{
	"id": "d2d056f2-c838-46c2-91d4-fbf8a2b2ffa7",
	"created_at": "2026-04-06T00:09:14.336027Z",
	"updated_at": "2026-04-10T03:30:30.36747Z",
	"deleted_at": null,
	"sha1_hash": "220026fa32914fa0950b2b4a160342aae341d6d9",
	"title": "Russian hackers wiped thousands of systems in KyivStar attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2860641,
	"plain_text": "Russian hackers wiped thousands of systems in KyivStar attack\r\nBy Sergiu Gatlan\r\nPublished: 2024-01-04 · Archived: 2026-04-05 16:44:46 UTC\r\nThe Russian hackers behind a December breach of Kyivstar, Ukraine's largest telecommunications service provider, have\r\nwiped all systems on the telecom operator's core network.\r\nFollowing the incident, Kyivstar's mobile and data services went down, leaving most of its 25 million mobile and home\r\ninternet subscribers without an internet connection.\r\nIllia Vitiuk, the head of the Security Service of Ukraine's (SSU) cybersecurity department, told Reuters in an interview that\r\nthe threat actors breached Kyivstar's network in May 2023.\r\nThey launched the attack months later, wiping thousands of virtual servers and computers and \"completely\" destroying \"the\r\ncore\" of the telecoms operator.\r\n\"For now, we can say securely, that they were in the system at least since May 2023. I cannot say right now, since what time\r\nthey had ... full access: probably at least since November,\" he said.\r\n\"After a large-scale break, we prevented a number of attempts to cause even more damage to the operator,\" Vitiuk added in a\r\nstatement published on Thursday on the SSU's website.\r\n\"Currently, the cyber specialists of the Security Service are already researching individual samples of malware used by the\r\nenemy. The attack was carefully prepared for many months.\"\r\nThe cyberattack had a considerable impact on the country's civilian population, yet it notably did not significantly disrupt\r\nmilitary communications. 
Vitiuk said that this is because Ukraine's Defense Forces employ different algorithms and\r\ncommunication protocols.\r\nBreached by Sandworm military hackers\r\nFollowing the incident, Kyivstar's CEO and the SSU suggested that Russian hackers may have been involved, given the\r\nongoing conflict between Ukraine and Russia.\r\nOne day later, the attack was claimed by Russian hackers from the Solntsepek group (believed to be linked to the Sandworm\r\nRussian military hacking group). They said they wiped 10,000 computers and thousands of servers on Kyivstar's network.\r\n\"We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers,\r\nmore than 4 thousand servers, all cloud storage and backup systems,\" the group said in a Telegram post.\r\n\"We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as\r\ngovernment agencies and law enforcement agencies of Ukraine.\"\r\nToday, Vitiuk confirmed that Sandworm was behind the December attack on Kyivstar, saying that this Russian military\r\nintelligence unit carried out other cyberattacks targeting Ukrainian targets, \"in particular [..] telecom operators and ISPs.\"\r\nAn October report from Ukraine's Computer Emergency Response Team (CERT-UA) revealed that Russian Sandworm\r\nhackers breached the networks of 11 Ukrainian telecom service providers since May 2023.\r\nThis has led to service interruptions after the hackers deployed scripts during the final stages of the attacks to wipe Mikrotik\r\nequipment and backups to make recovery more challenging.\r\n
Source: https://www.bleepingcomputer.com/news/security/russian-hackers-wiped-thousands-of-systems-in-kyivstar-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-hackers-wiped-thousands-of-systems-in-kyivstar-attack/"
	],
	"report_names": [
		"russian-hackers-wiped-thousands-of-systems-in-kyivstar-attack"
	],
	"threat_actors": [
		{
			"id": "2b45a355-6d1d-44d8-8bc3-20c17e30757d",
			"created_at": "2023-12-21T02:00:06.092349Z",
			"updated_at": "2026-04-10T02:00:03.501337Z",
			"deleted_at": null,
			"main_name": "Solntsepek",
			"aliases": [],
			"source_name": "MISPGALAXY:Solntsepek",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/220026fa32914fa0950b2b4a160342aae341d6d9.pdf",
		"text": "https://archive.orkl.eu/220026fa32914fa0950b2b4a160342aae341d6d9.txt",
		"img": "https://archive.orkl.eu/220026fa32914fa0950b2b4a160342aae341d6d9.jpg"
	}
}