Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months

Ukrainian authorities revealed that Russia-linked APT Sandworm had been inside telecom giant Kyivstar at least since May 2023.

Russia-linked APT group Sandworm was inside Ukrainian telecoms giant Kyivstar from at least May 2023, the head of the Security Service of Ukraine (SBU) told Reuters.

“This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable,” said Illia Vitiuk, head of Ukraine’s SBU.

The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.

In December, Kyivstar, Ukraine’s largest telecom service provider, went down after a major cyber attack. The Ukrainian telecommunications company provides communication services and data transmission based on a broad range of fixed and mobile technologies, including 4G (LTE), in Ukraine.

The Kyivstar mobile network serves about 26 million mobile customers and more than 1 million broadband fixed internet customers in the country.

All mobile communications and internet access were temporarily interrupted.

Vitiuk explained that threat actors wiped “almost everything”, including thousands of virtual servers and PCs. The attack has “completely destroyed the core of a telecoms operator.”

The investigation conducted by the SBU revealed that the APT group probably attempted to penetrate Kyivstar in March or earlier.

“For now, we can say securely, that they were in the system at least since May 2023,” Vitiuk added. “I cannot say right now, since what time they had … full access: probably at least since November.”

“After the major break there were a number of new attempts aimed at dealing more damage to the operator,” he added.

The SBU determined that, with the level of access they gained, the threat actors would have been able to steal personal information, track the locations of phones, intercept SMS messages, and perhaps steal Telegram accounts.

The SBU helped Kyivstar in recovering from the cyber attack.

Vitiuk pointed out that the attack had no big impact on Ukraine’s military, which did not rely on telecoms operators.

“Speaking about drone detection, speaking about missile detection, luckily, no, this situation didn’t affect us strongly,” he explained.


Pierluigi Paganini

(SecurityAffairs – hacking, Kyivstar)