Ukraine Arrests ‘Hacker’ It Says Was Routing Calls for Russian Troops

The Security Service of Ukraine (SSU) says it has detained a “hacker” who was providing technical assistance to Russian troops in Ukraine by routing phone calls on their behalf, and who also sent text messages to Ukrainian security forces suggesting they surrender. In short, the hacker appeared to be leveraging Ukrainian phone networks to facilitate Russian military communications.

The news provides a look at the sort of technical operations that are underpinning parts of the invasion, and comes as Russian troops have faced multiple issues around communications, including being unable to use their own established secure communications network.

“I think it’s significant, it adds a bit of depth to the question as to why the Ukrainian mobile networks are still up—they still have some utility to Russian forces,” Cathal McDaid, CTO at cybersecurity firm AdaptiveMobile, told Motherboard in an online chat. McDaid added that the Ukrainian’s defensive measures have made it harder for Russian troops to communicate effectively.

In an announcement posted to the SSU’s official Facebook and Telegram accounts, the SSU wrote that “[SSU] detained a hacker who provided the occupiers mobile connection in Ukraine.” The announcement claims that this hacker helped facilitate thousands of calls in just one day. 

Specifically, the announcement said that the hacker helped Russia make anonymous phone calls to invaders based in Ukraine; passed commands and instructions to groups of Russian troops; and sent text messages to “Ukrainian security officers and civil servants with proposals to surrender and side with the occupiers,” according to a translation of the announcement.

The SSU also shared a number of photos allegedly of the hacker sitting in handcuffs alongside their equipment. They include a Windows PC with gaming keyboard and mouse, and a spread of telecommunications-related devices.

Earlier on in the invasion, Ukrainian telecommunications operators blocked phones with Russian and Belarusian numbers from connecting to their networks. In response, Russian troops began to steal phones from ordinary Ukrainian civilians, the Interfax news service reported at the start of the month.

“Something like this, to this extent, has never been done,” McDaid said of Ukraine’s defensive moves on its telecommunications networks. The use of at least one hacker like the one in the released images is a consequence of what Ukraine has effectively forced Russia to do, “because of the literally unprecedented and effective security moves the Ukrainian mobile operators have made,” McDaid added.

The images include a white laptop sized device known as a SIM box, which can be used to relay voice calls and text messages. Because Russian numbers won’t work in the country, a hacker could use such a device to control multiple different SIM cards at once, either bought locally or sourced from other countries, and facilitate communication that way.

“So they use a SIM box, which received the phone call over IP, and then transmits it over the mobile network to the Russian commanders (who presumably have a phone with a Ukrainian or foreign SIM),” McDaid said. “That's a lot of work in order to get a phone call.”

And, it’s not particularly secure. “Military forces should NEVER use SIMBox for comms. Large scale broadcasts, or spam, I understand, but not for communications. But the fact they are having to use these systems is that they have been 'hemmed in' by the Ukrainians to less and less secure systems.”

Ukrainian intelligence have been able to intercept calls between Russian officials because of their use of less secure systems. Earlier this month Ukrainian authorities intercepted, and then publicly released, a call between what they said were two FSB officers which revealed that a Russian general had been killed in combat.

“Can you get on a secure channel?” one of the officers asked in the call. “The secure doesn’t work here, we can’t get anyone,” was the reply.

In the latest announcement talking about the detained hacker, the SSU added “He will be held accountable for all the severity of the law. Because on it is the blood of tens or even hundreds of killed Ukrainians.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.