Sandworm's Kyivstar attack should serve as a reminder of the Kremlin crew's 'global reach'

Russia's Sandworm crew appear to have been responsible for knocking out mobile and internet services to about 24 million users in Ukraine last month with an attack on telco giant Kyivstar. The criminals lurked in the telco's systems for at least six months leading up to the attack, then wiped "almost everything," according to …

  1. Khaptain Silver badge

    User data leakage ?

    "no facts of leakage of personal and subscriber data have been revealed."

    I would consider that losing all access to telecommunications and/or the Internet to be a far more serious event compared to simply having my details revealed. I really wouldn't like to lose access to all comms during a war/invasion.

    1. Whitter

      Re: User data leakage ?

      At least nobody believes the company exec line, as indicated by "I am very concerned that Ukraine's counter offensive was monitored in real time and troop locations were exposed to facilitate drone strikes"

      While we've all become accustomed to nonsense being spouted from exec's about data breaches, I wonder if Ukraine will accept such glibness in their current wartime scenario?

      1. Jellied Eel Silver badge

        Re: User data leakage ?

        At least nobody believes the company exec line, as indicated by "I am very concerned that Ukraine's counter offensive was monitored in real time and troop locations were exposed to facilitate drone strikes"

        I think that's more likely bad OPSEC and PERSEC. This has been a selfie-war with troops using their 'smart' phones to upload to social media. Here's a warcrime, don't forget to like, comment and subscribe. Azov even has its own publicity unit that stages heroic action clips that rarely show any incoming fire, but get a lot of views and are monetised. Russia meanwhile apparently doesn't let its soldiers carry mobile phones routinely because it's probably aware that they're beacons that can be visible from space, or highly visible and triangulated by electronic warfare on the ground. Most NATO forces know this, so Ukraine should have known that carrying transmitters is a very bad idea. Especially when those transmitters are in treelines where you'd not normally expect RF.

        If Russia had managed to get subscriber data, it would have been fairly trivial to track individuals by IMEI/IMSI, build contact webs and strike at clusters of mobiles. This conflict has shown just how hard it is to conceal yourself on a modern battlefield. There's videos from both Russia and Ukraine showing drones tracking 'civilian' vehicles to and from artillery positions, then locating and striking the ammo and resupply hubs.

  2. froggreatest

    not enough talent

    It is very difficult to understand what methods were used in the attack to gain such wide access. But more mitigations could have been applied long before. Nonetheless part of the problem is that telcos are not the ones offering a top dollar for the engineering talent, not to mention that a country is at war and rely on their internal capacity. Security is not just an expense anymore and more pros should be present in such companies.

    1. Jellied Eel Silver badge

      Re: not enough talent

      Security is not just an expense anymore and more pros should be present in such companies.

      They probably are, but the challenge might be identifying them. Kyivstar's owned by a 'Russian' company after all and it's probable that interested nations like Russia would have placed agents inside Vimpe, Veon and Kyivstar. Insider threats are always the hardest to defend against.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: not enough talent

        @Jellied_Eel

        Quote: "Security is not just an expense anymore and more pros should be present in such companies."

        So....security is JUST ABOUT companies............................

        What about actual citizens? You know, people who need secure credit cards, secure bank accounts, secure medical records....

        Yup...I know....big megabuck companies get MUCH more sympathy than thousands of citizens who are wide open on the interweb!!!

        1. Jellied Eel Silver badge

          Re: not enough talent

          So....security is JUST ABOUT companies...

          Nope, it's about concentration of risk, and how to mitigate those...

          What about actual citizens? You know, people who need secure credit cards, secure bank accounts, secure medical records....

          ... because the impacts can be huge. So Optus had a bad day a short while ago and its network went down as well. All the stuff dependent on Optus and Kyivstar had a bad day. In Ukraine, that may have led to people being targeted, or just denied alerts from their air defence network. Because people know there's value in attacking some companies, they'll do it for extortion, lolz, or because there's a war on. Where there's a concentration of risk, governments may decide it's critical infrastructure and impose requirements, like vetting staff in key roles. But that doesn't always work, eg Snowden, Manning etc.

          Those are the hardest to defend against, ie staff need access to systems, so there has to be a level of trust. Both Snowden and Manning had high levels of trust, but abused it. That's hard to predict, although there is stuff like MICE (Money, Ideology, Conscience or Ego). That may have played a part in Kyivstar, ie an insider disagreeing with Kiev, or sympathetic to Russia and decided (or was persuaded) to help, as well as all the external threats from hackers.

          So then it's about taking a holistic approach to security. A lot of companies don't do that very well, ie lack of internal firewalls or security devices. But that gets expensive, ie designing a system that can monitor critical systems for tampering. Or having strong change control processes to check and approve changes, or just let netengs alter BGP configs on core devices and the inevitable happens. The attack on Kyivstar looks like it happened over quite a while, so how internal audit processes and systems may have prevented that. Which is an expensive, and often people-heavy process, ie accessing subscriber info is necessary for X staff, copying a million subscribers' info to a USB device is something to be concerned about.

          So how do you mitigate those risks? Especially when there may be conflicting legislation. So workplace surveillance is a complex subject, failure to secure personal data is perhaps less complex and the consequences expensive in financial and reputational concerns. Vetting staff might be compulsory, if aspects of the business are classified, but can be imperfect, or conflict with legislation. Kyivstar could have dismissed 'Russian' or 'pro-Russian' staff, but that's discriminatory, even if it may improve security. Sometimes it may not be possible to properly vet staff anyway. In the US, Oregon passed gun control legislation that required an FBI background check. FBI pointed out that that's probably illegal.

          So it's a wicked problem to solve, but it doesn't mean that businesses shouldn't be doing a lot better.

          1. Anonymous Coward

            JE spreading confusion... again

            > So Optus had a bad day a short while ago and it's network went down as well.

            The reasons why Optus had some downtime are pretty well understood in the telecom industry, and beyond.

            As a subsidiary of Singtel, Optus is connected to Singtel's Internet Exchange (known as STiX). STiX underwent a software upgrade on one of its routers at 1am SGT on 8 November 2023. As already planned, Optus IPX traffic was rerouted to other STiX PoPs during the upgrade, which lasted 20 min. The upgrade went successfully and Optus reconnected to its usual STiX PoP, but then Optus was flooded with reconfiguration requests. Which triggered failsafe isolation procedures (this is why Singtel points its finger at the safety procedure and not its upgrade). This has nothing to do with an attack such as the one that Kyivstar just experienced (and recovered from). Notably pro-Russian Jellied Eel is spreading confusion here again.

            Kyivstar network was compromised at least since May 2023 by Sandworm, and, as perfectly well reported by Jessica in her article, the intent of the attackers was a total wipe out of Kyivstar's IT and network. This is a major security event. As far as I know, unprecedented and has nothing to do with operations mishap.

            1. Jellied Eel Silver badge

              Re: JE spreading confusion... again

              This has nothing to do with an attack such as the one that Kyivstar just experienced (and recovered from). Notably pro-Russian Jellied Eel is spreading confusion here again.

              I am not the BBC, it is not my job to spread misinformation. I work in the telecoms industry, and I've seen events like Optus happen before. That was an avoidable operations error that took Optus offline.

              Optus was flooded with reconfiguration requests. Which triggered failsafe isolation procedures

              So it BGP'd itself to death, the 'failsafe' procedure turned out to be rather unsafe given it crippled a fair chunk of Australia's internal and external connectivity, and the rest is history. Hopefully Optus has now reviewed that procedure so it can't be used by attackers to shut Australia down again.

              I deliberately chose them as an example of the way good security can mitigate against intentional or unintentional attacks given they can have the same outcome.

              Notably pro-Russian Jellied Eel

              I've said it before, and I'll say it again, I'm actually pro-peace and democracy. Unlike you, it seems.

                1. Anonymous Coward

                Re: JE spreading confusion... again

                > I work in the telecom industry,

                So do I, and I often catch you misinformed and spreading misconception. Like in the following citation:

                > Hopefully Optus has now reviewed that procedure so it can't be used by attackers to shut Australia down again.

                Attackers had nothing to do with it.

                > So BGP'd itself to death, the 'failsafe' procedure turned out to be rather unsafe

                No. Failsafes exist for a reason. Also, default Cisco threshold values were configured. Cloudflare recorded nearly one million BGP route announcements originating from the Optus network at the time against less than 3,000 typical.

                > I'm actually pro-peace and democracy

                Supporting Putin and claiming to be pro-democracy. Nice final JE.

                1. Jellied Eel Silver badge

                  Re: AC spreading confusion... again

                  No. Failsafes exist for a reason. Also, default Cisco threshold values were configured. Cloudflare recorded nearly one million BGP route announcements originating from the Optus network at the time against less than 3,000 typical.

                  Oh dear. Defaults for anything are always the safest option, right? But I really hope you're not a net eng. Or blindly trust Cisco. But a bit of a clue for you-

                  router bgp 300
                   no synchronization
                   bgp router-id 10.0.0.2
                   bgp log-neighbor-changes
                   neighbor 10.0.0.1 remote-as 200
                   neighbor 10.0.0.1 ebgp-multihop 2
                   neighbor 10.0.0.1 update-source Loopback0
                   neighbor 10.0.0.1 version 4
                   neighbor 10.0.0.1 maximum-prefix 1000000 80

                  All good, right? See also-

                  https://www.cidr-report.org/as2.0/

                  And you do know the Singapore Internet Exchange is SGIX, and STiX is Singtel's wholesale IP transit service.. don't you? So Singtel's router, being the neighbor would have (and I've worked with their netengs before) had a rather.. saner max prefix limit, so if/when a neighbor decides 'Hey, I'm going to redist the entire Internet!', they don't have to buy everyone beers at the next APNIC event.

                  But basically the RFO wasn't what you said it was, isn't really relevant to this discussion other than how clueless people spread misinformation, and ops errors can take down networks just as effectively as attackers can.
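The exchange above turns on what a `maximum-prefix <limit> [<warn%>]` setting actually does when a neighbour starts announcing far more routes than usual. The following simplified model is an added illustration, not vendor code or anything from the thread: it replays a constructed leak of 20,000 prefixes through the thread's `1000000 80` setting and through a tighter limit sized for a neighbour that normally sends under 3,000 routes, and shows which one tears the session down. The warning and shutdown semantics are a simplification of how real BGP implementations behave.

```python
"""Simplified model of a BGP maximum-prefix safeguard (added example)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass
class PrefixLimitSession:
    neighbor: str
    max_prefix: int            # hard limit: exceeding it tears the session down
    warn_pct: int = 75         # log a warning once this percentage is reached
    prefixes: Set[str] = field(default_factory=set)
    state: str = "Established"
    warned: bool = False
    events: List[str] = field(default_factory=list)

    def announce(self, prefix: str) -> None:
        """Accept one prefix from the neighbor and re-evaluate the limit."""
        if self.state != "Established":
            return                              # session already torn down
        self.prefixes.add(prefix)
        count = len(self.prefixes)
        if count > self.max_prefix:
            self.state = "Idle(PfxCt)"          # state name mirrors what IOS reports
            self.events.append(f"{self.neighbor}: {count} prefixes exceeds "
                               f"limit {self.max_prefix}, session shut down")
        elif not self.warned and count * 100 >= self.max_prefix * self.warn_pct:
            self.warned = True                  # warn once, keep the session up
            self.events.append(f"{self.neighbor}: {count} prefixes reached "
                               f"{self.warn_pct}% of limit {self.max_prefix}")

    def withdraw(self, prefix: str) -> None:
        self.prefixes.discard(prefix)


def replay(neighbor: str, updates: Iterable[Tuple[str, str]],
           max_prefix: int, warn_pct: int) -> PrefixLimitSession:
    """Feed a sequence of ('A'|'W', prefix) updates through the limit check."""
    sess = PrefixLimitSession(neighbor, max_prefix, warn_pct)
    for op, pfx in updates:
        (sess.announce if op == "A" else sess.withdraw)(pfx)
    return sess


def leak(n: int) -> List[Tuple[str, str]]:
    """Constructed sample: n distinct /24s standing in for a redistributed table."""
    return [("A", f"10.{(i >> 8) & 255}.{i & 255}.0/24") for i in range(n)]


if __name__ == "__main__":
    for limit in (1_000_000, 6_000):       # thread's value vs a limit sized to ~3k typical
        s = replay("10.0.0.1", leak(20_000), limit, 80)
        print(limit, s.state, len(s.prefixes), s.events)
```

With the thread's limit the session stays up and accepts all 20,000 routes; with the tighter limit it warns at 4,800 and drops the neighbour at 6,001, which is the behaviour the max-prefix knob is meant to provide.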

  3. Anonymous Coward

    Putin probably asked his republican chums

    For the Cisco backdoor to Kyivstar's routers.

    1. Anonymous Coward

      Re: Putin probably asked his republican chums

      Also Netcracker is a Russian equipment and BSS vendor working closely with VimpelCom on many of its subsidiaries. Including in Kyivstar. So you don't need to attack from the outside when you already have access as a vendor.
