Russian hackers target Ukraine in search of war crime evidence against Kremlin

Updated on: 20 November 2023

Stefanie Schappert
Senior journalist

The Kremlin has launched a new spy campaign using nation-state hackers to target Ukrainian government agencies – all in an effort to collect evidence about alleged war crimes committed by the Russian Federation against the war-torn country, a new report says.

According to Ukraine's cyber defense chief Yuriy Shchyhol, the hackers are said to be working across Russia's foreign, domestic and military intelligence agencies.

"This shift, towards the courts, prosecutors and law enforcement units, shows that hackers are gathering evidence about Russian war crimes in Ukraine," Shchyhol said.

Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), said the Ukrainian Prosecutor General's office and other departments responsible for documenting and investigating war crimes are being targeted.

Details about the digital intrusion campaign, first obtained by Reuters News Agency, are from a new SSSCIP report set to be released by the cyber defense agency Monday.

"There's been a change in direction, from a focus on energy facilities towards law enforcement institutions which had previously not been targeted that often," Shchyhol told Reuters.

Yuriy Shchyho, head of Ukraine Cyber Defense — Yuriy Shchyhol, Head of the State Service of Special Communication and Information Protection of Ukraine (SSSCIP). September 22,, 2023. Image by Lyubysh-Kirdey | Reuters

The cyber defense agency has seen a 123% increase in cybersecurity incidents in the first half of 2023, compared to the second half of 2022, the report shows.

Besides searching for war crimes evidence, the hackers were also noted to be going after information regarding Russian nationals that have been arrested in Ukraine, with the goal of helping "these individuals avoid prosecution and move them back to Russia.”

Shchyhol said the attackers have been focused on trying to infiltrate the e-mail servers of several government bodies, without naming any units citing security purposes.

"The groups we've identified as being engaged in this activity are part of Russia's GRU and FSB intelligence agencies," Shchyhol said,

Kremlin-backed hackers expand reach

Just this week, the International Criminal Court (ICC) – responsible for prosecuting war crimes and crimes against humanity worldwide – announced it had “detected anomalous activity” in its systems last Friday.

The ICC has not disclosed who is responsible or if any information was accessed during the incident, but the Hague-based institution holds numerous categories of highly sensitive documents, including war crimes evidence and the names of protected witnesses.

The ICC had issued an arrest warrant this past spring for Russian President Vladimir Putin on suspicion of illegally deporting children from Ukraine.

Last June, the Dutch intelligence agency (AIVD) said it discovered a Russian military agent trying to infiltrate the ICC using a fake Brazilian identity. Moreover, the ICC has an additional open investigation against Russia for alleged atrocities in Georgia.

The Kremlin has denied all allegations.

Since the Russian invasion last spring, including during the lead-up, the Kremlin primarily focused its cyberattacks on state offices, media and communication outlets, energy sectors, and other critical infrastructure.

Russian state-sponsored collectives, including the notorious Sandworm threat group, have relentlessly targeted Ukraine’s energy sector by deploying at least half a dozen strains of wiper malware since the conflict began.

Other past Russian hacking campaigns have been seen targeting private security cameras within Ukraine to monitor the outcome of long-range missile and drone strikes, Shchyhol said.

"We have documented several attempts to gain access to video cameras near the facilities they attacked and to systems that provide information about the stability of the energy network," he said.

Last winter, Russian intelligence carried out attacks on Ukrainian energy infrastructure causing mass power outages for millions of citizens.

Shchyhol said he expected those attacks to happen again this winter.

"You need to understand that the cyber war will not end even after Ukraine wins on the battlefield," Shchyhol said.