Russians Hacked Ukrainian Phone Network – What Ukrainian Cyber Security Chief Reveals

As the Russian invasion of Ukraine continues for a second year, Ukraine’s cyber security chief revealed to Reuters that the Russians had been “infiltrating” the system of Ukrainian telecommunications giant Kyivstar since at least last May.

In particular, Russian hackers knocked out the services that Ukraine’s largest telecommunications operator provides to about 24 million users for days, starting on December 12.

What the head of cyber security reported

In an interview, Ilya Vitiuk, head of the Cybersecurity Department of the Security Service of Ukraine (SBU), revealed exclusive details about the hacking, which he said created major problems and was aimed at inflicting psychological harm on citizens and gathering information.

“This attack is a big message, a big warning, not only for Ukraine, but for the whole Western world to understand that no one is actually untouchable,” said Ilya Vitiuk, noting that Kyivstar was a rich, private company that invested heavily in cyber security.

The attack wiped out “almost everything,” including thousands of virtual servers and computers, he said, describing it as perhaps the first example of a catastrophic cyberattack that “completely destroyed the core of a telecommunications carrier.”

When they broke into Kyivstar

During its investigation, the SBU found that hackers probably tried to infiltrate Kyivstar in March or earlier, he said in a Zoom interview on December 27.

“For now, we can say with certainty that they have been in the system since at least May 2023,” he said. “I can’t say at the moment, since when they had … full access: probably at least since November.”

With the level of access they gained, the hackers could steal personal information, track phone locations, intercept SMS messages and perhaps steal Telegram accounts, the SBU estimated.

What representatives of the telecommunications company say

A spokesperson for Kyivstar said the company is working closely with the SBU to investigate the attack and will take all necessary measures to eliminate future risks, adding: “No incidents of personal and subscriber data leakage have been revealed.”

Vitiuk said the SBU helped Kyivstar restore its systems within days and fend off new cyber attacks. “After the big outage there were several new attempts aimed at causing more damage to the operator,” he said.

“Kyivstar is the largest of Ukraine’s three main telecommunications providers, and there are about 1.1 million Ukrainians living in small towns and villages where there are no other providers,” Vitiuk said.

“The attack did not have a big impact on the Ukrainian army”

"People rushed to buy other SIM cards because of the attack, creating long queues. ATMs using Kyivstar SIM cards for the internet stopped working and the air raid siren – used during missile and drone attacks – did not work properly in some areas," he said.

He said the attack did not have much impact on Ukraine’s military, which does not rely on telecommunications carriers and uses what he described as “different algorithms and protocols.” “In terms of drone detection and missile detection, fortunately, no, this situation has not affected us strongly,” he said.

Hard to investigate the attack – Who is behind the hackers?

Investigating the attack is more difficult due to the shutdown of Kyivstar’s infrastructure. Vitiuk said he is “pretty sure” it was carried out by Sandworm, a Russian military intelligence cyberwarfare unit that has been linked to cyberattacks in Ukraine and elsewhere.

A year ago, Sandworm infiltrated a Ukrainian telecommunications carrier but was tracked down by Kyiv because the SBU itself had penetrated Russian systems, Vitiuk said, declining to identify the company. The previous hack has not been reported before.

Vitiuk stated that “the pattern of behavior suggests that telecom operators could remain a target for Russian hackers.” “The SBU prevented more than 4,500 major cyberattacks on Ukrainian government agencies and critical infrastructure last year,” he said.

The method of penetration into the telecommunications company is under investigation

Vitiuk said SBU investigators are still working to determine how Kyivstar was infiltrated and what kind of trojan horse malware could have been used for the breach, adding that it could have been phishing, help from someone inside the company or something else.

If it was an inside job, the insider who helped the hackers did not have a high level of authority at the company, as the hackers used malware of the kind used to steal password hashes, he said.

“The attack on Kyivstar may have been made easier because of the similarities between it and Russian mobile operator Beeline, which was built with similar infrastructure,” Vitiuk said.

They attacked when Zelensky was in the US

The disaster at Kyivstar began at approximately 5:00 a.m. local time, while Ukrainian President Volodymyr Zelensky was in Washington, pressing the West to continue providing aid.

Vitiuk said the attack was not accompanied by a major missile and drone strike at a time when the world was experiencing communication difficulties, which limited its impact while also giving up a powerful intelligence-gathering tool.

Why the hackers chose Dec. 12 to attack is unclear, he said, adding, “Maybe some colonel wanted to be a general.”