.png)
Date: 08/01/2024
Where: Ukraine, Russia
Who’s involved:
Ukraine: BLACKJACK hacktivist group, SSU operators
Russia: Solntsepyok hacktivist group, GRU “Sandworm” operators
Kyivstar Telecommunications
Rosvodokanal Water
What happened:
On 12/12/2023, a “hybrid” cyber-exchange between Ukraine and Russia significantly impacted critical infrastructure in both countries. The Russian hacktivist entity, Solntsepyok, allegedly assisted by GRU cyberwarfare unit, Sandworm, targeted Ukraine’s largest mobile communications provider, Kyivstar.
Both sides utilized a “frontline” of civilian volunteers while having support from offensive intelligence services.
Solntsepyok claimed responsibility through a 13/12/2023 post on the Telegram messaging app, accompanied by screenshots purporting to show their penetration into Kyivstar's servers.
The attack cut off over 24 million Ukrainians’ internet access for several days. In some localities, this meant no banking access or payment card services.
Ukraine’s SBU investigation found the hackers probably attempted to penetrate Kyivstar in March and had a way into the telecommunications provider’s network since at least May.
Kyivstar's CEO, Oleksandr Komarov, said on 20/12/2023 that all the company's services had been fully restored throughout the country.
During this time period, water utilities in parts of Russia started suffering from their own similar service outages.
It was revealed on 20/12/2023, that a pro-Ukrainian threat actor BLACKJACK, with alleged help from agents of Ukraine’s Security Service, had attacked Rosvodokanal, the largest private water company in Russia providing water to over 7 million Russian citizens, in retaliation for the attack on Kyivstar.
Analysis:
This exchange is remarkable for both the impact of the cyber attack on critical infrastructure, and the tactics utilized. This is one of the most public uses of both civilian and military assets within a cyber operation.
The method of the attack on Kyivstar was through a compromised employee account, a significant detail, as it indicates potential for either an insider threat or possible social engineering attempts. More details will need to be revealed.
The swift response from BLACKJACK is indicative of both an incredibly skilled operation, and either intelligence or direct access provided by Ukrainian intelligence.
Solntsepyok, while ostensibly a hacktivist organization working for Russian interests similar to groups like KillNet and Anonymous Sudan, has been tied to units of the Russian GRU before. Ukrainian authorities have accused the group of effectively being a deniability screen for Sandworm.
BLACKJACK is a pro-Ukrainian threat actor that specializes in data theft and wiping. The attack against Rosvodokanal impacted over 6000 devices in a critical sector, and allegedly provided 1.5 terabytes of data to Ukrainian authorities for analysis.
The attack by BLACKJACK on Rosvodokanal was particularly extensive, resulting in the erasure of over 50 terabytes of data.
Conclusion:
The involvement of both state-sponsored units like GRU's Sandworm and non-state hacktivist groups like Solntsepyok and BLACKJACK in these cyber exchanges highlights a blurring line between state and non-state actors in cyber warfare.
The method of attack on Kyivstar through a compromised employee account underscores the critical need for robust insider threat management programs. Security professionals must focus not only on external threats but also on potential vulnerabilities from within their organizations, including rigorous employee vetting, continuous monitoring, and comprehensive security awareness training.
The attacks on both Kyivstar and Rosvodokanal demonstrate that critical infrastructure sectors are prime targets in cyber warfare with the intention capability to cause significant disruptions to civilians. This calls for heightened security measures in such sectors, including regular security audits, adoption of robust cybersecurity frameworks, and emergency response planning.