On December 13, the Russian hacker group ‘Solntsepek’ stated that it was behind the attack on the Ukrainian mobile operator Kyivstar.
They claim to have destroyed 10,000 computers, more than 4,000 servers, and all of the company’s cloud storage and backup systems. Moreover, they allegedly did this with the help of disaffected Kyivstar employees.
Solntsepek did not report a data breach; however, they attached screenshots of the operator’s internal documentation to the post.
They explained that they selected Kyivstar as a target because it provides connectivity for the Ukrainian Armed Forces, as well as for government agencies and security services.
In addition, Solntsepek announced attacks on other companies.
According to the SBU, this group is a unit of the Main Directorate of the General Staff of the Russian Armed Forces (GRU).
The group could be backed by Russia’s Sandworm, which in 2015 infected Ukraine’s energy and banking sectors with the NotPetya virus, according to media citing sources.
Experts note that the hackers gained access to key infrastructure nodes — the domain controller and virtualization services. Based on this, the attack could have been in preparation for several months.
Due to the disruption, restoration work will take an indefinite time. However, by December 13 Kyivstar planned to resume fixed home Internet service, as well as begin restoring mobile and Internet services.
In connection with the cyberattack, criminal proceedings were opened under eight articles:
- unauthorized interference in the operation of information systems;
- creation and distribution of malware;
- encroachment on Ukraine’s territorial integrity and inviolability;
- treason;
- sabotage;
- waging and conducting an aggressive war;
- violation of the laws and customs of war;
- creating a criminal organization.
In Kyivstar’s offices, investigators conducted on-site actions to document the circumstances of the incident.
Hackers gained access to Kyivstar’s internal infrastructure through a compromised account belonging to one of the company’s employees, CEO Alexander Komarov said during a telethon.
He added that in any organization there can be people who, effectively, ‘help direct Russian missiles or hand over their passwords, because social engineers do their jobs well’.
Earlier, on the morning of December 12, Kyivstar experienced a large-scale outage, which the company later linked to the hacking attack.
Subscribers were unable to access services and the Internet. Indirectly, this affected Kyivstar’s POS terminals and PrivatBank ATMs.
Nevertheless, the mobile operator gave assurances that customers’ personal data had not been compromised.
