Vitiuk emphasized the importance of this attack as a warning to both Ukraine and the Western world, highlighting that no one is exempt from cyber threats. He noted that Kyivstar, being a wealthy and private company that heavily invested in cybersecurity, was targeted to send a strong message. The attack resulted in the destruction of numerous virtual servers and PCs, making it the first known instance of a cyberattack completely crippling a telecoms operator.
The Security Service of Ukraine (SBU) conducted an investigation and found evidence suggesting that the hackers had been inside Kyivstar’s system since at least May 2023, with full access likely gained in November. Vitiuk stated that the hackers could have potentially stolen personal information, intercepted SMS messages, and gained access to Telegram accounts. However, Kyivstar denied any leakage of personal or subscriber data, stating that they were collaborating with the SBU to investigate the attack and mitigate future risks.
Vitiuk further revealed that the SBU’s prompt response helped Kyivstar restore its systems and fend off subsequent cyberattacks. He acknowledged that the attack had a limited impact on Ukraine’s military, as they relied on different algorithms and protocols for drone and missile detection.
The investigation into the attack is challenging due to the extensive wiping of Kyivstar’s infrastructure. Vitiuk strongly suspected that the Russian military intelligence cyberwarfare unit known as Sandworm was responsible for the attack, citing their previous involvement in cyberattacks in Ukraine. He also mentioned a previous hack by Sandworm on another Ukrainian telecoms operator, detected by the SBU. Vitiuk highlighted the likelihood of telecoms operators remaining targets for Russian hackers based on their behavior patterns.
The SBU attributed the attack to a group called Solntsepyok, believed to be affiliated with Sandworm. However, the specific method used to infiltrate Kyivstar’s system has not been determined yet. Vitiuk speculated that it could have been through phishing, insider assistance, or other means. The SBU is currently analyzing recovered samples of malware used in the attack.
Kyivstar’s CEO, Oleksandr Komarov, announced that all services had been fully restored throughout the country. Vitiuk commended the SBU’s incident response efforts in safely restoring the systems. He also mentioned that the similarities between Kyivstar and Russian mobile operator Beeline may have made the attack easier to execute, as they shared similar infrastructure.
The timing of the attack on December 12 remains unclear, although Vitiuk speculated that a personal motive could have been behind it. He highlighted that the attack did not coincide with a major missile or drone strike, which could have caused more significant damage and provided the hackers with valuable intelligence.
In conclusion, the cyberattack on Kyivstar serves as a significant warning to Ukraine and the Western world about the vulnerability of telecoms operators to sophisticated cyber threats. The investigation is ongoing, with strong indications pointing towards Russian involvement. The SBU continues to work diligently to identify the methods used by the hackers and prevent similar attacks in the future.