The Security Service of Ukraine (SBU) is gathering evidence on Russian intelligence hackers who were behind last December's attack on Kyivstar and will pass the materials to the International Criminal Court (ICC), SBU cybersecurity chief Illia Vitiuk said in an interview with Ukrinform published on April 4.
Ukraine came under a massive cyberattack in December 2023 that targeted Kyivstar, the country's leading telecommunications provider. People across the country reported internet and network outages, as well as issues with air raid alerts.
The SBU linked the attack to SandWorm, which is reportedly "a full-time unit" of Russia's military intelligence agency, the GRU. Vitiuk said Ukraine had identified SandWorm through their specific "handwriting" and "specially created software products" used to download files.
Shortly after the cyberattack, a Russian hacker group, Solntsepek, claimed responsibility for the attack. Ukraine's security service linked Solntsepek to the aforementioned SandWorm.
"We need to conduct a series of examinations on suffered losses and the affected systems. After all, information from a large number of virtual and physical servers were destroyed, and many computers were wiped completely," the SBU cybersecurity chief said when asked about the progress of the investigation.
"We made requests to our international partners and intelligence services to obtain certain information," he added.
According to the SBU official, Ukraine will soon announce official charges based on collected evidence, which will be referred to the ICC in The Hague.
VEON, the Dutch telecommunications operator and Kyivstar's parent company, said that the damages of the cyberattack amounted to Hr 3.6 billion ($93 million).
The losses stemmed from costs incurred restoring services, replacing lost equipment, or compensating external consultants and partners.
Vitiuk also said that the same hackers who were behind the Kyivstar cyberattack attempted many times to break into the communications systems of Ukraine's Armed Forces and the Defense Ministry.
"But we thwarted these attempts," he added.
According to Vitiuk, SandWorm attempted to target 1,700 Ukrainian devices in an attempt to infect Ukraine's military software, "Kropyva" (Nettle), since the start of the full-scale war. The hackers used seven different types of malware in these attempts, he added.
While GRU's SandWorm focuses on attacks against telecommunications, Internet providers, and the energy sector, Russia has other cyber warfare units, Vitiuk explained.
Groups working for Russia's Federal Security Service (FSB) include Armageddon, which is focused on computer viruses and phishing emails, as well as Turla or Dragonfly.
Nate Ostiller
(Updated: )
