Russian Hacker Group, Claims To Be Responsible For Cyberattacks Against Ukraine's Largest Cellular Operator

Kyivstar, experienced a cyberattack from Russian hackers. (photo: x @TwiyKyivstar)

JAKARTA - A hacking group believed by the Ukrainian government to be affiliated with Russian military intelligence claimed responsibility for a cyberattack on Wednesday, December 13, which left Ukraine's largest mobile network completely shut down.

The attack on Kyivstar, which has 24.3 million mobile subscribers and more than 1.1 million internet users at home, took place on Tuesday, December 12 had disabled service, damaged IT infrastructure, and muted the airstrike warning system in parts of Ukraine.

An activist hacker group, or "hacktivis", called Solntsepyok, claimed in a post on the Telegram messaging app that they launched a cyberattack, and published a screenshot showing the hacker had accessed the Kyivstar server.

Russia has repeatedly denied involvement in such cyberattacks.

The Office of the Special Communications and Information Protoctorate of Ukraine (SSSCIP) said in a statement that it was investigating the incident with the SBU Interior Intelligence Agency.

"Russian groups whose activities are linked to the main directorate of the General Staff of the Russian Federation Armed Forces are responsible for this cyberattack," he said in a statement, referring to Russian military intelligence agent GRU.

"This once again confirms that Russia is using cyberspace as one of the realms of war against Ukraine," the statement added, without naming the group claiming responsibility.

Earlier this year, SSSCIP identified Solntsepyok as a disguise for a Russian hacker group named "Sandworm" previously linked to the GRU.

In a Telegram post announcing the hack, Solntsepyok thanked the unidentified "career colleagues" at Kyivstar. SBU said Tuesday that it had opened a case of betrayal following the cyberattack.

"We attacked Kyivstar because the company provided communications to the Ukrainian Armed Forces, as well as the Ukrainian state body and security forces," the shipment reads. "For other offices that help the Ukrainian Armed Forces: be prepared!"

On Tuesday, sources close to Kyivstar told Reuters that military communications were not affected by the attack.

Sandworms have been tracked by cybersecurity researchers as one of Russia's most powerful hacker groups, responsible for cyberattacks against Ukraine's energy sector.

"They regularly disguise their operations through thin hacktivist persona," said John Hultquist, who leads the threat analysis at Google's Mandiant Intelligence.

"Sandworms are Moscow's preferred weapon for cyberattacks. No other actors are close in terms of the direct threat they pose to critical infrastructure in Ukraine," he added.

Responding to a request for comment from Reuters, a Solntsepyok representative confirmed that they carried out an attack and referred to Kyivstar's internal documents posted on their group's Telegram channel.

The representative did not respond to further requests for comment, including whether Solntsepyok was connected to the GRU.

The digital blitz on Tuesday was one of the largest cyberattacks since Russia's full invasion of Ukraine in February 2022. Such attacks that cause widespread and real damage are rare and require very sophisticated techniques that are usually domains of state intelligence agencies.

In its Telegram post, Solntsepyok claims to have destroyed more than 10,000 computers and 4,000 servers in attacks on Kyivstar, including cloud storage and backup systems.

Kyivstar rejected the claim as "fake" in a shipment on X, formerly known as Twitter. Kyivstar CEO said the company was restoring some of its services last Wednesday.