THE HAGUE/LONDON, June 14 (Reuters) – Prosecutors at the International Criminal Court are investigating alleged Russian cyberattacks on Ukrainian civilian infrastructure as possible war crimes, four sources familiar with the case have told Reuters.
It is the first confirmation that attacks in cyberspace are being investigated by international prosecutors, which could lead to arrest warrants if enough evidence is gathered.
The probe is examining attacks on infrastructure that endangered lives by disrupting power and water supplies, cutting connections to emergency responders or knocking out mobile data services that transmit air raid warnings, one official said.
ICC prosecutors are working alongside Ukrainian teams to investigate “cyberattacks committed from the beginning of the full-scale invasion” in February 2022, said the official, who declined to be named because the probe is not finished.
Two other sources close to the ICC prosecutor’s office confirmed they were looking into cyberattacks in Ukraine and said they could go back as far as 2015, the year after Russia’s seizure and unilateral annexation of the Crimean Peninsula from Ukraine.
Moscow has previously denied that it carries out cyberattacks, and officials have cast such accusations as attempts to incite anti-Russian sentiment.
Ukraine is collecting evidence to support the ICC prosecutor’s investigation.
The ICC prosecutor’s office declined to comment on Friday, but has previously said it has jurisdiction to investigate cybercrimes. It has also said it cannot comment on matters related to ongoing investigations.
RUSSIANS ACCUSED OF CRIMES AGAINST HUMANITY
The court has issued four arrest warrants against senior Russian suspects since the beginning of the invasion. These include President Vladimir Putin, suspected of a war crime over the deportation of Ukrainian children to Russia.
Russia, which is not a member of the ICC, dismissed that decision as “null and void”. Ukraine is also not a member, but has granted the ICC jurisdiction to prosecute crimes committed on its territory.
In April, a pre-trial chamber issued arrest warrants alleging that two Russian commanders had committed crimes against humanity with strikes against civilian infrastructure. The Russian defence ministry did not respond to a request for comment at the time.
At least four major attacks on energy infrastructure are being examined, two sources with knowledge of the investigation told Reuters.
A senior source said one group of Russian hackers in the ICC’s crosshairs is known in cybersecurity research circles as “Sandworm”, and is believed by Ukrainian officials and cyber experts to be linked to Russian military intelligence.
A team at the Human Rights Center, UC Berkeley School of Law, has been investigating Sandworm’s cyberattacks targeting Ukrainian civilian infrastructure since 2021, and made confidential submissions to the ICC in 2022 and 2023 identifying five cyberattacks it said could be charged as war crimes.
Sandworm is suspected of a string of high-profile attacks, including a successful 2015 attack on a power grid in western Ukraine – one of the first of its kind, according to cybersecurity researchers.
A group of activist hackers calling themselves “Solntsepyok” (“hot spot”) claimed responsibility for a major attack on the Ukrainian mobile telecommunications provider Kyivstar last Dec. 12. Ukrainian security services identified that group as a front for Sandworm.
Sandworm is also believed by Kyiv to have carried out extensive cyberespionage against Western governments on behalf of Russia’s intelligence agencies.
CAN A CYBERATTACK BE A WAR CRIME?
Cyberattacks that target industrial control systems, the technology that underpins much of the world’s industrial infrastructure, are rare, but Russia is one of a small club of nations that possess the means to do so, the cybersecurity researchers said.
The ICC case, which could set a precedent for international law, is being closely followed.
The body of international law covering armed conflict, enshrined in the Geneva Conventions, bans attacks on civilian objects, but there is no universally accepted definition of what constitutes a cyber war crime.
Legal scholars in 2017 drafted a handbook called the Tallinn Manual on the application of international law to cyberwarfare and cyber operations.
But experts interviewed by Reuters say it is unclear whether data itself can be considered the “object” of an attack banned under international humanitarian law, and whether its destruction, which could be devastating for civilians, can be a war crime.
“If the court takes on this issue, that would create great clarity for us,” said Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual process.
Schmitt believes that the hack of Kyivstar, owned by the Dutch company Veon, meets the criteria to be defined as a war crime.
“You always look at the foreseeable consequences of your operation. And, you know, that was a foreseeable consequence that placed human beings at risk.”
Ukraine’s intelligence agency said it had provided details of the incident to ICC investigators in The Hague. Kyivstar said it was analysing the attack in partnership with international suppliers and the SBU, Ukraine’s intelligence agency.
Reporting by Anthony Deutsch and Stephanie van den Berg in The Hague, Tom Balmforth in Kyiv and James Pearson in London; Editing by Mike Collett-White and Kevin Liffey