- Illia Vitiuk is cyber chief in Ukraine's SBU spy agency
- Kyivstar hack destroyed telecoms giant's "core", he says
- Russian military spy unit Sandworm seen behind hack
- SBU caught Sandworm in earlier telecoms breach - Vitiuk
By Tom Balmforth
LONDON, Jan 4 (Reuters) - Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters.

The hack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.

In an interview, Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department, disclosed exclusive details about the hack, which he said caused "disastrous" destruction and aimed to land a psychological blow and gather intelligence.

"This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable," he said. He noted Kyivstar was a wealthy, private company that invested a lot in cybersecurity.

The attack wiped "almost everything", including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator."

During its investigation, the SBU found the hackers probably attempted to penetrate Kyivstar in March or earlier, he said in a Zoom interview on Dec. 27.

"For now, we can say securely, that they were in the system at least since May 2023," he said. "I cannot say right now, since what time they had ... full access: probably at least since November."

The SBU assessed the hackers would have been able to steal personal information, understand the locations of phones, intercept SMS messages and perhaps steal Telegram accounts with the level of access they gained, he said.
A Kyivstar spokesperson said the company was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks, adding: "No facts of leakage of personal and subscriber data have been revealed."

Vitiuk said the SBU helped Kyivstar restore its systems within days and to repel new cyberattacks.

"After the major break there were a number of new attempts aimed at dealing more damage to the operator," he said.

Kyivstar is the biggest of Ukraine's three main telecoms operators, and some 1.1 million Ukrainians live in small towns and villages where there are no other providers, Vitiuk said.

People rushed to buy other SIM cards because of the attack, creating large queues. ATMs using Kyivstar SIM cards for the internet ceased to work, and the air-raid siren - used during missile and drone attacks - did not function properly in some regions, he said.

He said the attack had no big impact on Ukraine's military, which did not rely on telecoms operators and made use of what he described as "different algorithms and protocols".

"Speaking about drone detection, speaking about missile detection, luckily, no, this situation didn't affect us strongly," he said.
RUSSIAN SANDWORM
Investigating the attack is harder because of the wiping of Kyivstar's infrastructure.

Vitiuk said he was "pretty sure" it was carried out by Sandworm, a Russian military intelligence cyberwarfare unit that has been linked to cyberattacks in Ukraine and elsewhere.

A year ago, Sandworm penetrated a Ukrainian telecoms operator, but was detected by Kyiv because the SBU had itself been inside Russian systems, Vitiuk said, declining to identify the company. The earlier hack has not been previously reported.

Russia's defence ministry did not respond to a written request for comment on Vitiuk's remarks.

Vitiuk said the pattern of behaviour suggested telecoms operators could remain a target of Russian hackers. The SBU thwarted over 4,500 major cyberattacks on Ukrainian governmental bodies and critical infrastructure last year, he said.

A group called Solntsepyok, believed by the SBU to be affiliated with Sandworm, said it was responsible for the attack.

Vitiuk said SBU investigators were still working to establish how Kyivstar was penetrated or what type of trojan horse malware could have been used to break in, adding that it could have been phishing, someone helping on the inside or something else.

If it was an inside job, the insider who helped the hackers did not have a high level of clearance in the company, as the hackers made use of malware used to steal hashes of passwords, he said.

Samples of that malware have been recovered and are being analysed, he added.

Kyivstar's CEO, Oleksandr Komarov, said on Dec. 20 that all the company's services had been fully restored throughout the country. Vitiuk praised the SBU's incident response effort to safely restore the systems.
The attack on Kyivstar may have been made easier because of similarities between it and Russian mobile operator Beeline, which was built with similar infrastructure, Vitiuk said. The sheer size of Kyivstar's infrastructure would have been easier to navigate with expert guidance, he added.

The destruction at Kyivstar began at around 5:00 a.m. local time while Ukrainian President Volodymyr Zelenskiy was in Washington, pressing the West to continue supplying aid.

Vitiuk said the attack was not accompanied by a major missile and drone strike at a time when people were having communication difficulties, limiting its impact while also relinquishing a powerful intelligence-gathering tool.

Why the hackers chose Dec. 12 was unclear, he said, adding: "Maybe some colonel wanted to become a general."
(Editing by Mike Collett-White and Timothy Heritage)