
Russian Hackers Had Backdoor Access to Ukraine’s Largest Telecoms Provider For Over Half of 2023

The head of cybersecurity for the Security Service of Ukraine (SSU) has told the media that Russian hackers had access to Ukraine’s biggest telecoms provider for most of 2023, and likely had “full access” for at least the months of November and December.

The Russian hackers began probing Kyivstar, the largest of Ukraine’s three major telecoms providers, in March 2023 and are thought to have established a long-term foothold by May. With that level of access the attackers could potentially intercept customer SMS messages, read private account profiles, track the locations of individual subscribers, and take over Telegram and other accounts that rely on login codes delivered by SMS.

Russian hackers dwelled in Ukrainian telecom giant’s systems for the back half of 2023

The SSU says that Kyivstar is now clear of the Russian hackers, but the incident sent Ukrainians scrambling to switch to another telecoms provider. Some, particularly in rural areas, have no alternative because no other network covers them. The SSU says the incident had no impact on the country’s military and was likely aimed at civilian targets, but some air raid sirens used to warn of incoming missile and drone attacks stopped working for a time.

The Russian hackers closed out the espionage campaign with a bang on December 12, wiping most of the PCs and virtual machines at the core of the company’s network. Kyivstar was able to restore service within days, and with strengthened defensive measures put in place with assistance from the SSU. A spokesperson for the agency says the operation is most likely the work of Sandworm, a notorious state-sponsored group that regularly targets Ukraine’s utilities and critical infrastructure.

The telecoms provider has about 25 million subscribers across its mobile and home internet services, and most lost connectivity for at least some period after the Russian hackers wiped the machines. Though the attack was highly damaging, the group’s primary goal was likely to cover its tracks after being discovered rather than to do permanent damage to Kyivstar. A December 13 Facebook post from the company said that no customer data was permanently deleted during the incident.

Telecoms provider targeted by highly advanced Russian units

Illia Vitiuk, head of the SSU’s cybersecurity department, said it is possible that an insider at the telecoms provider helped the Russian hackers. Any such insider would not have held a high level of access, however, because the hackers still had to deploy malware to steal hashed passwords from the network; an insider with privileged credentials could simply have handed them over.

Sandworm is an Advanced Persistent Threat (APT) group that has been active since at least 2007 and is believed to be operated directly by Russia’s military intelligence agency, the GRU. The Russian hackers have been linked to major incidents in Ukraine dating back to the annexation of Crimea in 2014, when they used a Microsoft Office zero-day to break into government systems. The group carried out major attacks against Ukraine’s power grid that caused days-long outages in both 2015 and 2016, and is also thought to have distributed the NotPetya malware in 2017 and attacked the 2018 Winter Olympics in South Korea. The group attacked Ukraine’s power grid again in 2022, prompting members of the UC Berkeley School of Law to petition the International Criminal Court to bring war crime charges against it.

Sandworm is far from the only group of Russian hackers that has been peppering Ukraine with attacks, however. Another major telecoms provider (which has not been named) was targeted in 2023, according to an October interview with Vitiuk. Russia has also been attempting to block Elon Musk’s Starlink satellite internet service in the country, though apparently without much effect. Sustained distributed denial-of-service (DDoS) campaigns have also been a feature of the invasion since it began, with government, airport and financial websites frequently targeted. The exchanges between the two sides have been described as the largest cyber conflict of the digital age to date, and the first to feature significant, sustained attacks by both sides over such a long period.

The war is approaching the start of its third year, and its overall status is as unclear as it has ever been. Russia holds eastern territories that it took early in the war, but the BBC and other major news outlets were describing the conflict as a “stalemate” as of December 2023. Given that, telecoms providers and other critical infrastructure companies can expect more of these advanced cyber attacks for an indeterminate period. The US and its allies have been providing cybersecurity assistance to the country since early in the war, including sending teams from US Cyber Command and providing tens of millions of dollars in financial aid. With most of the action highly classified and a “fog of war” of inaccurate information and propaganda put out by both sides, it is extremely difficult to determine how long Ukraine’s connected companies will have to remain on high alert.