The destruction at Kyivstar began at around 5:00 a.m. local time while Ukrainian President Volodymyr Zelenskiy was in Washington, pressing the West to continue supplying aid.
The attack wiped "almost everything", including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator."
Ukraine’s cyber spy chief says attack on Kyivstar should serve as a ‘BIG WARNING’ to The West
LONDON, Jan 4 (Reuters) - Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters.
The hack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.
The hack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.
In an interview, Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department, disclosed exclusive details about the hack, which he said caused "disastrous" destruction and aimed to land a psychological blow and gather intelligence.
- "This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable," he said.
- He noted Kyivstar was a wealthy, private company that invested a lot in cybersecurity.
- The attack wiped "almost everything", including thousands of virtual servers and PCs, he said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator."
During its investigation, the SBU found the hackers probably attempted to penetrate Kyivstar in March or earlier, he said in a Zoom interview on Dec. 27.
- "For now, we can say securely, that they were in the system at least since May 2023," he said.
- "I cannot say right now, since what time they had ... full access: probably at least since November."
A Kyivstar spokesperson said the company was working closely with the SBU to investigate the attack and would take all necessary steps to eliminate future risks, adding:
- "No facts of leakage of personal and subscriber data have been revealed."
Vitiuk said the SBU helped Kyivstar restore its systems within days and to repel new cyber attacks.
- "After the major break there were a number of new attempts aimed at dealing more damage to the operator," he said.
Kyivstar is the biggest of Ukraine's three main telecoms operators and there are some 1.1 million Ukrainians who live in small towns and villages where there are no other providers, Vitiuk said.
- People rushed to buy other SIM cards because of the attack, creating large queues. ATMs using Kyivstar SIM cards for the internet ceased to work and the air-raid siren - used during missile and drone attacks - did not function properly in some regions, he said.
He said the attack had no big impact on Ukraine's military, which did not rely on telecoms operators and made use of what he described as "different algorithms and protocols".
"Speaking about drone detection, speaking about missile detection, luckily, no, this situation didn't affect us strongly," he said.
A woman walks past a store of Ukraine's telecommunications company Kyivstar, amid Russia's attack on Ukraine, in Kyiv, Ukraine December 12, 2023. REUTERS/Alina Smutko/File Photo
RUSSIAN SANDWORM
Investigating the attack is harder because of the wiping of Kyivstar's infrastructure.
Vitiuk said he was "pretty sure" it was carried out by Sandworm, a Russian military intelligence cyberwarfare unit that has been linked to cyberattacks in Ukraine and elsewhere.
Vitiuk said the pattern of behavior suggested telecoms operators could remain a target of Russian hackers. The SBU thwarted over 4,500 major cyberattacks on Ukrainian governmental bodies and critical infrastructure last year, he said.
A group called Solntsepyok, believed by the SBU to be affiliated with Sandworm, said it was responsible for the attack.
Vitiuk said he was "pretty sure" it was carried out by Sandworm, a Russian military intelligence cyberwarfare unit that has been linked to cyberattacks in Ukraine and elsewhere.
- A year ago, Sandworm penetrated a Ukrainian telecoms operator, but was detected by Kyiv because the SBU had itself been inside Russian systems, Vitiuk said, declining to identify the company.
- The earlier hack has not been previously reported.
Vitiuk said the pattern of behavior suggested telecoms operators could remain a target of Russian hackers. The SBU thwarted over 4,500 major cyberattacks on Ukrainian governmental bodies and critical infrastructure last year, he said.
A group called Solntsepyok, believed by the SBU to be affiliated with Sandworm, said it was responsible for the attack.
Vitiuk said SBU investigators were still working to establish how Kyivstar was penetrated or what type of trojan horse malware could have been used to break in, adding that it could have been phishing, someone helping on the inside or something else.
If it was an inside job, the insider who helped the hackers did not have a high level of clearance in the company, as the hackers made use of malware used to steal hashes of passwords, he said.
Samples of that malware have been recovered and are being analyzed, he added.
If it was an inside job, the insider who helped the hackers did not have a high level of clearance in the company, as the hackers made use of malware used to steal hashes of passwords, he said.
Samples of that malware have been recovered and are being analyzed, he added.
Kyivstar's CEO, Oleksandr Komarov, said on Dec. 20 that all the company's services had been fully restored throughout the country. Vitiuk praised the SBU's incident response effort to safely restore the systems.
- The attack on Kyivstar may have been made easier because of similarities between it and Russian mobile operator Beeline, which was built with similar infrastructure, Vitiuk said.
- The sheer size of Kyivstar's infrastructure would have been easier to navigate with expert guidance, he added.
The destruction at Kyivstar began at around 5:00 a.m. local time while Ukrainian President Volodymyr Zelenskiy was in Washington, pressing the West to continue supplying aid.
Vitiuk said the attack was not accompanied by a major missile and drone strike at a time when people were having communication difficulties, limiting its impact while also relinquishing a powerful intelligence-gathering tool.
Why the hackers chose Dec. 12 was unclear, he said, adding: "Maybe some colonel wanted to become a general."
Vitiuk said the attack was not accompanied by a major missile and drone strike at a time when people were having communication difficulties, limiting its impact while also relinquishing a powerful intelligence-gathering tool.
Why the hackers chose Dec. 12 was unclear, he said, adding: "Maybe some colonel wanted to become a general."
Editing by Mike Collett-White and Timothy Heritage
---------------------------------------------------------------------------------------------------------------
___________________________________________________________________________________
PLEASE NOTE: This report relies on two sources:
- Peter Schroeder, a former CIA analyst and former principal deputy national intelligence Officer for Russia and Eurasia at the National Intelligence Council in the Office of the Director of National Intelligence (ODNI), now an adjunct senior fellow with the Transatlantic Security Program at the Center for a New American Security.
- Ronald Marks, a former CIA officer and special assistant to the assistant director of Central Intelligence for military support.
Ukraine and Russia Turn to Sabotage Plots as the War Drags On
‘WHO CAN YOU TRUST?’
PLOTTING
With little ground gained in recent weeks, Russia and Ukraine are increasingly relying behind-the-scenes on guerrilla warfare and sabotage operations.
Nearly two years into the conflict, the front lines of Russia’s war in Ukraine have grown relatively deadlocked, with no end in sight — forcing both Russian and Ukrainian forces to get creative.
With little ground gained in recent weeks, Russia and Ukraine are increasingly relying behind the scenes on guerrilla warfare and sabotage operations to put a dent in enemy morale and disrupt rival military plans.
In recent weeks, Ukraine attacked a key Russian rail tunnel in the Severomuysky mountains in an apparent attempt to disrupt supply lines from China and North Korea.
A second train exploded just days later in the Siberian region of Buryatia.
Ukrainian Special Operations Forces blew up another train last month in Melitopol that was carrying ammunition and fuel for Russian forces.
- Assassinations or attempted assassinations in the war have piled up as well.
- Partisans allegedly killed Oleg Popov, a Russian-appointed official in the occupied Luhansk region of eastern Ukraine.
- Ukraine’s security service, the SBU, reportedly killed a Ukrainian pro-Russia lawmaker, Illya Kyva, in Russia.
The military intelligence agency of Ukraine suffered an attack in the last several weeks as well.
- Marianna Budanova, the wife of the chief military intelligence officer in Ukraine, Kyrylo Budanov, was poisoned, the agency said. Several other agency employees were afflicted as well.
- But in 2024, Russian and Ukrainian operators alike will likely increasingly rely on sabotage plots to destabilize one another as the war remains in near stalemate, veteran intelligence officers said.
These kinds of tactics are particularly pertinent at this phase of the war, according to Ronald Marks, a former CIA officer and special assistant to the assistant director of Central Intelligence for military support.
“If you’re stuck, as you are right now, with no lines moving, what you’re really looking to do is inflict as much pain as you can on both sides,” Marks told The Daily Beast.
“Basically you’re trying to undermine their will and their willingness to continue to engage in this strategy.”
Employing these tactics may achieve some strategic aims like killing off certain enemy figures or disrupting supply lines crucial to the war effort, as in the case of the Severomuysky Tunnel. But across the board, their aim is likely more about shaking morale, said Marks. . .
No comments:
Post a Comment