Kyivstar cyber attack a warning to the West, security expert says
The massive cyberattack that took down Kyivstar's systems towards the end of last year should serve as a stark warning to Western companies, the Ukrainian government's cyber-security chief has claimed.
January 5, 2024
The attack should show not only Ukraine but also the whole Western world that "no one is actually untouchable," Illia Vitiuk, head of the cybersecurity department at governmental security agency the Security Service of Ukraine – known locally as the SBU – said in a recent interview with Reuters, the details of which hit the wires this week.
Vitiuk qualified his comment by pointing out that Kyivstar is a wealthy private company that has invested heavily in cyber-security. Essentially, if it can be brought down as comprehensively as it was last year, anyone can.
Kyivstar suffered what it described as one of the largest cyber attacks in the history of the global telecoms market in mid-December, leaving its 24.1 million mobile customers and 1.1 million fixed-line customers unable to use its services. It set about restoring comms almost immediately, but it took several days for the operator to be fully up and running again.
The SBU helped with that restoration effort and assisted the company in efforts to repel new attacks – we have now learned that there were several new attempts made – and has since worked closely with Kyivstar to investigate the circumstances of the attack.
The investigation revealed that the hackers likely attempted to penetrate Kyivstar as long ago as March last year and actually succeeded in May or possibly even earlier. They had full access to its systems from about November, Vitiuk told Reuters.
That means they had plenty of time to harvest data. They would have been able to steal personal information, track the locations of phones, intercept text messages, and potentially access accounts on social media platform Telegram, which many Ukrainians use for news and information. Kyivstar insists the investigation has not uncovered leaks of personal data though.
Fingers were naturally immediately pointed at Russia when the attack occurred. Russian hacktivist group Killnet claimed responsibility via its Telegram account, while a group known as Solntsepyok also said it was behind the attack.
Following the investigation, Vitiuk is able to say he is "pretty sure" that the attacker was a group known as Sandworm, a Russian military intelligence cyberwarfare unit that it believes is affiliated with Solntsepyok.
Sandworm has previous. Vitiuk shared that it penetrated a Ukrainian telecoms operator – that he declined to name – a year ago but was thwarted due to the fact that the SBU had itself been inside Russian systems.
Investigations into the way hackers were able to get inside Kyivstar are ongoing, Vitiuk said. The SBU is looking at the possibility of phishing, trojan horse malware and other options, including assistance from an insider.
The SBU has recovered certain malware related to stealing encrypted passwords and experts are currently analysing it.
Doubtless there is plenty more Kyivstar can learn from the investigation, as can its peers elsewhere in the world, should it choose to share information. In the meantime though, Vitiuk is pretty clear that this is not over.
The pattern of behaviour suggests telcos could well remain a target for Russian hackers, he cautioned, noting that the SBU blocked more than 4,500 major cyber attacks on Ukrainian governmental bodies and critical infrastructure last year alone. Telcos need to keep their wits about them.