05 Jan 2024

Ukraine Blames Russian Intelligence for Kyivstar Attacks


In 2008, when Russia attacked Georgia, there was a lot of discussion around the fact that cyber-based attacks by nation states could be conducted in conjunction with, or lead directly to, kinetic attacks.

Opinion was mixed back then: some agreed it was bound to be the future of warfare, while others thought that leap was a bit dramatic. Considering the state of cybersecurity and the attacks of the time, one could argue the dramatic point.

Now, nearly a decade later, we know better.

Source: Reuters [1], [2], SSU, The Register

In a direct assault, Ukraine’s largest mobile network operator, Kyivstar, fell victim to the war’s most substantial cyberattack. It was orchestrated by Russian hackers, specifically the Sandworm group, known for their affiliation with Russia’s military intelligence. The attack, initiated around May 2023, significantly disrupted Kyivstar’s services for millions of users, targeting both mobile and internet services. The intrusion inflicted “disastrous” destruction on thousands of virtual servers and PCs, “completely destroying the core of a telecoms operator.”

Illia Vitiuk, head of Ukraine’s SBU cybersecurity department, revealed that the hackers likely had full access by November 2023, enabling them to intercept sensitive data such as customer information and phone location data. The SBU, working with Kyivstar and other government agencies, has been actively involved in the recovery and investigation process. Despite the scale of the attack, there have been no reports of personal data leaks. The attack underscores the increasing use of cyber warfare in conjunction with traditional military operations, signaling a significant threat to global cybersecurity norms.

Private-sector threat analysts have expressed concerns over the potential use of Kyivstar’s network for espionage, particularly “island hopping” into Ukraine’s military networks. This method might have allowed real-time monitoring of Ukraine’s counter-offensive strategies and exposed troop locations. The attack’s psychological impact, combined with its physical disruption, exemplifies the strategic use of cyberattacks in modern warfare. Experts suggest that such incidents should serve as a warning to Western countries about the evolving nature and reach of state-sponsored cyber threats.

The pattern between these two situations really can’t be ignored. Clearly part of a Russian playbook, the attacks against Georgia in 2008 and the recent attack on Ukraine’s Kyivstar share several similarities (see below), particularly in their strategic approach and objectives.

So while the specific techniques, operators, and scale differ, the overarching strategies and objectives of these attacks reveal Russia’s consistent approach to integrating cyberwarfare into broader military and geopolitical strategies.

  1. Preceding Military Actions: Both attacks were timed with military actions. In the Russo-Georgian War, cyberattacks began weeks before the actual military invasion, targeting Georgian websites, including the president’s website. Similarly, the attack on Kyivstar was part of a broader strategy of hybrid warfare, where cyberattacks complemented physical military operations.

  2. State-Sponsored and Coordinated Attacks: The cyberattacks in both cases are believed to be state-sponsored. The Russo-Georgian attacks were traced back to autonomous systems controlled by a Russian criminal syndicate, RBN, implying state coordination. In the case of Kyivstar, the attack is attributed to the Russian military intelligence cyberwarfare unit Sandworm, indicating a high level of state involvement.

  3. Disruption of Communication and Information Infrastructure: A common objective in both attacks was the disruption of communication and information infrastructure.

  4. Use of Advanced Cyber Warfare Techniques: Both attacks demonstrated the use of advanced techniques and operational planning.

  5. Psychological Impact and Propaganda: Both attacks had a psychological warfare component. The Russian cyber strategy against Georgia involved PSYOPs, and the Kyivstar attack aimed to cause psychological impact by disrupting essential services and possibly facilitating espionage.

