{
	"id": "6e137b51-2efa-4f74-a3d9-f445dd13fd46",
	"created_at": "2026-04-06T00:06:14.977387Z",
	"updated_at": "2026-04-10T03:37:09.114862Z",
	"deleted_at": null,
	"sha1_hash": "12c8a3d15ca4e4b7e76dcf00c0ec50b4cb59903c",
	"title": "CEO of Ukraine's largest telecom operator describes Russian cyberattack that wiped thousands of computers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 229262,
	"plain_text": "CEO of Ukraine's largest telecom operator describes Russian\r\ncyberattack that wiped thousands of computers\r\nBy Daryna Antoniuk\r\nPublished: 2024-02-09 · Archived: 2026-04-05 20:41:50 UTC\r\nIn the two months since Russia-linked hackers attacked Ukraine’s largest telecom operator, many questions have\r\nemerged about how they gained access to the company's systems and lingered there, likely for months, undetected.\r\nDuring a cybersecurity conference in Kyiv this week, Kyivstar CEO Oleksandr Komarov shed some light on what\r\nhappened during the attack that left nearly 24 million customers in Ukraine without a mobile signal and internet\r\nfor days.\r\nResponding to a question from Recorded Future News about how the hackers gained initial access to Kyivstar\r\nsystems, Komarov said that they likely compromised an employee account and then spent some time gaining\r\naccess to other accounts, which eventually led them to those with administrative privileges. Then, they gained\r\ncontrol over Active Directory — a centralized database that stores information about network resources and the\r\ndirectory's structure — \"and could do whatever they wanted from there.\"\r\nThe head of the cybersecurity department at Ukraine’s security service (SBU), Illia Vitiuk, told Recorded Future\r\nNews during the conference that it’s unlikely that the attack on Kyivstar originated from within the company — a\r\npossibility considered in the days following the attack.\r\n\"There isn't sufficient evidence to suggest that the network was compromised from the inside. We’ve seen how\r\nhackers navigated through the network, escalating their privileges. 
If they had an insider, it could have been done\r\nmuch more quickly,\" Vitiuk said.\r\nAccording to him, the investigation into the incident is still ongoing and will \"continue for a long time\" because\r\nhackers “destroyed hundreds of Kyivstar servers and wiped thousands of computers, making it difficult to trace\r\ntheir movement through the network.\"\r\nhttps://therecord.media/kyivstar-ceo-on-russian-cyberattack-telecom\r\nPage 1 of 4\n\nKyivstar CEO\r\nOleksandr Komarov. Image: Kyiv International Cyber Resilience Forum/Facebook\r\n\"Now what's more important for us is not just how they initially gained access to the network, but how they\r\nmanaged to navigate it, circumventing substantial security measures at Kyivstar,\" he added.\r\nAccording to Vitiuk, the hackers attempted to penetrate Kyivstar in March 2023 or earlier, managed to get into the\r\nsystem at least as early as May, and likely gained full access to the network in November.\r\nAs for why they remained undetected for months, Komarov said that the group used a zero-day wiper malware,\r\nwhich Kyivstar's protection systems couldn't identify.\r\nThe hackers, previously attributed by the SBU to the Russian state-controlled threat group Sandworm, which\r\noverlaps with Seashell Blizzard and UAC-0082, planned to attack Kyivstar in two waves — targeting virtual and\r\nphysical infrastructure, Komarov said.\r\nWhile they succeeded in wiping out the virtual servers, their attempt to cause damage to physical equipment\r\nfailed.\r\nThere are several reasons why the attack on physical infrastructure was thwarted, according to Komarov: the\r\ncompany swiftly responded to the incident and disconnected the equipment; a conflict arose between the two\r\nattacks, with one hindering the development of the other; and the group did not consider the diversity of vendors\r\nserving Kyivstar's physical infrastructure.\r\nIf the second wave of the attack succeeded, it could have damaged nearly 100,000 of Kyivstar’s 
base transceiver\r\nstations that linked mobile devices to the operator’s network. Given that they can only be fixed manually, Kyivstar\r\nwould have needed months to restore communication, according to Komarov.\r\nLessons learned\r\nKomarov called the attack on Kyivstar \"a meticulously planned military operation that lasted several months.\"\r\nHowever, he dismissed the idea that the company was ill-prepared for Russian cyberattacks, stating that Ukrainian\r\ntelecom operators have faced continuous cyber threats since the beginning of the war.\r\n“Kyivstar worked according to the best international standards — we invested millions of dollars in cybersecurity,\r\nand we have 50 people working in our cyber protection team,” he said.\r\nHowever, amid the ongoing cyber war, critical infrastructure companies are more susceptible to attacks, especially\r\nwhen dealing with sophisticated threat actors controlled by Russian intelligence.\r\nAnother factor exposing Kyivstar to cyberattacks is the architecture of the telecom operator’s systems. \"And this\r\nisn't a mistake on Kyivstar's part; it's an industrial approach,\" Komarov said.\r\nAccording to him, the company’s infrastructure is too centralized, making it easier for hackers to navigate.\r\nKomarov said that the company plans to restructure its systems and make them more segmented — when the\r\nnetwork is divided into distinct zones, each with its own set of controls, access permissions, and security\r\nmeasures.\r\n“We had segmentation in place before, but now we're looking to implement micro-segmentation. 
The aim is to\r\nensure that, while securing the external perimeter, we establish multiple internal perimeters to prevent unrestricted\r\nmovement between systems — similar to an airport, where entry is allowed only after passing through multiple\r\nsecurity checks,” Komarov told Recorded Future News.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/kyivstar-ceo-on-russian-cyberattack-telecom",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/kyivstar-ceo-on-russian-cyberattack-telecom"
	],
	"report_names": [
		"kyivstar-ceo-on-russian-cyberattack-telecom"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12c8a3d15ca4e4b7e76dcf00c0ec50b4cb59903c.pdf",
		"text": "https://archive.orkl.eu/12c8a3d15ca4e4b7e76dcf00c0ec50b4cb59903c.txt",
		"img": "https://archive.orkl.eu/12c8a3d15ca4e4b7e76dcf00c0ec50b4cb59903c.jpg"
	}
}