Russia's Sandworm officially blamed for Kyivstar cyberattack

Ukrainian security services investigating possible insider threat

Russia's Sandworm officially blamed for Kyivstar cyberattack

Ukraine's security services say the attack "destroyed the core" of Ukraine's largest telco.

The December cyberattack on Kyivstar, Ukraine's largest telecoms operator, was likely perpetrated by Sandworm, a state-sponsored Russian hacking group thought to be a military intelligence cyberwarfare unit.

Sandworm has precedent for attacking Ukraine, launching multiple attacks against the country's infrastructure in the early days of the war.

Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department, told Reuters that the attack was "a big message" to Ukraine and the West "to understand that no one is actually untouchable."

The SBU found that the attackers may have breached Kyivstar in March or earlier, were definitely in the system from May 2023, and had full access "probably at least since November."

Using that access they would have been able to take personal information, pinpoint phone locations and possibly even steal Telegram accounts.

The SBU helped Kyivstar restore its systems and protect itself against further attacks - several of which were identified - in the days after the first wave of destruction.

A source at the SBU said in December that the level of damage to Kyivstar's infrastructure, and lack of any financial demand, indicated a like state-sponsored culprit. Vitiuk now says he is "pretty sure" that Sandworm is responsible.

He added that Sandworm had penetrated a Ukrainian telco a year earlier - which had not previously been announced - but was found because the SBU was itself inside Russian systems.

A group called Solntsepyok ('Scorching sunlight'), which the SBU believes is affiliated with Sandworm, has claimed responsibility.

Cleaning house

The SBU is now helping Kyivstar identify the starting point for the attack. A malicious insider, phishing and other methods are being investigated.

If it was an insider the SBU believes it was someone with a relatively low level of clearance, as the hackers had to use malware to steal password hashes. However, the size of Kyivstar's infrastructure - the largest telco in Ukraine - would have made it difficult to navigate without guidance, Vitiuk said.

The attack, on 12th December, was not accompanied by a ground-based offensive or artillery strikes, leaving the reasoning behind the date unclear.

"Maybe some colonel wanted to become a general," he speculated.