Russian Sandworm hackers breach Kyivstar network, causing devastating damage and signaling warning to the West

Ukraine’s cyber spy chief disclosed Friday that Russian hackers had infiltrated the system of Kyivstar, a major Ukrainian telecoms company, since at least May of the previous year. This cyberattack serves as a significant warning to the Western countries, he warned in an interview with Reuters. The chief also described that attack as probably the first example of a destructive cyberattack that ‘completely destroyed the core of a telecoms operator.’

Illia Vitiuk, the head of the Security Service of Ukraine (SBU) cybersecurity department, revealed specific information about the hack that targeted Kyivstar. Vitiuk described the attack as causing ‘devastating’ damage and having the dual objectives of inflicting a psychological impact and gathering intelligence. He also noted that the Russian cyber threat group maintained a presence within the Kyivstar network before carrying out the large-scale attack.

Sandworm is a Russian APT (advanced persistent threat) group affiliated with the Main Intelligence Directorate/Main Directorate (GRU/GU) of the General Staff of the Armed Forces of the Russian Federation.

The hack, one of the most dramatic since Russia’s full-scale invasion nearly two years ago, knocked out services provided by Ukraine’s biggest telecoms operator for some 24 million users for days from Dec. 12. During its investigation, the SBU found the hackers probably attempted to penetrate Kyivstar in March or earlier.

“This attack is a big message, a big warning, not only to Ukraine but for the whole Western world to understand that no one is actually untouchable,” he said. He noted Kyivstar was a wealthy, private company that invested a lot in cybersecurity.

Vitiuk revealed that the attack wiped ‘almost everything,’ including thousands of virtual servers and PCs. “For now, we can say securely that they were in the system at least since May 2023,” he said. “I cannot say right now, since what time they had … full access: probably at least since November.”

Over time, research firms have provided details on the operations of the Sandworm APT group. These findings have shed light on the scope and impact of Sandworm activities, disclosing TTPs (tactics, techniques, and procedures) deployed by the group. 

Last November, Mandiant researchers revealed that they had responded to a cyber-physical incident in late 2022. The incident involved a targeted attack on a Ukrainian critical infrastructure organization by the Russia-linked threat actor known as Sandworm. The incident was a multi-event cyber attack that leveraged a novel technique for impacting ICS/OT (industrial control systems/operational technology). 

The Sandworm hackers initially used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment.

Before that, in September 2022, Recorded Future released a report profiling the unique infrastructure used by the threat group UAC-0113, which the Computer Emergency Response Team of Ukraine (CERT-UA) links with moderate confidence to the Russian APT group Sandworm. The report focuses on the trends observed by Insikt Group while monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunications providers operating in Ukraine, which shows that the group’s efforts to target entities in Ukraine remain ongoing.

In April 2022, ESET researchers collaborated with CERT-UA to respond to a cyber incident affecting an energy provider in Ukraine. The Sandworm attackers are said to have attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. The attack used ICS-capable malware and regular disk wipers for Windows, Linux, and Solaris operating systems. 
