The computer attack against the mobile operator Kyivstar claimed by a Russian actor

While Ukraine's leading mobile operator, Kyivstar, is still working to restore full network access for its subscribers, a group of Russian-speaking hackers called Solntsepyok claimed responsibility on Wednesday, December 13, for the cyberattack which, the day before, severely damaged the company's network.

In a boastful message posted on Telegram, the group claims to have destroyed thousands of computers and servers as well as Kyivstar's backup systems. Unverified screenshots were also released on the same Telegram channel, presented as proof that the hackers had access to the operator's critical systems. These include a mail server and Active Directory, a sort of control tower for a computer network.

Solntsepyok has been active for over a year. The group initially seemed to focus on disseminating private data relating to Ukrainian military or intelligence agents, probably in response to a Ukrainian site called Myrotvorets, on which lists of people presented as “enemies of Ukraine” are published.

Nearly 24 million customers affected

The Telegram channel is reminiscent of the Russian-speaking groups of self-proclaimed “hacktivists” which have flourished since the start of the war in Ukraine, and whose real affiliation is regularly questioned. The Ukrainian intelligence services have no doubt about the origin of “Solntsepyok”: the country's authorities stated as early as July that this group was a front for the GRU, Russian military intelligence.

Specifically, Ukraine links Solntsepyok to Sandworm, an actor identified as GRU Unit 74455, which specializes in espionage and offensive cyber operations. This attribution was also confirmed by the company Mandiant, owned by Google, reports the specialist magazine Wired. “This is a group that has already claimed responsibility for attacks that we know were carried out by Sandworm,” explained John Hultquist, director of threat analysis for Mandiant.

In a statement released Wednesday, Ukrainian authorities said they were aware of the claim broadcast by the group, without providing further information. The investigation into the Kyivstar hack is being led by the SBU, Ukraine's internal security service.

More than 24 hours after the computer attack which targeted Kyivstar, a large part of its 24 million customers are still affected by network outages, according to data from the American hosting company Cloudflare. The restoration of communications is still in progress, and the company stated that telephone calls have now been restored throughout the territory, reports the daily Ukrainska Pravda.

On Tuesday, the massive outage caused by the computer attack had repercussions on other infrastructure, including a small number of bank teller machines and air raid sirens in certain regions. For Victor Zhora, former senior cybersecurity official for the Ukrainian state now targeted by an investigation for corruption, this is “the most effective attack on critical infrastructure in Ukraine since February 24, 2022,” he estimated on the social network
