Prosecutors at the International Criminal Court are investigating alleged Russian cyberattacks on Ukrainian civilian infrastructure as possible war crimes, four sources familiar with the case have told Reuters.
It is the first confirmation that attacks in cyberspace are being investigated by international prosecutors, which could lead to arrest warrants if enough evidence is gathered.
The probe is examining attacks on infrastructure that endangered lives by disrupting power and water supplies, cutting connections to emergency responders or knocking out mobile data services that transmit air raid warnings, one official said.
ICC prosecutors are working alongside Ukrainian teams to investigate “cyberattacks committed from the beginning of the full-scale invasion” in February 2022, said the official, who declined to be named because the probe is not finished.
Two other sources close to the ICC prosecutor’s office confirmed they were looking into cyberattacks in Ukraine and said they could go back as far as 2015, the year after Russia’s seizure and unilateral annexation of the Crimean Peninsula from Ukraine.
Moscow has previously denied that it carries out cyberattacks, and officials have cast such accusations as attempts to incite anti-Russian sentiment.
Ukraine is collecting evidence to support the ICC prosecutor’s investigation.
The ICC prosecutor’s office declined to comment on Friday, but has previously said it has jurisdiction to investigate cybercrimes. It has also said it cannot comment on matters related to ongoing investigations.
The court has issued four arrest warrants against senior Russian suspects since the beginning of the invasion. These include President Vladimir Putin, suspected of a war crime over the deportation of Ukrainian children to Russia.
Russia, which is not a member of the ICC, dismissed that decision as “null and void”. Ukraine is also not a member, but has granted the ICC jurisdiction to prosecute crimes committed on its territory.
In April, a pre-trial chamber issued arrest warrants alleging that two Russian commanders had committed crimes against humanity with strikes against civilian infrastructure. The Russian defence ministry did not respond to a request for comment at the time.
At least four major attacks on energy infrastructure are being examined, two sources with knowledge of the investigation told Reuters.
A senior source said one group of Russian hackers in the ICC’s crosshairs is known in cybersecurity research circles as “Sandworm” and is believed by Ukrainian officials and cyber experts to be linked to Russian military intelligence.
The group is suspected of a string of high-profile cyberattacks, including the successful 2015 attack on a power grid in western Ukraine – one of the first of its kind, according to cybersecurity researchers.
A group of activist hackers calling themselves “Solntsepyok” (“hot spot”) claimed responsibility for a major attack on the Ukrainian mobile telecommunications provider Kyivstar last December 12. Ukrainian security services identified that group as a front for Sandworm.
Sandworm is also believed by Kyiv to have carried out extensive cyberespionage against Western governments on behalf of Russia’s intelligence agencies.
Can a cyberattack be a war crime?
Cyberattacks that target industrial control systems, the technology that underpins much of the world’s industrial infrastructure, are rare, but Russia is one of a small club of nations that possess the means to do so, the cybersecurity researchers said.
The ICC case, which could set a precedent for international law, is being closely followed.
The body of international law covering armed conflict, enshrined in the Geneva Conventions, bans attacks on civilian objects, but there is no universally accepted definition of what constitutes a cyber war crime.
Legal scholars in 2017 drafted a handbook called the Tallinn Manual on the application of international law to cyberwarfare and cyber operations.
But experts interviewed by Reuters say it is unclear whether data itself can be considered the “object” of an attack banned under international humanitarian law, and whether its destruction, which could be devastating for civilians, can be a war crime.
“If the court takes on this issue, that would create great clarity for us,” said Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual process.
Schmitt believes that the hack of Kyivstar, owned by the Dutch company Veon, meets the criteria to be defined as a war crime.
“You always look at the foreseeable consequences of your operation. And, you know, that was a foreseeable consequence that placed human beings at risk.”
Ukraine’s intelligence agency said it had provided details of the incident to ICC investigators in The Hague. Kyivstar said it was analysing the attack in partnership with international suppliers and the SBU, Ukraine’s intelligence agency.