Adrian Johnson
TLDR:
- Russia-linked hackers attacked Ukraine’s largest telecom operator, Kyivstar, leaving millions of customers without mobile signal and internet for days.
- The hackers likely gained initial access to the company’s systems by compromising an employee account and then gradually escalating privileges.
The CEO of Kyivstar, Oleksandr Komarov, revealed details about the Russian cyberattack that crippled Ukraine’s largest telecom operator, leaving millions of customers without mobile signal and internet service for several days. Speaking at a cybersecurity conference in Kyiv, Komarov explained that the hackers compromised an employee account to gain initial access to the systems. They then gradually escalated their privileges to gain control over Active Directory, and from there, they could do as they pleased within the network.
The head of Ukraine’s security service cybersecurity department, Illia Vitiuk, clarified that the attack did not originate from within the company, as there was insufficient evidence to support that claim. Vitiuk stated that the investigation into the incident is ongoing and will take a long time due to the extensive damage caused by the hackers, who destroyed hundreds of Kyivstar servers and wiped thousands of computers.
While the hackers attempted to penetrate Kyivstar beginning in March 2023, they likely gained full access to the network in November of that year, remaining undetected for months. Komarov explained that the group used a zero-day wiper malware that Kyivstar’s protection systems could not identify. The hackers had planned a two-wave attack, targeting both virtual and physical infrastructure. They succeeded in wiping out virtual servers but failed to cause damage to physical equipment.
Komarov noted several reasons why the attack on physical infrastructure was thwarted. The company’s quick response included disconnecting the equipment, a conflict between the two attacks hindered their development, and the cybercriminals did not take into account the diversity of vendors serving Kyivstar’s physical infrastructure. If the second wave of the attack had succeeded, nearly 100,000 of Kyivstar’s base transceiver stations, which linked mobile devices to the network, could have been damaged. This would have required months to restore communication manually.
Komarov emphasized that the attack on Kyivstar was a meticulously planned military operation that lasted several months. However, he refuted claims that the company was ill-prepared, stating that Ukrainian telecom operators have faced continuous cyber threats since the beginning of the war. He also acknowledged vulnerabilities in the architecture of Kyivstar’s systems, which are too centralized, making them easier for hackers to navigate. The company plans to restructure its systems and implement micro-segmentation to enhance security and prevent unauthorized movement between systems.
