Ukrainian cybersecurity officials have revealed that the Russian state-sponsored threat actor known as Sandworm had been inside the systems of telecom operator Kyivstar since at least May 2023.
The development was first reported by Reuters.
The incident, described as a “powerful hacker attack”, first came to light last month, disrupting access to mobile and internet services for millions of customers. Soon after the incident, a Russia-linked hacking group called Solntsepyok claimed responsibility for the breach.
Solntsepyok has been identified as a Russian threat group with affiliations to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.
The advanced persistent threat (APT) actor has a track record of carrying out disruptive cyberattacks, with Denmark accusing the hacking organization of targeting 22 energy sector companies last year.
Illia Vitiuk, head of the cybersecurity department of the Security Service of Ukraine (SBU), said that the attack against Kyivstar wiped out almost everything from thousands of virtual servers and computers.
The incident “completely destroyed the core of a telecom operator,” he said, noting that the attackers were likely to have had full access since at least November, months after gaining an initial foothold in the company’s infrastructure.
“The attack was meticulously prepared over the course of several months,” Vitiuk said in a statement shared on the SBU website.
Kyivstar, which has since restored its operations, said there was no evidence that customers’ personal data had been compromised. It is currently unknown how the threat actor entered its network.
It is noteworthy that the company had earlier dismissed as “false” the speculation that the attackers had destroyed its computers and servers.
The disclosure comes as the SBU revealed earlier this week that it took down two online surveillance cameras that were allegedly hacked by Russian intelligence agencies to spy on the defense forces and critical infrastructure in the capital city of Kyiv.
The agency said the compromise allowed the adversary to gain remote control of the cameras, adjust their viewing angles, and connect them to YouTube to capture “all visual information in range of the cameras.”