Sandworm’s Kyivstar attack should serve as a reminder of the Kremlin crew’s ‘global reach’

Russia’s Sandworm crew appear to have been responsible for knocking out mobile and internet services to about 24 million users in Ukraine last month with an attack on telco giant Kyivstar.

The criminals lurked in the telco’s systems for at least six months leading up to the attack, then wiped “almost everything,” according to Illia Vitiuk, head of the Security Service of Ukraine’s (SBU) cyber security department. In an interview published on Thursday, the spy chief reported that the “disastrous” intrusion, which wiped thousands of the operator’s virtual servers and PCs, began long before Kyivstar’s services went dark on December 12. 

The attack also reportedly disrupted the air raid alert systems in parts of Kyiv and some banking services. That same week, two separate missile attacks pelted the Ukrainian capital, injuring at least 53 people and damaging homes and a children’s hospital.

The Kyivstar hackers broke into the network in May 2023, if not earlier, according to Vitiuk, and gained full access by November. This would have given the attackers access to customer information, phone location data, SMS messages, and potentially Telegram account credentials.

Vitiuk said he’s “pretty sure” Sandworm was responsible for the break-in. This is the crew that carries out espionage, hack-and-leak, data wiping and influence campaigns – along with a host of other illicit activities – on behalf of Russia’s GRU military intelligence unit. 

“This attack is a big message, a big warning, not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable,” Vitiuk warned. 

Kyivstar’s CEO Oleksandr Komarov declared the provider’s services were fully restored as of December 20. The telco did not immediately respond to The Register’s inquiries, but a Kyivstar spokesperson said it was working with the SBU to investigate the attack, and added that “no facts of leakage of personal and subscriber data have been revealed.”

Private-sector threat analysts told The Register that the attack is significant in that it wasn’t only used for espionage purposes, but also for hybrid warfare.

“The network was used to conduct island hopping into Ukraine’s military networks. I am very concerned that Ukraine’s counter offensive was monitored in real time and troop locations were exposed to facilitate drone strikes,” explained Tom Kellermann, SVP of cyber strategy at application security software vendor Contrast Security. 

“Personally, I am shocked that NATO was blind to this and did not mitigate it,” he added. “We should never underestimate Russia’s cyber militias.”

This military surveillance, combined with the psychological effects of cutting off Ukrainians’ phone and internet services for days, shows that Russia will continue to use offensive cyber attacks to augment the kinetic war, according to Adam Meyers, head of Counter Adversary Operations at CrowdStrike.

Russia’s Sandworm – not just missile strikes – to blame for Ukrainian power blackouts

Five Eyes nations warn Moscow’s mates at the Star Blizzard gang have new phishing targets

As lawmakers mull outlawing poor security, what can they really do to tackle online gangs?

Formal ban on ransomware payments? Asking orgs nicely to not cough up ain’t working

“Disrupting phones and disrupting infrastructure takes its toll on the people as the people remain resilient against the Russians,” Meyers told The Register. “When they can’t operate banks, can’t operate their phones, they’re losing access to data, and that’s combined with disinformation campaigns – it all adds up. It’s a force multiplier.”

CrowdStrike, he added, also believes that Sandworm, and its affiliate Solntsepek, is responsible for the attack.

Solntsepek previously claimed to be behind the Kyivstar attack, and CrowdStrike tracks Sandworm as VooDoo Bear. 

“Our assessment is carrying moderate confidence at this time based off of the adversary’s likely use of Solntsepek as a hacktivist front, the 2023 destructive operations in Ukraine attributed to VooDoo Bear, and various patterns associated with Solntsepek’s claims of targeting,” Meyers noted.  

This includes at least eight attacks against public and private organizations in Ukraine between April and August 2023, according to Meyers. “Each one had similar patterns of destructive activity, breaches, hack-and-leak activity, and distributed denial of service attacks and defacements, including fake news articles.”

Between July and September 2023, the gang added data wiping malware to their claims, and bragged they hit an additional 11 targets, Meyers added. 

“The big takeaway is that cyber is an undeniable and asymmetric tool, which enables countries to augment and maximize the impact of kinetic attacks,” he observed.

Western countries should heed Ukraine’s advice, and treat the Kyivstar hack as a warning, said John Hultquist, chief analyst at Google’s Mandiant Intelligence group.

“A serious, successful attack on telecoms like this should be especially disconcerting for Americans as Chinese operators have been targeting the sector in this country recently for similar purposes,” he told The Register. “This incident is a reminder that a major disruption of communications isn’t a far-fetched scenario.

Mandiant has also blamed Sandworm for blackouts in Ukraine in October 2022, previously believed to be caused by missile strikes. Some of the blackouts were caused by strikes on Ukraine’s electrical grid. However, a seemingly coordinated cyber attack on one of the country’s power plants also played a role, according to the threat hunters. 

“Sandworm has turned out the lights multiple times in Ukraine, but their reach is global,” Hultquist warned. “They targeted elections in the US and France, attacked the opening ceremonies at the Olympics, and they were responsible for the global NotPetya attacks – the most expensive cyber attack in history.” ®