Everything we know about the Kyivstar cyberattack


Kyivstar suffered an attack by Russian hackers that lasted for months and wiped out the telecommunication company’s systems.

The hack affected 24 million users for multiple days in December 2023 and had gone undetected for as long as six months.

“Kyivstar is one of Ukraine’s largest mobile operators, so it is concerning this attack wasn’t spotted sooner,” said William Wright, CEO of Closed Door Security.

The telecommunications company, which covers all major cities in Ukraine alongside other rural areas in the country, is a necessary service with 24.3 million mobile and 1.1 million home internet subscribers. Many state and commercial organizations also rely on Kyivstar.

Kyivstar’s core systems were destroyed during the most violent stage of the attack, months after the initial infiltration. Hackers wiped out thousands of virtual servers and computers while destroying the center of the telecommunications operator, BleepingComputer reported.

“Reports around the destruction of Kyivstar’s virtual infrastructure coincide with reports of air raid sirens in Kyiv malfunctioning, as well as payment terminals and multiple banks suffering disruption, and issues reported with payment for public transportation,” said Adam Meyers, head of Counter Adversary Operations, Crowdstrike.

Sandworm behind the attack

Upon investigation, Kyivstar’s CEO and the Security Service of Ukraine inferred that Russian hackers may have been responsible for the attack.

“Since the onset of the conflict, Russian cyber operators have conducted intrusion operations for espionage, information operations, and destructive purposes against Ukrainian targets,” said Meyers.

The Solntsepek – which has been previously linked to the notorious Sandworm – group quickly claimed the December attack a day later, stating that they “destroyed 10,000 computers, more than 4000 servers, all cloud storage and backup systems” in a Telegram post titled Zelensky!!! Attention!!!

In the post, they claimed to attack Kyivstar “because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine.”

The group warned, “The rest of the offices helping the Armed Forces of Ukraine, get ready!”

Vitiuk told Reuters that the attack had “disastrous” effects with the intention of inflicting psychological torment and gathering information.

“An overarching motivation for the adversary is to contribute to psychological operations seeking to degrade, delegitimize, or otherwise influence public trust in state institutions and sectors such as government, energy, transportation, and media,” added Meyers.

Since the beginning of the war in Ukraine, the country “remains the laboratory of cyber conflict as various pro-Russia groups continue to leverage cyber and psychological operations, disinformation, and misinformation to demonstrate the impact of physical and digital warfare,” said Meyers.

Who is Sandworm?

Sandworm is a prolific state-sponsored advanced persistent threat (APT) group that has conducted various cyberattacks on Ukraine.

This includes an attempt to spoof the results of the 2014 election by attacking the Ukrainian Central Election Commission.

The hacker collective is also notorious for orchestrating the first-ever blackout triggered by hackers on the Ukrainian power grid, leaving roughly 260,000 people without power in October 2022.

How did they do it?

It’s unclear as to the intricate details of the cyberattack. However, experts believe that a phishing attack may be the initial cause of the hack.

“It’s not clear how the attack was initially executed, but if the perpetrators managed to phish an employee for their login credentials, that could have been their gateway. This would explain why the malicious activity was not detected by threat detection tools, as the adversary would have been perceived as a legitimate user,” said Mike Newman, CEO of My1Login.

If a phishing attack had occurred, there would be no cause for alarm as the attacks would be operating “under the radar,” which could escalate their “network privileges before they had everything needed to launch a powerful attack,” Newman said.

Kyivstar wrote in a post that they are “incredibly grateful” for continued “support and understanding.”

The telecommunications company continued, “The enemy does everything to separate and leave us without communication.”