In the two months since Russia-linked hackers attacked Ukraine's largest telecom operator, many questions have emerged about how they gained access to the company's systems and lingered there, likely for months, undetected.
During a cybersecurity conference in Kyiv this week, Kyivstar CEO Oleksandr Komarov shed some light on what happened during the attack that left nearly 24 million customers in Ukraine without a mobile signal and internet for days.
Responding to a question from Recorded Future News about how the hackers gained initial access to Kyivstar systems, Komarov said that they likely compromised an employee account and then spent some time gaining access to other accounts, which eventually led them to those with administrative privileges.
The head of the cybersecurity department at Ukraine's security service, Illia Vitiuk, told Recorded Future News during the conference that it's unlikely that the attack on Kyivstar originated from within the company - a possibility considered in the days following the attack.
According to Vitiuk, the hackers attempted to penetrate Kyivstar in March 2023 or earlier, managed to get into the system at least as early as May, and likely gained full access to the network in November.
As for why they remained undetected for months, Komarov said that the group used a zero-day wiper malware, which Kyivstar's protection systems couldn't identify.
The hackers, previously attributed by the SBU to the Russian state-controlled threat group Sandworm, which overlaps with Seashell Blizzard and UAC-0082, planned to attack Kyivstar in two waves - targeting virtual and physical infrastructure, Komarov said.
While they succeeded in wiping out the virtual servers, their attempt to cause damage to physical equipment failed.
There are several reasons why the attack on physical infrastructure was thwarted, according to Komarov: the company swiftly responded to the incident and disconnected the equipment; a conflict arose between the two attacks, with one hindering the development of the other; and the group did not consider the diversity of vendors serving Kyivstar's physical infrastructure.
Had the second wave succeeded, it could have damaged nearly 100,000 of Kyivstar's base transceiver stations, the radio equipment that links mobile devices to the operator's network.
Because such stations can only be repaired manually, on site, Kyivstar would have needed months to restore communication, according to Komarov.
Amid the ongoing cyber war, critical infrastructure companies are more exposed to attacks, especially from sophisticated threat actors controlled by Russian intelligence.
Another factor that left Kyivstar exposed, according to Komarov, is the architecture of the telecom operator's systems: the infrastructure is too centralized, which made it easier for the hackers to move through it once they were inside.
Komarov said the company plans to restructure its systems and make them more segmented, dividing the network into distinct zones, each with its own set of controls, access permissions and security measures, so that a foothold in one zone does not give an intruder a path to every other.
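The following is an added example, not code from Kyivstar or from the article, that models why segmentation narrows the attack path the CEO described (a compromised employee account used as a foothold to pivot towards administrative access). The zone names, roles and flow rules are assumptions constructed for illustration: a flat policy in which every zone can reach every other is compared with a default-deny policy in which only a short list of flows is permitted, and a small reachability search computes which zones an intruder starting from a given foothold, holding a given set of roles, can eventually reach.

```python
"""
Zone-based segmentation model: which zones can an intruder reach from a
single compromised foothold?

Added illustration, not Kyivstar's code. Zone names, roles and flow rules
below are constructed assumptions loosely mirroring the kinds of systems
the article mentions (employee workstations, an administrative zone,
virtual servers, and the management network for physical radio equipment).
"""
from collections import deque

ZONES = ["corp_users", "mgmt", "virt_servers", "bts_mgmt"]
ROLES = ("user", "admin")

# Flat, centralized network (assumption): any zone may open a connection
# to any other zone, whichever role the caller holds.
FLAT_POLICY = {
    (src, dst, role)
    for src in ZONES for dst in ZONES if src != dst
    for role in ROLES
}

# Segmented network (assumption): default deny, only these flows allowed.
# Administrative access to servers and to BTS management is accepted only
# when it originates from the dedicated management zone, and no zone is
# permitted to initiate connections into that management zone.
SEGMENTED_POLICY = {
    ("corp_users", "virt_servers", "user"),
    ("mgmt", "virt_servers", "admin"),
    ("mgmt", "bts_mgmt", "admin"),
}


def is_allowed(policy, src, dst, role):
    """Default-deny check: a flow is permitted only if explicitly listed."""
    return (src, dst, role) in policy


def reachable_zones(policy, foothold, roles):
    """Zones an intruder who controls `foothold` and holds `roles` can reach,
    directly or by pivoting through zones reached earlier (breadth-first
    search over the allowed flows).
    """
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for src, dst, role in policy:
            if src == cur and role in roles and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(foothold)
    return seen


def blast_radius(policy, foothold, roles):
    """Fraction of the other zones reachable from the foothold."""
    others = [z for z in ZONES if z != foothold]
    return len(reachable_zones(policy, foothold, roles)) / len(others)


if __name__ == "__main__":
    # Scenario from the article: a compromised employee account, later
    # upgraded with harvested administrative credentials.
    for label, roles in (("user creds", {"user"}),
                         ("user+admin creds", {"user", "admin"})):
        for name, policy in (("flat", FLAT_POLICY),
                             ("segmented", SEGMENTED_POLICY)):
            reach = sorted(reachable_zones(policy, "corp_users", roles))
            print(f"{name:9s} / {label:16s}: from corp_users -> {reach}")
```

In the flat model the foothold alone reaches every zone, credentials or not. In the segmented model, stolen administrative credentials still do not help an attacker sitting on a workstation, because the policy accepts administrative flows only from the management zone and offers no route into it; the attacker would have to compromise that zone separately, which is the point of giving each zone its own controls.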
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine.
She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia.
She previously was a tech reporter for Forbes Ukraine.
This Cyber News was published on therecord.media. Publication date: Sun, 11 Feb 2024 22:14:04 +0000