Russian Sandworm Hackers Lurked Inside KyivStar Systems in KyivStar Cyber Attack

Written by Mitchell Langley

January 5, 2024


The Russian Sandworm hackers breached Kyivstar, Ukraine’s largest telecommunications service provider, and stayed inside its systems for several months before the attack in December, which resulted in the complete wiping of all systems on the company’s core network.

As a result of the KyivStar cyber attack, the telecommunications provider experienced a complete shutdown of its mobile and data services, leaving its 25 million subscribers without internet access.

Illia Vitiuk, the head of the Security Service of Ukraine’s (SSU) cybersecurity department, confirmed in an interview with Reuters that the breach occurred in May 2023.

The cyberattackers executed the KyivStar cyber attack several months after infiltrating the system, resulting in the destruction of numerous virtual servers and computers.

Their actions had a devastating impact on the core infrastructure of the telecommunications operator, causing significant damage.

“For now, we can say securely, that they were in the system at least since May 2023. I cannot say right now, since what time they had … full access: probably at least since November,”

Illia Vitiuk says in his statement.

“After a large-scale break, we prevented a number of attempts to cause even more damage to the operator,”

“Currently, the cyber specialists of the Security Service are already researching individual samples of malware used by the enemy. The attack was carefully prepared for many months.”

Vitiuk added in the statement published on the website.

The KyivStar cyber-attack had a significant impact on the civilian population of the country; however, it is worth noting that military communications remained largely unaffected.

Illia Vitiuk explained that this was due to the implementation of different algorithms and communication protocols by Ukraine’s Defense Forces, which helped safeguard their systems from the attack.

Russian Sandworm Military Hackers Take Responsibility for KyivStar Cyber Attack

After the KyivStar telecom cyberattack, both the CEO of Kyivstar and the Security Service of Ukraine (SSU) raised the possibility of Russian hackers being responsible for the attack, considering the ongoing conflict between Ukraine and Russia.

The following day, a group called Solntsepek, believed to be affiliated with the Russian military hacking group Sandworm, claimed responsibility for the cyberattack.

According to their statement, they are the ones who carried out the KyivStar telecom cyberattack and successfully wiped out 10,000 computers and thousands of servers on Kyivstar’s network.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems,” the group said in a Telegram post.

“We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine.”

In a recent update, Vitiuk officially confirmed that the December attack on Kyivstar was indeed orchestrated by the Russian military intelligence unit known as Sandworm.

He further revealed that Sandworm has been involved in multiple cyberattacks targeting various Ukrainian entities, specifically focusing on telecom operators and internet service providers (ISPs).

According to a report released by Ukraine’s Computer Emergency Response Team (CERT-UA) in October, Russian Sandworm hackers have successfully breached the networks of 11 Ukrainian telecom service providers since May 2023.

These attacks have resulted in service disruptions as the hackers utilized scripts to wipe out Mikrotik equipment and backups during the final stages of their operations to make the recovery process more challenging.
