Russian cyber soldiers should stand trial in Hague, says Ukraine official
As part of the wider drive to hold Russia accountable for alleged atrocities in Ukraine, the war-torn nation is also petitioning the International Criminal Court (ICC) to legally consider specific types of cyberattacks as war crimes.
“I hope for Nuremberg Two,” says Victor Zhora, Chief Digital Transformation Officer at the State Service of Special Communications and Information Protection of Ukraine. “Starting from Putin [and defense minister Sergei] Shoigu, and ending with these cybercriminals who served the Russian government and participated in these illegal, destructive cyberattacks. I hope that these evil people will be accountable for crimes they committed in Ukraine, together with all those soldiers who raped women and children, as well as killed thousands of people in Mariupol, in many other Ukrainian cities.”
The words are strong, all the stronger for being delivered calmly by Zhora over a video as I talk to him about the part his organization is playing in bringing international law in line with hybrid warfare in the 21st century.
Digital attacks may not wreak as much havoc as tanks and guns, but cutting off the internet in a town that has just been shelled can increase the harm caused by conventional or kinetic assaults.
But to arrive at a historical repeat of the Nazi war crimes trials held in Nuremberg in 1947 after the Second World War, Zhora and his associates face a long haul. Cybernews spoke with him at length about what this journey might entail.
Obviously you're gathering evidence to submit to The Hague, and I appreciate you probably can't reveal full details, but give us an overview of the case you plan on bringing and tell me how confident you are of its success.
We are not a law enforcement or intelligence agency: we are a technical regulator and have more than 95 functions, and one of those is cyber protection. I supervise the team responsible for technical investigations and that means we receive reports on incidents and initiate response and remediation. We are tracking different threat actors: we have a lot of data attributed to these, as well as evidence of each cyber incident we investigate.
We don't directly interact with the ICC or any investigative or prosecutive organizations globally: all our activities will be directed through the General Prosecutor's Office [of Ukraine].
With regards to the potential prosecution of cyberwar crimes, we started promoting this new concept at the beginning of the war – since we are having the first global cyberwar – to attract interest to this new concept. There's a huge discussion in academia and research organizations. We will try our best to supply all stakeholders with rich and exhaustive evidence of these crimes.
"We found evidence that there was a breach of networks, leakage, and the capture of certain people - putting them to torture and so on, which are crimes in themselves."Victor Zhora, digital transformation officer at the State Service of Special Communications, Ukraine
I understand that there are three broad categories of cyber war crime that you would like to see defined by ICC law: cyberattacks on infrastructure, digital targeting of individuals for capture, torture, or execution, and disinformation campaigns. Can you give me any specific examples of recent cases?
I will describe them generally without attribution to any particular case. All these types of incidents can be considered as cyberwar crimes, in our opinion. These attacks are executed in a time of war, and act as supportive attacks to military actions, to kinetic attacks, and can be used to impact our civilian infrastructure.
With regards to targeting, we found evidence that there was a breach of networks, [followed by data] leakage, and the capture of certain people – putting them to torture and so on, which are crimes in themselves. This can be enriched with our evidence of intelligence operations executed through cyberspace, used as preparation for war crimes.
Regarding disinformation, we think that in some cases they were cyberattacks which aimed to amplify the psychological effect of kinetic attacks. These happened in several regions of Ukraine, in Odessa and other regions directly after or simultaneously with missile strikes. There were some false messages sowing propaganda aimed to scare wider audiences in connection with these kinetic attacks.
And is it your hope that these three categories you've just outlined will be adopted by the ICC as laws that address each of them specifically?
We just started our discussions with academia and people who can help us align these with the legal process. We proposed this through groups of incidents to be considered. We have examples for each of these groups: resources of local authorities like websites attacked and defaced, or, for instance, ISPs to some areas shelled by missiles [that] were [cyber]attacked, leaving a lot of people without access to the internet.
If the ICC considers these cases as coordinated, as part of a single operation, these have great chances to be considered war crimes. Attacks on critical civilian infrastructure, for instance, on Ukrainian power grids, leaving millions of people without power: that is equal to leaving them without power after shelling. That's what happens almost every week in Ukraine.
There are groups of people who are willing to support us in backing this new concept to be used in prosecutions. I hope that together we'll come to an understanding, so I'm quite optimistic.
"I hope for Nuremberg Two, starting from Putin and ending with these cybercriminals who served the Russian government and participated in these illegal, destructive cyber attacks."Zhora
But even if this does come to pass, what are the chances of any of the culprits ever being brought to justice? Is this more about the principle of the thing, or are you hopeful that one day you will see people behind bars?
We are. We can compare it to cases of Sandworm or Armageddon [hacking] groups. In the first case, US officials named six GRU officers as being responsible for attacks against US and Ukrainian infrastructure. The SBU, Secret Service of Ukraine, did the same with regards to Armageddon group: former SBU officers who now serve at FSB Crimea.
We should at least do our part to name them, to bring enough proof and evidence, and then wait for an occasion when we can make these culprits accountable. I hope for Nuremberg Two, starting from Putin, Shoigu, and ending with these cybercriminals who served the Russian government and participated in these illegal, destructive cyber attacks. I hope that these evil people will be accountable for the crimes they committed in Ukraine, together with all those soldiers who raped women, children, killed thousands of people in Mariupol, and many other Ukrainian cities.
"We know at least four official organizations in Russia responsible for offensive cyber: the GRU, the FSB, the SVR, and the Ministry of Defense's scientific and research institutions. And there is competition between them."Zhora
Open-source intelligence experts have said that disinformation campaigns operate on two levels. You have the obvious state-run media, but on top of that, you have quasi-independent groups that could be buzzing under the radar: they're given some leeway by the Russian government and allowed to dissent on certain specific issues, but essentially mostly follow the Kremlin narrative. So in a way they create a sort of illusion of dissent. Do you think these types of threat actors would be particularly hard to define in law?
With regards to Russia's cyber activities, it's easy to prove that 99.9% are coordinated from different centers. We know at least four official organizations in Russia responsible for offensive cyber: the GRU, the FSB, the SVR, and the Ministry of Defense’s scientific and research institutions. And there is competition between them.
But for the vast majority of offensive operations or any cyber activities, there is an official responsible who gave the orders. Even for cybercriminal gangs engaged in these activities, hacktivists who gather in the Telegram channels, there is evidence of the presence of GRU or FSB officers in these groups. And the role of these officers is to coordinate, or identify targets, and engage more people with these groups. It's organized activity from the Russian government, spread over different organizations with different skills.
That kind of information could be beneficial in terms of proof – if you have this evidence, you can link these supposedly dissident groups back to the Kremlin…
We can link them, this is easy. Russian media, including [seemingly] independent media, are dependent or funded, or totally state-owned. I don't believe in independent Russian media, even those who seem to be independent. I don't believe in independent cyber professionals who remained in Russia.
Do you worry that there could be an escalation in terms of international diplomacy if the ICC adopts these measures? The US is talking a lot about China now, saying it's the number-one global cyber enemy – what if it starts using new laws to go after its perceived chief rival?
I think these changes will be global if they happen. But thankfully, the world still has no conflict with China – I mean war conflict. I don't think this will scale up in China’s case. Moreover, I'm not sure that China's state-associated actors are responsible for any disruptive attacks. They still focus on cyber espionage and intelligence. Of course, this can change because of certain circumstances, but it is still going in this direction.
It's definitely easier to deal with the Russian cases because they have motives that can be easily proved and confirmed. Over the last eight years, prior to the full-scale invasion, the nature of cyber operations was stealthy, covert. Now it's changed: they attack openly from Novosibirsk, Yekaterinburg, and St Petersburg. And perhaps it is because they understand they're guilty of much more severe crimes: now it's a win-or-lose situation.