The Russian hackers responsible for the attack on Ukraine’s largest telco, Kyivstar, have wiped the company’s systems.
The attack, which occurred in December last year, resulted in service outages the telco originally said were the fault of a technical failure, before confirming a cyber attack.
The attack left Kyivstar’s customer base of over 25 million, more than half the country’s population, without mobile and home internet services.
Following the breach, the Security Service of Ukraine (SSU or SBU) said that it had opened criminal proceedings under eight articles of the Criminal Code of Ukraine.
The SSU added that it believed that Russian hackers were to blame for the attack and that the initial breach occurred in May 2023.
“For now, we can say securely, that they were in the system at least since May 2023. I cannot say right now, since what time they had ... full access: probably at least since November,” said SSU head Illia Vitiuk.
In December, months after the initial breach, the attack on the telco’s systems occurred. What originally was believed to be just an outage ended up being a major wipe of Kyivstar’s systems. The attack left thousands of computers and virtual servers wiped.
Following the breach, Kyivstar said it was working to resolve the issue and mitigate further damage.
“After a large-scale break, we prevented a number of attempts to cause even more damage to the operator,” added Vitiuk.
“Currently, the cyber specialists of the Security Service are already researching individual samples of malware used by the enemy. The attack was carefully prepared for many months.”
A day after the incident, the attack was claimed by Russian hackers from the Solntsepek group, who said they wiped thousands of servers and 10,000 computers.
“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems,” said the group on Telegram.
“We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine.”
Solntsepek is a group believed to be connected to Sandworm, a Russian military hacking group.
Vitiuk has since confirmed that the attack on Kyivstar was the work of the Sandworm hackers.
Update: Cyber security firm CrowdStrike has speculated that a Russian GRU adversary by the name of Voodoo Bear may be behind the attack.
“CrowdStrike Counter Adversary Operations assesses with moderate confidence that the tradecraft in the attack against Kyivstar is likely attributable to Russian GRU adversary Voodoo Bear, operating under pro-Russian hacktivist persona Solntsepek,” said Adam Meyers, head of counter adversary operations at CrowdStrike.
“Reports around the destruction of Kyivstar’s virtual infrastructure coincide with reports of air raid sirens in Kiev malfunctioning, as well as payment terminals and multiple banks suffering disruption, and issues reported with payment for public transportation.”