Over nearly a decade, the hacker group within Russia’s GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine’s power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions, and even temporarily sabotaging the air raid warning system in the capital of Kyiv.
On Tuesday, a cyberattack hit Kyivstar, one of Ukraine’s largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.
Kyivstar’s CEO Oleksandr Komarov told Ukrainian national television on Tuesday that the hacking incident “significantly damaged [Kyivstar’s] infrastructure, limited access; we could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access,” according to Reuters. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”
The Ukrainian government hasn’t yet publicly attributed the cyberattack to any known hacker group—and nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as “Solntsepek” had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia’s GRU.
“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group’s Telegram account. The message also includes screenshots that appear—but could not be verified—to show access to Kyivstar’s network. “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as government agencies and law enforcement agencies of Ukraine. The rest of the offices helping the Armed Forces of Ukraine, get ready!”
Solntsepek has previously been used as a front for the hacker group Sandworm, the Moscow-based Unit 74455 of Russia’s GRU, says John Hultquist, the head of threat intelligence at Google-owned cybersecurity firm Mandiant and a longtime tracker of the group. He declined, however, to say in which network intrusions Solntsepek has been linked to Sandworm in the past, suggesting that some of those intrusions may not yet be public. “It’s a group that has claimed credit for incidents we know were carried out by Sandworm,” Hultquist says, adding that Solntsepek’s Telegram post bolsters his previous suspicions that Sandworm was responsible. “Given their consistent focus on this type of activity, it’s hard to be surprised that another major disruption is linked to them.”