Russia’s Sandworm Was in Kyivstar’s Network for Six Months Before Executing Massive Attack

Ukraine spy chief said the Russian military intelligence-affiliated group destroyed Kyivstar’s virtual servers and PCs forming the core of its infrastructure.

January 5, 2024

Sandworm cyberattack on Kyivstar
  • Weeks after suffering one of the biggest cyberattacks since the onset of the conflict with Russia, Ukraine’s spy head disclosed that Russian threat actors were inside the Kyivstar network for six months.
  • Customers of Ukraine’s largest telecom carrier could thus be subject to more than just the four-day disruption it suffered in December 2023.

This week, Ukraine’s spy chief warned Western organizations of the possibility of Russia-based threat group Sandworm’s malicious operations against them. Illia Vitiuk, the head of the Department of Cyber and Information Security of the Security Service of Ukraine (SSU), also shared that Sandworm’s attack on Kyivstar, discovered in December 2023, went back to May 2023.

The attack left the Ukrainian telecom major’s 24 million subscribers without cellular and data services. Mike Newman, CEO of My1Login, told Spiceworks, “This massive attack rocked Ukraine at the end of last year, putting many people in physical danger because of air raid sirens not working.”

Solntsepyok, a.k.a. Sandworm, took responsibility for the attack, which caused a four-day ordeal in the second week of December in the war-torn country. According to Vitiuk, who spoke with Reuters, the cyberattack “completely destroyed the core of a telecoms operator,” including Kyivstar’s virtual servers, PCs, and other infrastructure.

This is in direct contrast to Kyivstar’s statement from December last year, which called reports of the destruction of computers and servers “fake.” The company added that the personal information of its customers and the systems storing it remained unaffected.

Vitiuk confirmed that while Ukraine’s largest telecom carrier was compromised in May 2023, full access to its systems was attained probably in November. “This raises questions around why they were not detected sooner and why the criminals took so long to launch such a devastating attack,” Newman said.

However, military communications remained largely unaffected by the attack, thanks to their reliance on a separate set of algorithms and protocols, Vitiuk said.


William Wright, CEO of Closed Door Security, added, “If attackers sat on the organization’s network for over six months, they would have accessed most of the operator’s data, so only time will tell how this is used against the business, its customers and Ukraine.”

“On the surface, this looks like another hack of a business, but it’s highly likely this is a nation-state attacking another nation-state. We’ve seen a significant surge in these types of attacks since the start of the war in Ukraine,” Wright continued.

“Arguably, this attack on what can be seen as critical national infrastructure will have been used to gather as much information as possible before the attackers executed the kill switch to destroy the infrastructure. A two-pronged attack of gathering information then causing as much chaos as possible is reminiscent of the Maersk attack in 2017, which caused around $10 billion of damages.”

Sandworm is suspected to be affiliated with the Russian military intelligence agency GRU. Between May and September 2023, Sandworm compromised 11 telecom carriers, according to an October 2023 disclosure from Ukraine’s Computer Emergency Response Team (CERT-UA).

“This attack is a big message, a big warning, not only to Ukraine but for the whole Western world to understand that no one is actually untouchable,” Vitiuk said.

The initial attack path and infiltration remain undisclosed to the public, though Newman’s prime suspect is phishing. “This would explain why malicious activity was not detected by threat detection tools, as the adversary would have been perceived as a legitimate user,” Newman said.

“If the employee never knew they had been phished, they would have no reason to report anything malicious to their security team, so the attackers could have operated under the radar, escalating their network privileges, before they had everything they needed to launch a powerful attack.”

How can organizations better detect threats within their systems? Share with us on LinkedIn, X, or Facebook. We’d love to hear from you!

Image source: Shutterstock


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com