For weeks, evidence piles up apparent war crimes by the Russian military in the midst of its brutal invasion of Ukraine: mass graves, bombed hospitals, even makeshift torture chambers. But amid these atrocities—and the drive to bring the perpetrators to justice—one group is making the counterintuitive case that another arm of the Russian military should be included in any international prosecution of war crimes: the Kremlin’s most destructive and dangerous hackers.
In late March, a group of human rights lawyers and investigators at UC Berkeley’s Center for Human Rights sent a formal request to the Office of the Prosecutor for the International Criminal Court (ICC) in The Hague. He is urging the International Criminal Court to consider prosecuting Russian hackers for war crimes for their cyberattacks in Ukraine — even as prosecutors gather evidence of more traditional, ongoing war crimes there. Specifically, the Human Rights Center’s International Criminal Investigation Team points in its detailed briefing on Sandworm, a notorious group of hackers within Russia’s GRU military intelligence agency, and to two of Sandworm’s most blatant acts of cyberwarfare: power outages, that these hackers caused by targeting electric companies in Western Ukraine in December 2015. and in the capital Kyiv a year later, affecting hundreds of thousands of civilians.
The Berkeley group’s paper was sent under a provision of the Rome Statute treaty that gives the ICC powers allowing recommendations from non-governmental organizations. It asked the ICC prosecutor, Karim Khan, “to expand the scope of his investigation to include the cyber domain in addition to the traditional domains of military operations – land, air, sea and space – given the Russian Federation’s history of hostile cyber activities in Ukraine.” The brief acknowledges that the Sandworm charges will constitute the first “cyber war crimes” case ever brought by the ICC. But he argued that the precedent would not only help seek justice for those who suffered from the Sandworm cyberattacks, but also deter future, potentially worse cyberattacks affecting critical civilian infrastructure around the world.
“In fact, in the absence of consequences or any meaningful accountability mechanisms, state-sponsored cyberattacks have escalated in the shadows,” reads the Center for Human Rights Article 15 document submitted to the ICC and shared with WIRED. “Investigating Russia’s hostile cyber operations would shed light on tactics few civilians know how to defend against.”
Lindsay Freeman, director of technology, law and policy at the Center for Human Rights, tells WIRED that the ICC’s prosecution has responded privately to the group, saying it has received and is considering the group’s recommendations. The ICC prosecutor’s office did not respond to WIRED’s request for comment.
Freeman argued that the ICC prosecutor’s office, which is investigating ongoing war crimes in Russia’s invasion of Ukraine – along with the governments of Ukraine, Poland and Lithuania and the European law enforcement agency – must prove that its jurisdiction includes cyber attacks that violate international arms laws conflicts. “We want to make sure that they see the cyber domain as an actual domain of war, because in this case, it really is,” Freeman says. She stresses that any cyber war crimes charges must be in addition to, not in lieu of, charges for the ongoing massacres, wanton killing of civilians and mass deportations in Ukraine. But she adds that “the only way you can properly investigate and understand this conflict is by looking not only at what’s going on in the physical world, but also what’s going on in cyberspace and information space, and that’s not something that that war crimes investigators have ever paid attention to.”
Since Russia’s last major incursion into Ukraine began in 2014, Russia has targeted the country with a long-running bombardment of cyberattacks of a kind never before seen in history. The GRU Sandworm hackers themselves attempted three blackouts in the country – at least two of which succeeded; destroy the networks of media, private companies and government agencies in targeted attacks; and in 2017 released the destructive, self-propagating malware NotPetya, which infected hundreds of organizations in Ukraine and eventually many more around the world, causing a record $10 billion in damage.
With the current, larger-scale invasion of Russia launched on February 24, state-sponsored Kremlin hackers have unleashed a sweeping new campaign of destructive hacking against hundreds of Ukrainian targets, often carefully coordinated with physical military tactics. This new barrage included one cyberattack in which GRU hackers targeted Viasat satellite systems, disrupting broadband connections in Ukraine and Europe, including those at thousands of wind turbines in Germany.