Wiper | Resolved

Kyivstar wiper attack

Russia's Sandworm group destroyed thousands of virtual servers and workstations at Kyivstar, Ukraine's largest mobile operator, knocking out service for some 24 million subscribers and disrupting air-raid alerts, banking and payments in the most damaging cyberattack on Ukrainian telecoms since the 2022 invasion.

Victim: Kyivstar
Loss: $95.0M
Users: 24.0M

On 12 December 2023, Kyivstar, Ukraine's largest mobile operator, suffered what officials called one of the most damaging cyberattacks on Ukrainian infrastructure since Russia's full-scale invasion. A wiper attack destroyed thousands of virtual servers and workstations, knocking out mobile and Internet service for roughly 24 million subscribers and cascading into air-raid alerts, banking and payments.

What happened

According to Ukraine's SBU security service, Sandworm operatives had been inside Kyivstar's network since at least May 2023, likely entering through a compromised employee account. By November they had achieved full access to the company's IT infrastructure, giving them months of reconnaissance before striking.

On 12 December the attackers detonated a large-scale wiper, erasing "almost everything": thousands of virtual servers and personal computers across Kyivstar's core systems. The destruction was so comprehensive that Kyivstar had to rebuild much of its IT environment from backups, a process that kept services down for days.

Impact

  • ~24 million subscribers lost mobile voice, SMS and Internet connectivity; for many, service was unavailable for several days.
  • The outage disrupted air-raid warning systems in some areas, ATM and card-payment networks, and retail point-of-sale terminals, as people queued to buy rival SIM cards.
  • Mobile and Internet services were largely restored by 20 December, about a week after the attack.
  • Kyivstar's parent, VEON, reported the incident did not breach subscriber personal data, but the operational and financial impact ran into the tens of millions of dollars.

Attribution

Ukrainian authorities attributed the attack to Sandworm, the cyber-sabotage unit of Russia's military intelligence (GRU Unit 74455). The pro-Russian hacktivist group Solntsepyok claimed responsibility, but the SBU assessed it as a front for Sandworm. Ukraine announced it was gathering evidence to potentially prosecute those responsible for war crimes at international tribunals, given the attack's impact on civilian emergency-warning systems.

Why it matters

The Kyivstar attack demonstrated that telecommunications networks are prime wartime targets: disabling a single carrier rippled into emergency alerts, finance and daily life for millions. It underscored the danger of long-dwell intrusions, in which months of undetected access enable a single, catastrophic destructive event, and the strategic value adversaries place on civilian connectivity. Western agencies treated it as a warning that similar destructive operations could be turned against telecom providers beyond Ukraine.

Timeline

  1. Sandworm operatives gain access to Kyivstar's network, likely via a compromised employee account, and dwell undetected for months.

  2. Attackers achieve full access to the operator's infrastructure, positioning for a destructive strike.

  3. A large-scale wiper attack erases thousands of virtual servers and PCs, taking mobile and Internet service offline for ~24 million subscribers.

  4. Air-raid alert systems, ATMs, card payments and some retail point-of-sale terminals are disrupted as the outage cascades.

  5. Kyivstar substantially restores mobile and Internet services after about a week of recovery.

Sources

  1. en.wikipedia.org: https://en.wikipedia.org/wiki/2023_Kyivstar_cyberattack
  2. bankinfosecurity.com: https://www.bankinfosecurity.com/russian-sandworm-group-snooped-kyivstar-networks-for-months-a-24027
  3. therecord.media: https://therecord.media/kyivstar-cyberattack-war-crimes-prosecution-ukraine
  4. cyberscoop.com: https://cyberscoop.com/russia-ukraine-kyivstar-vitiuk/
  5. theregister.com: https://www.theregister.com/2024/01/05/sandworm_kyivstar_hack/

Related incidents

Espionage | Contained

Ukraine power grid attack: Sandworm BlackEnergy (2015)

The Russia-linked Sandworm group used spear-phishing, BlackEnergy3, and KillDisk to remotely flip breakers at three Ukrainian regional electricity distribution companies, cutting power to approximately 230,000 customers for 1–6 hours. It is the first publicly acknowledged successful cyberattack on an electric power grid in history.

Victim: Ukrainian regional electricity distribution companies (Oblenergos)