4 January 2024

Russian hackers infiltrated Kyivstar networks since at least May 2023, Ukraine's cyber chief says



Russian military hackers have been lurking in the network of Kyivstar, one of Ukraine’s three biggest telecom operators, since at least May 2023, according to Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department.

Kyivstar suffered a massive hacker attack on December 12, 2023, which crippled its services across the country, leaving millions of people unable to use mobile services and home internet. The attack also caused issues with air raid alerts and impacted some PoS terminals and ATMs of PrivatBank, one of the largest banks in Ukraine, that use Kyivstar’s network.

The company’s CEO, Oleksandr Komarov, said at the time that the attackers were able to infiltrate the network through a compromised employee account.

Now, Ukraine's cyber spy chief has disclosed additional details about the intrusion. According to Illia Vitiuk, the goal of the attack was to deal a psychological blow and gather intelligence.

The attack wiped “almost everything”, Vitiuk told Reuters in an interview, including thousands of virtual servers and PCs. He noted that it was probably the first example of a destructive cyberattack that “completely destroyed the core of a telecoms operator.”

The investigation revealed that the intruders attempted to penetrate Kyivstar in March or earlier and probably have had full access to the infrastructure since November last year.

The agency assessed that, with the level of access they gained, the hackers would have been able to steal personal information, determine the locations of phones, intercept SMS messages and perhaps steal Telegram accounts.

A Kyivstar spokesperson said the company was working closely with the SBU to investigate the attack and that “no facts of leakage of personal and subscriber data have been revealed.”

According to Vitiuk, the hackers made several subsequent attempts to breach Kyivstar and cause more damage to the operator. Vitiuk also added that the attack had not impacted Ukraine's military, as it doesn’t rely on telecoms operators and utilizes “different algorithms and protocols.”

The attack is believed to have been carried out by Sandworm, a well-known Russian hacking group associated with Russia’s GRU military intelligence agency. The group has been relentlessly targeting Ukraine, including its energy sector, since the beginning of the Russian invasion, using multiple pieces of data-wiping malware.

Vitiuk revealed that Sandworm targeted a Ukrainian telecoms operator in another attack, but it was uncovered because the SBU had itself been inside Russian systems. The earlier hack has not been previously reported, Reuters noted.

The investigation into the attack is still ongoing, Vitiuk said, with experts working to determine the intrusion method and what malware was used. If it was an inside job, the insider who helped the hackers did not have a high level of clearance in the company, as the hackers used malware designed to steal password hashes, the SBU’s cybersecurity chief said.
