
Russian hacker claims responsibility for massive cyberattack in Ukraine



While Russia’s military invasion of Ukraine continues, cyberattacks are intensifying. On December 12, 2023, Kyivstar, the country’s largest telecommunications company, was hit by a massive cyberattack that knocked out mobile and internet services used by millions of people and disrupted air raid siren systems in parts of Kyiv. The attack appears to have involved Russian state-sponsored attackers and was one of the most significant cyberattacks on Ukraine’s critical infrastructure.

Figure 1. The logo of Kyivstar at the company’s headquarters in Kyiv, Ukraine

Network failure at Kyivstar

The network failure of Kyivstar occurred in the early morning of the 12th of December 2023. The company confirmed a technical issue after receiving reports from subscribers that they were unable to communicate or make calls. The reason was a hack of Kyivstar’s systems.

Kyivstar is Ukraine’s largest mobile and broadband internet provider

Founded in 1994, Kyivstar is Ukraine’s largest mobile and broadband internet provider and is part of the Dutch international communications group Veon. As of March 2023, there were 24.3 million mobile phone service subscriptions and more than 1.1 million internet service subscriptions. In an interview, Illia Vitiuk, head of cybersecurity at the Ukrainian Security Service (hereinafter “SBU”), said that the Kyivstar hack caused disastrous destruction and aimed to land a psychological blow and gather intelligence.

Impact of the cyberattack

The attack destroyed the core of Kyivstar’s communications system. About 40% of Kyivstar’s infrastructure was disabled after attackers wiped data from nearly all systems. This caused failures in the company’s mobile communications, air raid sirens and banking systems, making it the most severe cyberattack since the Russian invasion began. Ukrainians rely on mobile phone alerts to prepare for Russian air strikes.

The company, which has more than half the population of Ukraine as subscribers, was forced to shut down its network to prevent further attacks, leaving its users unable to make calls or receive alerts. In such cases, users can typically use roaming services that allow them to communicate through the facilities of other carriers in the country, but that was not possible because the customer data registration system was partially destroyed. Kyivstar users who could no longer receive alerts began lining up at the stores of rival mobile operators, such as Vodafone, Kyivstar’s biggest rival.

Air raid sirens themselves were shut down in more than 75 villages around the capital Kyiv. Financial systems were also affected, with some banking and credit card systems disabled. Civilians were significantly affected, but the Ukrainian military, which uses a different communications system, was not affected.

Sandworm was the perpetrator of the attack

Ukraine’s SBU said the attack on Kyivstar’s infrastructure was carried out by Sandworm, a cyberwarfare unit affiliated with Russia’s General Intelligence Directorate (GRU). Sandworm also conducted cyberattacks on Ukrainian power companies in 2015 and 2016 that involved system breaches and data-wiping attacks and caused power outages. The Kyivstar attack appears to have used similar tactics to disrupt systems supporting critical infrastructure.

The route of entry is under investigation, but one employee’s account appears to have been used as a steppingstone to the breach, according to Kyivstar. Based on the SBU investigation, it is believed that Sandworm hackers began attempting to break into Kyivstar as late as May 2023 and gained full access after November.

In addition to the destruction of systems, there are also concerns that hackers may have been stealing Ukrainian citizens’ smartphone information by infiltrating the system. For example, the hackers may have been able to steal access to Telegram accounts by capturing location data and intercepting SMS messages from stolen personal information. Kyivstar denies any exfiltration of personal and subscriber data.

Kyivstar recovered in phases

The company’s services were restored in phases, with fixed communication services partially restored at 20:00 on the 12th of December 2023, and home fixed line internet and voice communications resumed on the 13th. Two days later, mobile communications were restored in some areas, and became available across the country on the 15th of December. With the restoration of international roaming service on the 20th, the company announced that all domestic and international services were fully restored. It had been a week since the hack was discovered.

Kyivstar says that the help from supplier companies, particularly Ericsson and Microsoft, contributed to the recovery.

The hacktivist who claimed responsibility

The Russian hacktivist group Killnet claimed responsibility for the attack via Telegram, but provided no evidence. The following day, Russian hacktivist Solntsepyok posted a statement on Telegram with screenshots showing that it had accessed Kyivstar servers, claiming to have destroyed 10,000 computers, more than 4000 servers and all cloud storage and backup systems.

Figure 2. The logo of Kyivstar at the company’s headquarters in Kyiv, Ukraine

However, cybersecurity researchers are skeptical that these hacktivists could have orchestrated and executed such a highly skilled attack. The screenshots posted are also insufficient or suspect as evidence of the attack. Neither group claimed responsibility for the attack until after media reports of the incident, and neither group has provided sufficient evidence to prove they were the perpetrators. It is possible that these claims of responsibility were simply an attempt to raise awareness of the case or were propaganda for their own organization.

Summary

The Russian military has carried out repeated attacks using missiles and drones to target Ukraine’s critical infrastructure. The recent incident at Kyivstar appears to have been a cyberattack designed to achieve the same impact as a physical assault. When critical infrastructure is disabled, it disrupts other essential social functions. During this attack, the air raid warning system for missile strikes was compromised, posing a significant risk of human casualties. This incident serves as a strong reminder of the critical role of cyber defense in safeguarding infrastructure during emergencies. The seven-month gap between initial attempts and the point where attackers gained full access underscores the vital importance of continuous security monitoring for early detection and effective response to cyber threats.

About our Cyber Security Insights

This blog post is part of our Cyber Security Insights, which are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.



