For roughly ten months, a Russia-aligned hacking group held concealed access inside the networks of multiple Ukrainian telecommunications providers without being detected. Ukraine’s national cybersecurity authority, CERT-UA, publicly named the group in late May 2026, designating it GREYVIBE and tying it to a sustained intrusion campaign that began in August 2025. The disclosure, published in an official agency bulletin, marks one of the longest-running telecom compromises attributed to a state-aligned actor since Russia’s full-scale invasion began in 2022.
What CERT-UA found
CERT-UA operates under Ukraine’s State Service of Special Communications and Information Protection and serves as the country’s primary computer emergency response team. The agency has a documented track record of publicly attributing cyber operations to Russian military and intelligence-linked groups, including Sandworm and APT28. Its findings carry the weight of official government material.
In this case, CERT-UA described GREYVIBE as a Russia-aligned group that incorporates AI into its operations, though the agency did not release technical details about how AI was used in the telecom intrusions specifically. What the bulletin did make clear is the operational pattern: GREYVIBE prioritized persistence over destruction. Rather than knocking services offline or stealing data in bulk, the group built durable, hidden footholds across multiple operators and maintained them for months.
That kind of access inside a telecom network is extraordinarily valuable during wartime. Providers carry voice calls, text messages, and internet traffic for millions of subscribers. An intruder embedded at the right depth could harvest call metadata, map communication patterns among military units and government officials, track the physical movements of specific handsets, and potentially intercept unencrypted content. All of that intelligence feeds directly into battlefield targeting and covert operations.
Maintaining that access undetected for nearly a year across more than one operator also signals technical sophistication. It requires stealthy initial entry, resilient command-and-control channels, and the ability to survive routine patching and security audits. GREYVIBE apparently managed all three.
What is still unknown
CERT-UA did not name the specific telecom operators that were compromised. Ukraine’s mobile market is dominated by three major players: Kyivstar (owned by VEON), Vodafone Ukraine, and lifecell. Together they serve tens of millions of subscribers. Without knowing which providers were hit, it is impossible to gauge the full scale of exposure or determine whether the intrusions reached networks serving particular military districts or government agencies.
The timeline also has gaps. The bulletin states that access began in August 2025, but it does not specify whether all operators were breached at the same time or in sequence, or when each intrusion was finally discovered. Those details matter because dwell time directly determines how much intelligence an attacker can collect.
The AI dimension remains the least substantiated element. CERT-UA characterized GREYVIBE as a group that uses AI across its operations, but published no indicators of compromise, no malware samples, and no technical appendices describing AI-enabled tooling in connection with this campaign. Whether AI was applied to phishing, lateral movement, traffic analysis, or evasion is left unstated. That gap makes it difficult for defenders elsewhere to assess whether similar techniques might already be in play against their own infrastructure.
Cross-referencing is another open question. Threat intelligence firms such as Mandiant, Microsoft, and Recorded Future track Russian cyber actors under their own naming conventions. No public mapping between GREYVIBE and any commercially tracked cluster has been confirmed. Until that link is established, it is hard to connect this campaign to previously reported operations or build a fuller picture of the group’s history.
Why telecom intrusions hit differently
Telecom compromises occupy a unique category in cyber conflict because they combine espionage value with the potential for future disruption. The distinction matters. A group that has mapped a provider’s core routing infrastructure can, at a moment of its choosing, degrade or sever service to specific regions. That capability becomes a strategic weapon during an active war, where communications blackouts can isolate military units or sow civilian panic.
Ukraine has already experienced this firsthand. In December 2023, a cyberattack attributed to Russian military intelligence knocked Kyivstar, the country’s largest mobile operator, offline for days, disrupting service for roughly 24 million subscribers. That attack was loud and immediate. The GREYVIBE campaign represents the quieter, arguably more dangerous end of the spectrum: patient, invisible, and designed to extract maximum intelligence before anyone realizes something is wrong.
The pattern also echoes incidents outside Ukraine. The Salt Typhoon campaign, attributed to Chinese state-linked hackers, compromised major U.S. telecom providers in 2024 and 2025, exposing call records and wiretap systems. The operational logic is the same: telecom networks are high-value targets because they sit at the intersection of civilian life, government communication, and military coordination.
What defenders should take from this
For organizations connected to Ukrainian telecom infrastructure, the GREYVIBE case carries a blunt message: sophisticated state-aligned actors may already be inside your network, and they will not announce themselves with a service outage. Detection strategies built around spotting loud, disruptive attacks will miss this kind of adversary entirely.
CERT-UA’s disclosure, even without detailed indicators of compromise, gives defenders a reason to prioritize hunting for subtle anomalies: administrative logins from unexpected source addresses or at unusual hours, configuration changes made outside approved maintenance windows or from unfamiliar sources, and egress traffic volumes that do not match normal baselines. It also reinforces the value of close coordination with national cyber authorities. When agencies like CERT-UA publish targeted alerts, those notices can help operators focus investigations that might otherwise never get started.
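The hunting approach sketched above, as an added example that is not part of the CERT-UA bulletin or of any operator’s tooling: a small rule-based pass over constructed administrative and flow log lines. The log format, host names, accounts, source prefixes, maintenance window and byte threshold are all invented for illustration; a real deployment would learn the baselines from weeks of clean logs and feed its output into a SIEM rather than a list.

```python
"""Hunt for the anomalies listed above (unusual admin activity, unexpected
configuration changes, off-baseline traffic) over constructed log lines.

Added example, not from the CERT-UA bulletin or any named operator. The log
format, host names, accounts, baselines and thresholds are all invented.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Constructed baseline per admin account: source prefixes and UTC hours
# normally seen. In practice this is learned from weeks of clean logs.
BASELINE = {
    "netadmin": {"src_prefixes": ("10.20.",), "hours": range(7, 20)},
    "noc-oncall": {"src_prefixes": ("10.20.", "10.21."), "hours": range(0, 24)},
}
INTERNAL_PREFIXES = ("10.",)               # assumption: 10/8 is the management network
CHANGE_WINDOW = (time(1, 0), time(5, 0))   # assumption: 01:00-05:00 UTC maintenance window
EGRESS_BYTES_THRESHOLD = 50_000_000        # assumption: per-flow egress above this is unusual


@dataclass
class Finding:
    ts: str
    subject: str   # admin account or host the finding concerns
    reason: str


def parse_line(line: str) -> dict:
    """Parse 'ts key=value key=value ...' (constructed format) into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def hunt(lines: list[str]) -> list[Finding]:
    """Apply the three hunting rules to each line; findings come back in log order."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        action = rec.get("action")

        # Rule 3: traffic that does not match baseline (large flow leaving the network).
        if action == "flow":
            dst, size = rec.get("dst", ""), int(rec.get("bytes", "0"))
            if not dst.startswith(INTERNAL_PREFIXES) and size > EGRESS_BYTES_THRESHOLD:
                findings.append(Finding(rec["ts"], rec.get("host", "?"),
                                        f"large egress flow of {size} bytes to {dst}"))
            continue

        # Rule 1: administrative activity outside the account's baseline.
        user = rec.get("user", "?")
        base = BASELINE.get(user)
        if base is None:
            findings.append(Finding(rec["ts"], user, "admin account not in baseline"))
            continue
        src = rec.get("src", "")
        if action == "login":
            if not src.startswith(base["src_prefixes"]):
                findings.append(Finding(rec["ts"], user, f"login from unexpected source {src}"))
            if ts.hour not in base["hours"]:
                findings.append(Finding(rec["ts"], user, f"login at unusual hour {ts.hour:02d}:00Z"))

        # Rule 2: configuration changes outside the window or from an unexpected source.
        elif action == "config_change":
            start, end = CHANGE_WINDOW
            host = rec.get("host", "?")
            if not (start <= ts.time() < end):
                findings.append(Finding(rec["ts"], user, f"config change outside maintenance window on {host}"))
            elif not src.startswith(base["src_prefixes"]):
                findings.append(Finding(rec["ts"], user, f"config change from unexpected source {src} on {host}"))
    return findings


# Constructed sample log lines; IPs come from documentation ranges, hosts are invented.
SAMPLE_LOGS = [
    "2025-09-14T09:12:03Z host=core-rtr01 user=netadmin src=10.20.4.17 action=login result=success",
    "2025-09-14T02:13:44Z host=core-rtr01 user=netadmin src=203.0.113.45 action=login result=success",
    "2025-09-14T02:15:10Z host=core-rtr01 user=netadmin src=203.0.113.45 action=config_change object=route-map",
    "2025-09-14T02:20:31Z host=core-rtr01 action=flow dst=198.51.100.7 bytes=73400320",
    "2025-09-14T14:40:00Z host=hlr-01 user=svc-backup src=10.20.9.2 action=login result=success",
    "2025-09-14T03:00:00Z host=core-rtr02 user=noc-oncall src=10.21.1.5 action=config_change object=acl",
    "2025-09-14T10:05:00Z host=core-rtr02 action=flow dst=10.20.50.3 bytes=900000000",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.ts} {f.subject}: {f.reason}")
```

Run stand-alone, the script flags the off-hours login from an unexpected address, the configuration change made from that same address inside the maintenance window, the large external flow that follows, and the login by an account with no baseline, while leaving the routine on-call change and the large internal transfer alone. The point is the shape of the rules, not the thresholds: each one compares an event against what the operator already knows to be normal, which is what a quiet, persistence-focused intruder is counting on nobody doing.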
The broader lesson extends beyond Ukraine. Persistent, low-visibility access to telecom infrastructure is not a theoretical risk. It is an active, documented tactic used by state-aligned groups on multiple continents. The question for every telecom operator is not whether someone would try, but whether they would notice if someone already had.
*This article was researched with the help of AI, with human editors creating the final content.