A hacking group believed by Kyiv to be affiliated with Russian military intelligence claimed responsibility on Wednesday for a cyberattack that knocked Ukraine’s biggest mobile network operator offline.
Tuesday’s attack on Kyivstar, which has 24.3 million mobile subscribers and more than 1.1 million home internet users, knocked out services, damaged IT infrastructure, and silenced air raid alert systems in some parts of Ukraine.
A group of activist hackers, or “hacktivists,” called Solntsepyok said in a post on the Telegram messaging app that it carried out the cyberattack, and published screenshots appearing to show that the hackers had accessed Kyivstar’s servers.
Russia has repeatedly denied being behind such cyberattacks.
Ukraine’s State Service of Special Communications and Information Protectorate (SSSCIP) said in a statement it was investigating the incident with the SBU domestic intelligence agency.
“Responsibility for the cyberattack was taken by one of the Russian groups whose activities are associated with the main directorate of the General Staff of the Armed Forces of the Russian Federation,” it said, referring to Russia’s GRU military intelligence agency.
“This once again confirms Russia’s use of cyberspace as one of the domains of the war against Ukraine,” it said, without naming the group that has claimed responsibility.
Earlier this year, the SSSCIP identified Solntsepyok as a front for a Russian hacking group dubbed “Sandworm” which has been previously linked to the GRU.
It was not immediately possible to contact the GRU for comment.
In its Telegram post announcing the hack, Solntsepyok thanked unidentified “concerned colleagues” at Kyivstar. The SBU said on Tuesday that it had opened a treason case following the cyberattack.
“We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as state bodies and Ukraine’s security forces,” that post said.
“To the other offices helping the Ukrainian Armed Forces: be prepared!”
On Tuesday, a source close to Kyivstar told Reuters that military communications had not been affected by the attack.
Sandworm has been tracked by cybersecurity researchers as one of Russia’s most powerful hacking groups, responsible for cyberattacks against Ukraine’s energy sector.
“They regularly launder their operations through paper thin hacktivist personas,” said John Hultquist, who heads threat analysis at Google’s Mandiant Intelligence.
“Sandworm is Moscow’s weapon of choice for cyberattacks. No other actor comes close in terms of the imminent threat they pose to critical infrastructure in Ukraine,” he added.
In response to a request for comment from Reuters, a representative of Solntsepyok confirmed it had carried out the attack and referred to the internal Kyivstar documents posted to the groups’ Telegram channel.
The representative did not respond to further requests for comment, including whether Solntsepyok was connected to the GRU.
Tuesday’s digital blitz was one of the biggest cyberattacks since Russia’s full-scale invasion of the country in February 2022. Such attacks which cause widespread and tangible damage are rare and require techniques so sophisticated that they are usually the domain of state intelligence agencies.
In its Telegram post, Solntsepyok said it destroyed more than 10,000 computers and 4,000 servers in the attack against Kyivstar, including its cloud storage and backup systems.
Kyivstar dismissed those claims as “fake” in a post on X, formerly known as Twitter. Kyivstar was in the process of restoring some of its services on Wednesday, its CEO said.