Hackers infiltrate Kyivstar system months before attack, steal subscriber data

Vitiuk reveals exclusive details of the hack, which he says caused "catastrophic" damage and was aimed at inflicting a psychological blow and gathering intelligence.

"This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable," he says. He notes that Kyivstar is a wealthy private company that invests heavily in cybersecurity.

He said the attack destroyed "almost everything," including thousands of virtual servers and PCs. He called it probably the first example of a devastating cyberattack that "completely destroyed the core of a telecom operator."

During the investigation, the SSU found that the hackers probably tried to infiltrate Kyivstar in March or earlier, he says.

"For now, we can say securely, that they were in the system at least since May 2023," he says. "I cannot say right now, since what time they had ... full access: probably at least since November."

The SSU estimates that the hackers could have stolen personal information, located phones, intercepted SMS messages, and possibly stolen Telegram accounts with the level of access they had, he said.

A Kyivstar spokesperson says the company is working closely with the SSU to investigate the attack and will take all necessary measures to eliminate future risks, adding: "No facts of leakage of personal and subscriber data have been revealed."

Vitiuk says that the SSU helped Kyivstar restore its systems in a matter of days and repel new cyberattacks.

"After the major break there were a number of new attempts aimed at dealing more damage to the operator," he says.

"Kyivstar is the biggest of Ukraine's three main telecoms operators and there are some 1.1 million Ukrainians who live in small towns and villages where there are no other providers," Vitiuk says.

Because of the attack, people rushed to buy other SIM cards, creating long lines. ATMs that use Kyivstar SIM cards to access the Internet stopped working, and the air raid siren used in missile and drone attacks did not work properly in some regions, he says.

He said the attack did not have a major impact on the Ukrainian army, which did not rely on telecom operators and used what he called "different algorithms and protocols."

"Speaking about drone detection, speaking about missile detection, luckily, no, this situation didn't affect us strongly," he says.

Russian Sandworm

Investigating the attack is more difficult because of the destruction of Kyivstar's infrastructure. Vitiuk says he was "pretty sure" it was carried out by Sandworm, a cyber warfare unit of Russia's military intelligence that has been linked to cyberattacks in Ukraine and elsewhere.

A year ago, Sandworm infiltrated a Ukrainian telecom operator, but was detected by Kyiv because the SSU itself was in Russian systems, Vitiuk said, declining to name the company. The earlier hack was not previously reported.

According to Vitiuk, this pattern of behavior suggests that telecom operators may remain a target for Russian hackers. According to him, last year the SSU prevented more than 4,500 major cyberattacks on Ukrainian government agencies and critical infrastructure.

The Solntsepek group, which the SSU believes to be linked to Sandworm, has claimed responsibility for the attack.

Vitiuk says SSU investigators are still working to determine how Kyivstar was hacked or what type of trojan horse might have been used, adding that it could have been phishing, someone helping from the inside, or something else.

If it was an inside job, then the insider who helped the hackers did not have a high level of security clearance at the company, as the hackers used malware that is used to steal password hashes, he said.

Samples of this malware have been found and analyzed, he adds.

Kyivstar CEO Oleksandr Komarov said on December 20 that all services had been fully restored across the country. Vitiuk praised the SSU's incident response efforts to safely restore the systems.

According to Vitiuk, the attack on Kyivstar could have been made easier because of the similarities between it and the Russian mobile operator Beeline, which had a similar infrastructure.

He adds that the scale of Kyivstar's infrastructure would have been easier to navigate under the guidance of experts.

The Kyivstar outage began at around 5:00 a.m. local time, when Ukrainian President Volodymyr Zelenskyy was in Washington, D.C., demanding that the West continue to deliver aid.

Vitiuk says the attack was not accompanied by a major missile strike at a time when people were having trouble communicating, which limited its impact but also deprived him of a powerful intelligence-gathering tool.

Why the hackers chose December 12 was unclear, he says, adding, "Maybe some colonel wanted to become a genera."

Cyberattack on Kyivstar

The Kyivstar telecommunications company suffered a large-scale outage on December 12. Officially, the network was attacked by hackers, which has already resulted in an eight-count case.

During the outage, there was no mobile communication, mobile and home Internet.

According to UK intelligence, the cyberattack on the mobile operator is likely to be the largest-scale hacker attack since the beginning of Russia's full-scale invasion.