Ukraine Fingers Russian Military Hackers for Kyivstar Outage

Ukraine’s domestic security agency on Wednesday fingered Russian military hackers as being responsible for hacking Kyivstar, in a statement acknowledging damage to the telecom operator’s digital infrastructure.

See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape

Ukraine’s top telecom operator was the target of a Tuesday cyberattack that knocked internet access and mobile communications offline. The company accounts for roughly half of Ukraine’s mobile subscriber base, and the outage has led to disruption in air raid sirens, retail credit payments and ATM access to major banks (see: Top Ukrainian Mobile Operator Kyivstar Hit by Cyberattack).

A spokesman for the Ukrainian ground forces said on national television Tuesday that there has been “absolutely no impact of the situation on the activities of the servicemen,” a Ukrainian business newswire reported.

The Security Service or Ukraine – the SBU – accused the Russian General Staff Main Intelligence Directorate, better known as the GRU, for the hacking. The threat actor critically damaged the telecom’s digital infrastructure, the SBU said.

“This reaffirms the use of cyberspace as a warfare domain by Russia in its aggression against Ukraine,” the State Service of Special Communications and Information Protection of Ukraine said.

The attack came as Ukrainian President Volodymyr Zelenskyy was in Washington, D.C., to boost the case for additional military aid. A proposed injection of $60 billion is being held up by congressional Republicans who are conditioning aid on tougher measures on asylum seekers and in the American Southwestern border. U.S. President Joe Biden in a joint appearance with Zelenskyy at the White House on Tuesday warned that without the additional funding, the United States will not be able to help Ukraine ward off Russian aggression. “Putin is banking on the United States failing to deliver for Ukraine. We must, we must, we must prove him wrong,” he said, referring to Russian President Vladimir Putin.

Kyivstar started restoring voice services to some clients late on Wednesday, Reuters reported. CEO Oleksandr Komarov told the newswire the attack is likely “a well-planned, long-term focused attack on Ukrainian critical infrastructure.”

Komarov said in a televised interview Wednesday that hackers had infiltrated Kyivstar through an internal employee account, a Ukrainian news outlet reported.

Two apparently Russia groups have taken responsibility for the hacking. One of them, KillNet, is likely opportunistically taking credit and has offered no proof, cybersecurity experts say. The other group is called Solntsepek. It posted on Telegram that it had “destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems,” according to machine translation from the original Russian. It posted screenshots of what appear to be Kyivstar digital infrastructure.

On its social media account, Kyivstar took a defiant stance, stating that “rumors about the destruction of our ‘computers and servers’ are simply fake.”

John Hultquist, head of threat intelligence agency at Mandiant, said that the name Solntsepek previously has served as a front for the GRU hacking group popularly known as Sandworm. “The persona was probably fabricated by the GRU to launder their operations publicly,” he added in an emailed statement. Russian state hackers have long used fronts to claim responsibility for disruptive cyberattacks. Sandworm has targeted Ukraine with cyberattacks for more than half a decade, including two disruptions of the electricity grid prior to Russia’s February 2022 invasion. Mandiant has called the group Kyiv’s “greatest threat for destructive and disruptive attacks” in cyberspace.

The SBU has initiated a criminal investigation into the cyberattack.

Kyivstar emphasized Wednesday that the hackers do not appear to have stolen information.

“We’ve seen all the screenshots from Telegram channels. But they depict deliberately collected technological data that does not belong to the personal data of our subscribers,” the company said in a Facebook post. “We state with all responsibility that your personal data is safe! The systems in which this data is stored were not affected by the hacker attack. Also, the rumors about destroying our ‘computers and servers’ are fake.”

Komarov has said Kyivstar will provide compensation to its subscribers, leading phishers to exploit the promise, the Cyberpolice of Ukraine said. Cybercriminals are using fake bots in messengers to distribute phishing links under the pretext of compensation and information about the terms of resumption of services of the Kyivstar communications operator, authorities warned.

With reporting by Information Security Media Group’s David Perera in Washington, D.C.