Leader of Ukrainian Hacking Group: GRU Bribed Kyivstar Employee to Hack Company’s Network

Kyivstar office. Photo credits: Kyivstar

Russian military intelligence gained access to Kyivstar’s network through a pre-recruited agent within the company.

This was stated by Yevhen Karpyuk, the leader of the 4bid hacker group (who describes himself as a cybersecurity specialist), in an interview titled “A Candid Interview with a ‘Grey’ Hacker,” published on the “LUNKOVA” YouTube channel.

An attack of this scale was unlikely to be the result of an exclusively external hack.

“The GRU [ed.: referring to the Main Directorate of the General Staff of the Russian Armed Forces, abbr. MD GS] didn’t hack Kyivstar; it simply bought a Kyivstar employee,” Karpyuk said of the cyberattack on the operator.

Russian intelligence services could have spent years “cultivating a mole”: a person who, over time, gained the necessary level of access to the operator’s critical infrastructure, after which this access was transferred to representatives of the GRU.

The technical aspect of the attack itself was not particularly complex, and its devastating consequences were due precisely to the depth of the access obtained.

Yevhen Karpyuk bases this assessment on a conversation with a Kyivstar employee who held a senior position at the company. Under normal circumstances, restoring network operations could have taken about a week.

This refers to a large-scale attack on Kyivstar’s infrastructure on December 12, 2023, which caused a failure of mobile communications and the internet across Ukraine.

The Security Service of Ukraine later reported that the attack was carried out by the Sandworm hacker group, linked to the GRU.

The investigation established the involvement of hackers from military unit 74455, which specializes in cyberattacks against critical infrastructure.

Earlier, Reuters, citing Ilya Vityuk, head of the SSU’s cybersecurity department, reported that Russian hackers may have been in the operator’s systems since at least May 2023.

In 2020, officers from military unit 74455 were accused of cyberattacks using the NotPetya and Blackout-3 viruses against Ukrainian energy companies; specifically, they were accused of causing power outages in the Ivano-Frankivsk region.

Officers from military unit 74455 accused of cyberattacks. 2020. Photo credits: Molfar.Institute

The attack on Kyivstar was one of the largest cyberattacks on Ukraine’s civilian telecommunications infrastructure during the full-scale war.

The SSU recently established regional cyber centers to protect critical infrastructure.
