Ukraine’s state security service revealed on Wednesday that Russian hackers associated with Russia’s military intelligence agency GRU had infiltrated the systems of Ukraine’s largest telecom operator, Kyivstar, for months leading up to a major cyberattack in December 2022.
Months of Access Enabled Destructive December Attack
According to a statement by Illya Vityuk, head of Ukraine’s cybersecurity department, the Russian hackers were inside Kyivstar’s systems since at least May 2022. This long-term access enabled them to study the company’s systems and networks, later launching a highly disruptive attack on December 21st that wiped data from thousands of computers.
“They had full access to the Kyivstar system for eight months,” Vityuk said. This gave them time to conduct reconnaissance while Kyivstar remained unaware of the breach.
When the Russian hackers, part of the notorious hacking group Sandworm operating under the GRU, finally initiated the cyberattack in late December, they were able to rapidly spread through Kyivstar’s networks and wipe data. The effects were severe – the attack wiped data from several thousand Kyivstar computers, deleted backups, disabled equipment, and impaired services for Kyivstar’s tens of millions of customers.
Cyber Spy Chief Warns “No One is Untouchable” from Russia
Vityuk’s revelation underscores the major cyber threat Russia poses as it continues its invasion of Ukraine. Warning that Russian hackers have already shown they can hit telecom systems in NATO countries like Estonia and Lithuania, the cyber spy chief cautioned that “no one is untouchable” from Russian cybersabotage operations. Western infrastructure could be the next target.
“Russian hackers and the Russian nation are the most dangerous threats in cyberspace,” Vityuk said.
By breaching Ukraine’s largest telecom serving about 55% of Ukrainian mobile customers, Russian forces have also gained valuable customer data and network intelligence they could exploit for surveillance, further espionage activities, or future attacks.
Months to Recover from Kyivstar Hack
Kyivstar says it could take months to recover from the extensive damage of the late December wipe attack. Following the hack, customer invoice systems were impaired and retail stores could not serve customers. Restoration work is still ongoing to rebuild wiped systems, recover lost data, and enable affected equipment.
The full impact is still being evaluated according to Kyivstar’s Chief Information Security Officer Oleksandr Bezuhlyi:
“The attack was complex and harmful, so now we are evaluating all the implications, but we keep working and our services are stable.”
Bezuhlyi also refuted claims that Russian hackers stole customer personal information, stating Kyivstar found no evidence of stolen customer data. The primary impact appears to have been disruption through destruction of data and equipment.
Telecom Networks Critical Infrastructure
As Ukraine’s largest telecom operator commanding over half of Ukraine’s mobile market, Kyivstar constitutes important communications infrastructure being actively targeted by Russia in its hybrid war on Ukraine. The December attack followed earlier DDoS attacks on Ukrainian telecoms infrastructure in April 2022 at the start of Russia’s renewed invasion.
Disruption of Ukraine’s telecommunications threatens civilian and military communications capabilities key to coordinating Ukraine’s defense. Below is a breakdown of Ukraine’s main telecom operators, their market share, and impact if networks go down:
| Operator | % Market Share | Risks if Networks Disabled |
|---|---|---|
| Kyivstar | ~55% | Loss of comms for over half of Ukraine’s population and armed forces |
| Vodafone Ukraine | ~28% | Loss of comms for over a quarter of Ukraine’s population and armed forces |
| lifecell | ~18% | Loss of comms for close to a fifth of Ukraine’s population and armed forces |
By targeting these networks, Russia degrades Ukraine’s infrastructure and civilian access to communications.
Bracing for More Cyberattacks
Ukraine’s state authorities and critical infrastructure providers are now on high alert and bracing for further Russian cyber warfare.
After the Kyivstar breach, Ukraine’s national telecom regulator appealed to operators to take additional security measures given the “real threat of massive cyberattacks by the aggressor country Russia“. State-owned enterprises like energy company Ukrenergo are also boosting cyber defenses after suffering hacks earlier in Russia’s war on Ukraine.
Meanwhile Russia continues honing its cyber arsenal, recently announcing plans to develop AI-powered cyberweapons to automate cyberattacks. The Kyivstar breach further evidences Russia’s advanced persistent threat capabilities enabling long-term, stealthy access prepping for future sabotage.
With Russian forces still occupying Ukrainian territory as the war continues, the risk of further destructive cyber actions remains high. Vityuk cautioned Western countries they could also be impacted by Russia’s aggressive hacking apparatus. The Kyivstar attack presents a sobering case study of just how extensively Russian hackers can infiltrate critical networks, biding their time to unleash chaos.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
