A Digital Frontline: Unpacking the Kyivstar Cyberattack and its Implications
The digital realm has become a critical battleground in the ongoing Russia-Ukraine War, with the Kyivstar cyberattack serving as a poignant example. This incident reveals the evolving nature of cyber warfare and its ramifications on national security and global cyber resilience.
Background of Kyivstar
Kyivstar is Ukraine's largest telecom operator, providing services including mobile communications, broadband, and digital solutions. It plays a vital role in the nation's communication infrastructure, serving millions of users, including individuals, businesses, and government entities. The reach of this network and its integral role in communication made it an attractive target for anyone seeking to disrupt services, gather intelligence, or inflict psychological impact on a national scale.
Chronology of the Cyberattack
In May 2023, Russian hackers infiltrated Kyivstar's systems, culminating in a significant service disruption in December, affecting millions of users and national operations.
On December 12, the attackers penetrated Kyivstar's internal network infrastructure, which provides communications not only to millions of subscribers but also to the Armed Forces of Ukraine.
The hackers obtained the personal data of the company's clients: full names, passport details, and addresses. Moreover, the December 12 attack on Kyivstar, which counts more than half of Ukraine's population as mobile subscribers, knocked out services, damaged IT infrastructure, and put millions of people at risk of not receiving alerts of potential Russian air assaults.
Who is responsible?
The responsibility for the cyberattack on Kyivstar has been attributed to Solntsepyok, a Russian hacker group allegedly linked to the Russian Armed Forces' General Staff, as reported by the Security Service of Ukraine. While Russian authorities have not officially responded to these allegations, a source from Ukraine's cyber defense suggested that the attack was likely state-sponsored.
This assessment was based on observed patterns of data cable interception, which showed significant traffic from Russian-controlled sources directed at the affected networks. The source, who requested anonymity because of the sensitivity of the information, emphasized the strategic and organized nature of the attack.
"There's no ransom. It's all destruction. So it's not a financially motivated attack," said the source.
Illia Vityuk, Head of the Department of Cyber Security of the Security Service of Ukraine, is "almost sure" that the attack on Kyivstar was carried out by the Russian military intelligence cyber unit Sandworm, a group associated with cyberattacks in Ukraine and other countries.
Technical Analysis of the Attack
The attack was well planned but not technologically sophisticated. It relied on basic intrusion techniques combined with social engineering. Kyivstar's Chief Executive Officer, Oleksandr Komarov, noted during the national telethon that someone inside the company had helped the hackers. Even though that insider did not have a high level of access, the account was compromised, its passwords were stolen, and it served as the attackers' way in.
“We must admit that this attack broke through our defenses. This happened because the account pool was compromised, the account of one of the employees was compromised, and the enemy was able to get inside the company’s infrastructure. An investigation into this is underway,” Komarov said.
According to the investigation, the issue is not technology, but the fact that in any organization there can be people “conditionally bringing Russian missiles or giving away their passwords because social engineers work well.”
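The account takeover described above leaves traces in authentication logs long before service is disrupted: a burst of failed logins from one source followed by a success, a login from a source never before seen for that account, or activity at an hour the account is normally idle. The following script is an added example (not code from the article, from Kyivstar, or from the investigation) that scans authentication records for those three indicators and reports accounts that match. The log format, the field names, the usernames and IP addresses, and the thresholds (three consecutive failures, 00:00 to 05:59 as off-hours) are all constructed for this illustration.

```python
"""Added example: flag credential-compromise indicators in authentication logs.

Log format, field names, sample lines and thresholds are constructed for this
illustration; they are not Kyivstar's and not from the article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "<ISO timestamp> <RESULT> user=<name> src=<ip>".
# The last i.kovalenko block mimics a password-guessing burst that succeeds
# from an external address in the middle of the night.
SAMPLE_LOG = """\
2023-12-11T09:02:11 SUCCESS user=o.petrenko src=10.20.1.15
2023-12-11T09:05:40 SUCCESS user=i.kovalenko src=10.20.1.22
2023-12-11T17:31:05 SUCCESS user=o.petrenko src=10.20.1.15
2023-12-12T02:14:03 FAILURE user=i.kovalenko src=198.51.100.77
2023-12-12T02:14:09 FAILURE user=i.kovalenko src=198.51.100.77
2023-12-12T02:14:15 FAILURE user=i.kovalenko src=198.51.100.77
2023-12-12T02:14:20 FAILURE user=i.kovalenko src=198.51.100.77
2023-12-12T02:14:27 SUCCESS user=i.kovalenko src=198.51.100.77
2023-12-12T08:58:49 SUCCESS user=o.petrenko src=10.20.1.15
"""

FAILURE_THRESHOLD = 3        # assumed: consecutive failures before a success is suspicious
OFF_HOURS = range(0, 6)      # assumed: 00:00-05:59 is a quiet period for these accounts


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, failure_threshold=FAILURE_THRESHOLD, off_hours=OFF_HOURS):
    """Return a list of suspicious successful logins with the reasons each was flagged.

    A success is flagged when any of these hold:
      * it follows >= failure_threshold consecutive failures for the same user/source,
      * it comes from a source never before seen for that user (after a baseline exists),
      * it happens during off_hours.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    known_sources = defaultdict(set)   # user -> source IPs seen at earlier successful logins
    consecutive_failures = defaultdict(int)  # (user, src) -> failures since last success
    findings = []

    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAILURE":
            consecutive_failures[key] += 1
            continue

        reasons = []
        if consecutive_failures[key] >= failure_threshold:
            reasons.append(f"success after {consecutive_failures[key]} failures")
        # Only call a source "new" once the account has a history to compare against.
        if known_sources[e["user"]] and e["src"] not in known_sources[e["user"]]:
            reasons.append("new source for this account")
        if e["ts"].hour in off_hours:
            reasons.append("off-hours login")

        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "src": e["src"],
                "reasons": reasons,
                "severity": len(reasons),
            })

        # Update the baseline after a successful login, whether or not it was flagged.
        known_sources[e["user"]].add(e["src"])
        consecutive_failures[key] = 0

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} from {f['src']} severity={f['severity']}: "
              + "; ".join(f["reasons"]))
```

On the constructed log the script reports a single event: the i.kovalenko login at 02:14:27, flagged on all three indicators. The baseline rule matters in practice: the first successful login for an account is used to seed its known sources rather than being flagged, so a freshly onboarded employee does not generate noise, while any later success from an unfamiliar address does.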
Reaction and Recovery of Infrastructure
Kyivstar, for its part, did not confirm the reports that Russian hackers had been "inside" the company for many months, nor that they had accessed and leaked subscribers' personal data.
Oleksandr Komarov said the attack was "a result of" the war with Russia. "War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war," he told national television. "The attack significantly damaged our infrastructure and limited access; we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy's access."
Ukraine's cybersecurity department, alongside Kyivstar, took immediate measures to mitigate the attack's impact, demonstrating rapid response capabilities and resilience. On the evening of December 13, Kyivstar began to gradually restore communications across Ukraine, and customers could again make calls and use mobile internet.
Ukrainian Hackers’ Response
On January 9, it was reported that hackers linked to Ukraine's main spy agency had breached computer systems at a Moscow-based internet provider in retaliation for the Russian cyberattack against Ukrainian telecom giant Kyivstar.
The group known as "Blackjack", associated with the Security Service of Ukraine (SBU), deleted 20 terabytes of data at M9 Telecom, a Russian internet and TV provider, leaving some Moscow residents without internet, according to a source.
Ukraine's military intelligence, the GUR, announced that it had obtained a significant amount of confidential Russian military data. This information was reportedly acquired from the Special Technology Centre (STC), a Russian organization under sanctions, known for manufacturing the Orlan drone and various intelligence equipment used by Moscow.
Conclusions and Global Perspective
The Kyivstar attack is not just a regional issue but a global concern. It underlines the need for international cooperation in bolstering cybersecurity defenses and serves as a critical reminder of the importance of preparedness and resilience in the face of cyber threats. It is a call to action for continuous improvement in cybersecurity strategies worldwide.