Russian hackers who shut down Kyivstar had penetrated the company's internal system months before the attack and likely had access to a variety of users' personal data, said Illia Vitiuk, the cybersecurity chief of the Security Service of Ukraine (SBU), in an interview with Reuters published on Jan. 4.
Ukraine came under a massive cyberattack on Dec. 12, which targeted Kyivstar, the largest telecommunications provider, and one of the country's most important banks, Monobank. People across the country reported internet and network outages, as well as issues with air raid alerts.
A Russian hacker group called Solntsepek claimed responsibility for the attack against Kyivstar in a statement published on Telegram on Dec. 13.
Vitiuk said that he was "pretty sure" the attack was carried out by Sandworm, a unit of Russia's military intelligence (GRU), which the SBU has linked to Solntsepek.
Kyivstar CEO Oleksandr Komarov said that hackers had managed to break through the company's cyber security measures through the compromised account of an employee.
The day after the attack, the company denied that any computers or servers had been destroyed and claimed that subscribers' personal data remained safe.
Kyivstar reiterated to Reuters on Jan. 4 that "no facts of leakage of personal and subscriber data have been revealed," adding that the company was cooperating closely with the SBU to investigate the attack.
A Kyivstar spokesperson, Iryna Lelichenko, said on Facebook the same day that "various versions (of how the attack took place) are being considered and voiced, but none of them can be seen as final until the official conclusion of the investigation."
"The cyber attack on the Kyivstar network affected some technological systems responsible for communication, but they were restored within a few days thanks to the professional work of the company's specialists and partners."
According to Lelichenko, Kyivstar has already carried out additional measures for cyber protection, including strengthening access control and implementing additional server and workstation control systems, and is planning further steps to bolster cyber security.
Vitiuk refuted that assertion, saying that the attack wiped "almost everything," which included servers. He added that it was likely one of the first examples of a hacking attack that "completely destroyed the core of a telecoms operator."
Since the hackers had access to Kyivstar servers since May 2023 and full access since November, they could likely have been able to "steal personal information, understand the locations of phones, intercept text messages and perhaps steal Telegram accounts with the level of access they gained."
The attack did not impact Ukraine's military, Vitiuk said, because it has a different cybersecurity configuration and does not rely on private telecoms providers.
He added that it was important not to underestimate the threat posed by such attacks, noting that Kyivstar is a wealthy company with highly developed cybersecurity systems.
"This attack is a big message, a big warning, not only to Ukraine but for the whole Western world to understand that no one is actually untouchable," Vitiuk said.
A complete investigation on how the hackers managed to penetrate Kyivstar's cybersecurity is still ongoing, he said, including analyzing the possibility that there was someone on the inside who assisted in the attack.