Ukrainian President Volodymyr Zelenskiy was in Washington,
pressing the West to continue supplying aid.
Vitiuk said the attack was not accompanied by a major missile and
drone strike at a time when people were having communication
difficulties, limiting its impact while also relinquishing a
powerful intelligence-gathering tool.
Why the hackers chose Dec. 12 was unclear, he said, adding: "Maybe
some colonel wanted to become a general."
(Editing by Mike Collett-White and Timothy Heritage)
[© 2023 Thomson Reuters. All rights
reserved.]This material
may not be published, broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content. |
