Kyivstar telecom slowly back up after massive cyberattack, two Russian groups take claim


Ukraine’s largest mobile and internet provider Kyivstar has started to come back online after a massive cyberattack left more than half the nation’s population without service. Meanwhile, two separate Russian hacker groups are claiming responsibility for the attack.

Kyivstar CEO Oleksandr Komarov – who called the Tuesday, December 12th attack "the biggest cyber attack on telco infrastructure in the world" – said voice services will be restored first, followed by data, SMS, and other services.

Hundreds of experts and dozens of institutions are said to be involved in the restoration effort.

“At 18:00, our team started turning on voice communication throughout Ukraine. And we are incredibly happy that the connection is starting to appear, and you can call your relatives,” the company posted on X.

Komarov said the company would “go step by step” ensuring each rebuilt service can withstand the load before moving on to the next, hopefully over the next few days, but in reality full restoration of all services could take weeks.

Meanwhile, new information on how the Kyivstar breach took place was released late Wednesday.

“Russian hackers broke through Kyivstar's cyber security through the compromised account of one of the company's employees,” Komarov said in an on-air interview, the Kyiv Independent posted on X.

Attack was 'enormous hit'

In total, about 24.3 million mobile subscribers and another 1.1 million home internet subscribers, plus businesses and state offices, rely on Kyivstar’s services.

Besides mobile and internet outages, IT infrastructure was reported severely damaged, and in some parts of the country, air raid alert systems, relied on by citizens for safety in the event of a Russian strike, were also down.

Many stores were unable to process credit card payments, ATMs were not functioning, and automatic street lighting in some of Ukraine's largest cities failed, the Kyiv Post also reported.

"The current situation in Kyivstar is extremely difficult. I am quite confident that this is a well-planned, long-term focused attack on Ukrainian critical infrastructure," Komarov told Ukrainian news outlets on Tuesday. “It’s an enormous hit on the infrastructure,” he said.

Komarov commented that Kyivstar had withstood more than 500 serious cyber attacks since the Russian invasion on February 24th, 2022.

"It was not the first attack. The number of attacks since the beginning of the invasion has grown exponentially," the CEO stated.

The telecom giant promised to compensate all subscribers and corporate clients affected by the outage once service is fully restored.

The company, which is owned by Amsterdam-listed mobile telecoms operator Veon, also posted on X Wednesday that all subscriber information and personal data were safe.

“The systems in which this data is stored were not affected by the hacker attack,” it said.

Multiple Russian gangs want credit

It's not clear exactly who was responsible for the unprecedented attack, but two known Russian threat groups have since claimed responsibility.

On Tuesday the notorious Russian-linked hacktivist group KillNet claimed responsibility for the “Powerful Attack” with heartbeat emojis on its Telegram channel.

“Today we are back. An attack was carried out on Ukrainian mobile operators, as well as on some banks. Today we were just testing what our new colleagues are capable of…” the group posted.

[Image: KillNet Kyivstar claim. KillNet Telegram channel, December 12, 2023. Image by Cybernews.]

But on Wednesday, another known Russian-affiliated gang – known as Solntsepyok – said it was responsible for the attack, also posting a claim on Telegram.

Solntsepyok, which translates to Sun Blaze, posted screenshots that seemed to show they had access to Kyivstar's servers, according to Reuters news agency.

"We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as state bodies and Ukraine's security forces," the Solntsepyok post said.

"To the other offices helping the Ukrainian Armed Forces: be prepared!"

Solntsepyok also posted that it had destroyed more than 10,000 Kyivstar computers, 4,000 servers, as well as its cloud storage and backup systems.

“We assure you that the rumors about the destruction of our "computers and servers" are simply fake,” Kyivstar posted on X.

Meanwhile, Ukraine's domestic intelligence agency, the Security Service of Ukraine (SBU), also said on Wednesday that a Russian group claiming the attack was a hacking unit of Russia's military intelligence service GRU.

Ukraine’s cyber defense agency, the State Service of Special Communications and Information Protection (SSSCIP), said in a statement it was investigating Moscow’s possible ties to the attack in tandem with the SBU.

"Responsibility for the cyberattack was taken by one of the Russian groups whose activities are associated with the main directorate of the General Staff of the Armed Forces of the Russian Federation [Russia's GRU military intelligence agency]," the SBU said.

"This once again confirms Russia's use of cyberspace as one of the domains of the war against Ukraine," it said, without naming the suspected group.

Russia has repeatedly denied being behind such cyberattacks.

Earlier this year, the SSSCIP identified Solntsepyok as a front for a Russian hacking group dubbed "Sandworm" which has been previously linked to the GRU.
