Kyivstar Disputes SBU Claims: No Evidence of Months-Long Hacker Access Found, Company States

Ukraine’s largest mobile operator Kyivstar has publicly contested statements made by the Security Service of Ukraine (SBU) regarding the scope and duration of the December 2023 cyberattack that crippled the nation’s telecommunications infrastructure. In a significant development that highlights potential disagreements between corporate and government assessments of the incident, the company has firmly denied that hackers maintained prolonged access to its systems, contradicting earlier intelligence agency claims that suggested adversaries had infiltrated the network for months before launching their devastating attack.

The telecommunications giant, which serves approximately 24 million subscribers across Ukraine, emphasized that its internal investigation found no evidence supporting the SBU’s assertion that Russian-linked hackers had embedded themselves within Kyivstar’s infrastructure for an extended period prior to the attack. Company representatives stated categorically that the comprehensive forensic examination of affected systems found no indication that subscribers’ personal data had been leaked. This statement carries significant weight given the sensitive nature of telecommunications data, which includes call records, location information, and personal identification details of millions of Ukrainian citizens.

The December 2023 cyberattack on Kyivstar represented one of the most significant assaults on civilian infrastructure since Russia’s full-scale invasion began in February 2022. The attack rendered mobile and internet services unavailable for millions of Ukrainians for several days, disrupting not only personal communications but also critical services including air raid alert systems, banking operations, and point-of-sale terminals across the country. The incident demonstrated the vulnerability of essential civilian infrastructure during wartime and raised serious questions about cybersecurity preparedness in the telecommunications sector.

The SBU had previously attributed the attack to the Russian military intelligence hacking group known as Sandworm, a unit within the GRU that has been responsible for numerous high-profile cyberattacks globally, including the NotPetya malware outbreak in 2017 that caused billions of dollars in damage worldwide. According to the intelligence agency’s earlier statements, the hackers had gained access to Kyivstar’s systems several months before executing the destructive phase of their operation, allowing them to map the network architecture and identify critical vulnerabilities. This claim, now disputed by Kyivstar, suggested a sophisticated, patient approach typical of state-sponsored advanced persistent threat actors.

The discrepancy between governmental and corporate assessments of cyberattacks is not unprecedented in the cybersecurity field. Organizations often have differing methodologies for investigating breaches, and the fog of cyber warfare can make definitive attribution and timeline reconstruction extremely challenging. Technical forensics teams may reach different conclusions based on available evidence, preservation of logs, and analytical approaches. Furthermore, corporations may have reputational and legal incentives to minimize the perceived scope of security incidents, while intelligence agencies might emphasize worst-case scenarios for strategic communication purposes.

Kyivstar’s parent company, VEON, a multinational telecommunications conglomerate headquartered in Amsterdam, invested heavily in restoration efforts following the attack. The company reportedly spent significant resources rebuilding affected infrastructure and implementing enhanced security measures to prevent future incidents. Industry experts note that modern telecommunications networks are extraordinarily complex, with thousands of interconnected systems that can provide numerous potential entry points for sophisticated attackers. The restoration of services within several days, while impressive from an operational standpoint, does not necessarily provide clarity on how long adversaries may have had access prior to revealing their presence.

The debate over the attack’s timeline and scope has implications beyond corporate reputation. Understanding how long attackers maintained access is crucial for assessing what intelligence they may have gathered during their presence within the network. If hackers did indeed have months of undetected access, they could potentially have collected vast amounts of sensitive data about Ukrainian citizens, including government officials, military personnel, and their communication patterns. Conversely, if Kyivstar’s assessment is accurate and access was limited, the damage to national security may be less severe than initially feared.

As Ukraine continues to defend against both kinetic and cyber warfare, the Kyivstar incident serves as a stark reminder of the critical importance of robust cybersecurity measures in protecting civilian infrastructure. The Ukrainian government has significantly expanded its cyber defense capabilities since 2022, working closely with Western partners and private sector experts to strengthen resilience against Russian attacks. However, the ongoing disagreement between the SBU and Kyivstar over the basic facts of this major incident underscores the challenges of achieving complete transparency and consensus in the aftermath of sophisticated cyberattacks, even among allies working toward the same defensive goals.