Evidence of Russian Cyber Operations Could Bolster New ICC Arrest Warrants
Published by The Lawfare Institute
Last March, the International Criminal Court (ICC) issued arrest warrants for Russian President Vladimir Putin and Maria Lvova-Belova for the deportation and unlawful transfer of Ukrainian children. Last week, nearly a year later, the court issued two more arrest warrants resulting from the Office of the Prosecutor’s investigation into the “situation in Ukraine.” Both warrants concern Russian attacks against Ukraine’s power plants and substations that occurred between October 2022 and March 2023, in the depth of winter. The decision to prioritize crimes against civilian objects over atrocities like the torture and killing of civilians in Bucha and Mariupol is notable, as it recognizes the direct, grave, and lasting harm caused to the civilian population by the destruction of critical energy infrastructure.
The charges alleged against Sergei Ivanovich Kobylash, a lieutenant general in the Russian Armed Forces, and Viktor Nikolayevich Sokolov, an admiral in the Russian Navy, include three crimes under the Rome Statute: (a) the war crime of directing attacks at civilian objects, (b) the war crime of causing excessive incidental harm to civilians or damage to civilian objects, and (c) the crime against humanity of inhumane acts. The war crime of directing attacks against civilian objects has been traditionally hard to prove, since it requires evidence of the perpetrator’s knowledge and intent, which often must be inferred from actions in the midst of battle. The destruction of civilian objects alone is insufficient to make such an inference, since suspects can always proffer the defense that the damaged structure was not the intended target. However, as cyber operations are increasingly used to enable military actions, new forms of digital data could provide valuable insights into the state of mind behind such targeting.
While the ICC’s press release specifies that the suspects are responsible for missile strikes carried out by the forces under Kobylash and Sokolov’s command, this characterization does not preclude the prosecutor from introducing evidence of other types of attacks on the electric grid, such as cyberattacks that were carried out by other parts of the Russian military in coordination with this missile campaign. In light of the prosecutor’s recent pronouncement that his office will investigate cyber-enabled international crimes under the Rome Statute, these cases might offer the first opportunity for submitting evidence of military cyber operations in an ICC trial. In fact, evidence of Russia’s cyberattacks on Ukraine’s power infrastructure could provide important context and help the prosecutor establish elements of the charged crimes, specifically the intent to target civilian objects. Moreover, evidence of Russian cyber operations could demonstrate that the missile attacks on power plants were not isolated or random incidents, but were part of a broader military policy—one of the elements that must be established for the charge of a crime against humanity.
For over a decade, Russia has employed hybrid tactics in its aggression against Ukraine, combining cyber and information operations with traditional kinetic force, and directing both types of attacks toward civilian infrastructure. As Russia expert Gavin Wilde explains:
This strategy is consistent with Moscow’s long-standing views about information’s supposed coercive potential. For instance, current members of the Russian General Staff have long claimed that cyber and information warfare must be designed not only to neutralize enemy military networks, but also to degrade the adversary’s morale, cultural values, and very way of life.
In addition to its well-articulated policy to degrade political and popular will through military and nonmilitary methods, Russian practice over the years strongly suggests that civilian objects have been intentional, direct targets and not simply collateral damage. Since Russia’s initial occupation of Crimea in 2014, over which the ICC has been granted jurisdiction, the Russian military has deployed significant cyber capabilities against Ukraine, executing several effects-based cyber operations on the energy grid that could amount to war crimes. Two meaningful incidents occurred before Russia’s full-scale invasion of Ukraine in February 2022.
First, on Dec. 23, 2015, a group within Russian military intelligence, GRU Unit 74455 (more colloquially known as Sandworm), disrupted power distribution to a regional electric grid servicing customers in the Ivano-Frankivsk Oblast of western Ukraine. The power outage lasted for several hours, depriving almost a quarter million civilians of heat and other essential services in the middle of winter with near-freezing temperatures. At the time of the attack, the power grid was civilian in its nature, function, and purpose, and was located far from the frontlines in eastern Ukraine with no military objectives in the vicinity. The attack involved at least six months of reconnaissance by the perpetrators and infiltration of multiple civilian networks. The malware used in the attack, which was coded to target specific Ukrainian industrial control systems, and the specific techniques employed, such as spear-phishing emails tailored to power plant staff, reveal the perpetrators’ knowledge of the civilian nature of the object and clear intent to target it. This level of planning and preparation proves that the attack was not a mistake or miscalculation.
Nearly a year later, on Dec. 17, 2016, the same perpetrators disrupted power distribution to an electrical substation operated by the energy company Ukrenergo, causing power loss to residential areas across Kyiv and surrounding neighborhoods. The power grid serviced more than 3 million customers, who were left without electricity and heating in the middle of winter. The perpetrators infiltrated the substation, gained access to the industrial control system, and directed malware later dubbed “Industroyer” toward the industrial hardware. The sophisticated and custom-built Industroyer disrupted the supply of electricity to Kyiv until it was manually restored a short while later. However, according to the cybersecurity firm Dragos, “by timing a transmission outage with both a loss of control and loss of view attack and disabling protective relays on impacted circuits,” the attack aimed for a far more significant and enduring effect, which would have lasted days instead of hours if operators had not been able to manually override the system. As with the earlier attack, the perpetrators gained unauthorized access, spending several months conducting reconnaissance, gathering information, and exfiltrating data—and thus leaving no confusion around the fact that the intended target was a civilian object.
Leading up to the launch of the full-scale invasion on Feb. 24, 2022, Russian cyber actors were active and aggressive with operations against a broad array of government and military targets. However, as revealed in a report by Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), the main goal of Russian hackers changed after the beginning of the war. Over the course of the conflict, Russian cyberattacks were directed less toward military targets and more toward civilian utilities. While cyberattacks were initially directed at “communications that were supposed to limit the functionality of the military and the authorities in Ukraine,” after Russia’s early failures on the front, the Russian military “concentrated on inflicting maximum damage on the civilian population.” Attacks on energy infrastructure serve as a concrete example of the Russian military’s shift in strategy to target and punish the civilian population.
In April 2022, GRU Unit 74455 deployed a new version of Industroyer to attack the Ukrainian energy company Vinnytsia Oblenergo in west-central Ukraine. Luckily, the malware was identified before the preconfigured time, enabling the Computer Emergency Response Team of Ukraine (CERT-UA) to thwart parts of the attack and mitigate the damage. While the precise extent of the damage is unknown, Ukrainian officials confirmed that the attack managed to disrupt services to some of the company’s 770,000 customers and estimated that up to 2 million people could have been left without electricity if the attack had not been mitigated. The method and means of the attack reflect the perpetrators’ intent to target the Vinnytsia power grid. Researchers at Mandiant observed that the “detailed nature” of the perpetrators’ targeting likely required “reconnaissance” as well as “a robust understanding of the protocol and knowledge of the victim environment.” The SSSCIP later reported on the attack, stating that it was “well thought out both in terms of time and in terms of objects. After all, it was during the cooling period that the first massive attacks on the energy infrastructure took place in order to put additional pressure on the civilian population, which adapts to inconveniences much worse than the military.”
Following Ukraine’s counteroffensives in fall 2022, Russia launched a new campaign against Ukrainian civilian infrastructure, opening with a barrage of missiles on Oct. 10, 2022. This campaign appears to be the focus of the ICC’s newly issued arrest warrants. These missile strikes were accompanied by cyberattacks on the energy sector. According to a Microsoft report, the perpetrators deployed the CaddyWiper and FoxBlade wipers “to destroy data from networks of organizations involved in power generation.” In October and November, as temperatures in Ukraine dropped, Russia’s destructive cyberattacks against Ukrainian critical networks spiked, intensifying its campaign of large-scale missile strikes on energy infrastructure. On Nov. 24, 2022, Russian missile strikes hit Ukraine’s energy facilities while cyberattacks were deployed to “cause a maximum Blackout,” according to the Security Service of Ukraine (SBU). After this period of sustained cyber and kinetic attacks against power stations, the SBU released another report detailing how cyberattacks coordinated with conventional attacks are consistent with Russia’s overall military strategy.
If these new suspects are arrested, they might argue that the civilian objects were not the targets of the attack but, rather, collateral damage. However, with the introduction of evidence of Russian military doctrine articulating its use of hybrid cyber and kinetic attacks on civilian infrastructure to degrade political will and demoralize the population and its well-documented practice of doing just that, this defense is likely to fail.
The selection of these cases and charges indicates that the ICC prosecutor believes that the harm to civilians caused by the destruction of energy infrastructure is sufficiently grave and that the targeting of energy infrastructure is not random but, rather, part of a broader policy that is emblematic of Russian military tactics in this conflict. Importantly, the prosecutor’s office already has strong evidence to support these charges. While we do not know what evidence has been submitted to support the warrants, Russia’s well-documented history of targeting civilian populations through cyber means to degrade morale will unquestionably strengthen the prosecutor’s case.