The Case for War Crimes Charges Against Russia’s Sandworm Hackers

Credit to Author: Andy Greenberg| Date: Thu, 12 May 2022 11:00:00 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

For weeks, evidence has been piling up of the Russian military's apparent war crimes in the midst of its brutal invasion of Ukraine: mass graves, bombed hospitals, even makeshift torture chambers. But amidst those atrocities—and the push to hold the perpetrators accountable—one group is making the counterintuitive case that another arm of the Russian military should be included in any international war crimes charges: the Kremlin's most disruptive and dangerous hackers.

In late March, a group of human rights lawyers and investigators in the Human Rights Center at UC Berkeley's School of Law sent a formal request to the Office of the Prosecutor for the International Criminal Court (ICC) in the Hague. It urges the ICC to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine—even as the prosecutors gather evidence of more traditional, ongoing war crimes there. Specifically, the Human Rights Center's international criminal investigations team points in its detailed brief to Sandworm, a notorious group of hackers within Russia's GRU military intelligence agency, and to two of Sandworm's most egregious acts of cyberwarfare: blackouts that those hackers triggered by targeting electric utilities in Western Ukraine in December 2015 and in the capital, Kyiv, a year later, affecting hundreds of thousands of civilians.

“An investigation into Russia’s hostile cyber operations would shine a light on tactics against which few civilians know how to protect themselves.”

Berkeley Human Rights Center’s letter to the ICC

The Berkeley group's document was sent under a provision of the Rome Statute treaty, which gives the ICC its authority, allowing recommendations from nongovernmental organizations. It asks the ICC's prosecutor, Karim Khan, “to expand the scope of his investigation to include the cyber domain in addition to traditional domains of warfare–land, air, maritime, and space–given the Russian Federation’s history of hostile cyber activities in Ukraine.” The brief acknowledges that charges against Sandworm would represent the first case of “cyber war crimes” ever brought by the ICC. But it argues that precedent would help not only to seek justice for those harmed by Sandworm's cyberattacks, but also to deter future, potentially worse cyberattacks affecting critical civilian infrastructure around the world.

“In fact, in the absence of consequences or any mechanisms for meaningful accountability, State-sponsored cyberattacks have escalated in the shadows,” reads the Human Rights Center's Article 15 document sent to the ICC and shared with WIRED. “An investigation into Russia’s hostile cyber operations would shine a light on tactics against which few civilians know how to protect themselves.”

Lindsay Freeman, the director of technology, law, and policy at the Human Rights Center, tells WIRED the ICC prosecutor's office responded privately to the group, saying it had received and is considering the group's recommendations. The ICC prosecutor's office didn't respond to WIRED's request for comment.

Freeman argues that the ICC prosecutor's office, which has been investigating ongoing war crimes in Russia's Ukraine invasion—along with the governments of Ukraine, Poland, and Lithuania and the European law enforcement agency—needs to demonstrate that its remit includes cyberattacks that violate the international laws of armed conflict. “We would like to make sure they're seeing the cyber domain as an actual domain of warfare, because in this case, it truly is,” says Freeman. She emphasizes that any cyber war crime charges should be in addition to, not instead of, charges for the ongoing massacres, reckless killing of civilians, and mass deportations in Ukraine. But she adds that “the only way you can properly investigate and understand this conflict is through seeing not just what's happening in the physical world, but also what's happening in the cyber and information spaces, and this is not something war crimes investigators have ever paid attention to.”

Since Russia's last major invasion of Ukraine began in 2014, Russia has targeted the country with a years-long bombardment of cyberattacks of a kind never before seen in history. The GRU's Sandworm hackers alone have attempted three blackouts in the country—at least two of which succeeded; destroyed the networks of media outlets, private companies, and government agencies in targeted attacks; and in 2017 released the destructive, self-spreading NotPetya malware that infected hundreds of organizations across Ukraine and eventually many more around the world, causing a record-breaking $10 billion in damage.

With the current, larger-scale invasion Russia launched on February 24, the Kremlin's state-sponsored hackers have unleashed a broad new campaign of destructive hacking against hundreds of Ukrainian targets, often carefully coordinated with physical military tactics. That new barrage included one cyberattack in which GRU hackers targeted Viasat satellite systems, knocking out broadband connections across Ukraine and Europe, including those of thousands of wind turbines in Germany.

Freeman says that the UC Berkeley Human Rights Center's recommendations for war crime charges, which was sent to the ICC before some of the most recent cyberattacks fully came to light, single out Sandworm's two blackout attacks in 2015 and 2016 for legal and practical reasons: They've already been thoroughly investigated and pinned on Sandworm's hackers through both private sector and government detective work. Six of the group's hackers were indicted by the US Department of Justice in October 2020 with a long rap sheet that includes those blackouts. The cyberattacks occurred in the early years of Russia's war in Ukraine, during active fighting in the eastern region of the country, which makes it easier to argue they occurred in the context of a military conflict and thus constitute a war crime. They have a clear civilian target, given that no military operations were occurring in Western Ukraine or Kyiv at the times of the blackouts there. And perhaps most importantly, they had a clear and direct physical result, which makes for a simpler case that they were equivalent to the sort of physical attacks that war crimes tribunals have charged in the past.

“If you're going to do this, now is the time.”

John Hultquist, VP of intelligence analysis at Mandiant 

On top of all of that, Freeman points to the seriousness of Sandworm's attacks on civilian power grids. In the 2016 incident in Kyiv in particular, the hackers used a piece of malware known as Industroyer or Crash Override to automatically trigger that power outage. Although that blackout in Ukraine's capital lasted only about an hour, a 2019 analysis of the attack found that a component of the malware intended to disable safety systems was designed to cause physical destruction of electrical equipment, and only failed due to a misconfiguration in the malware. “A cyber weapon that is able to interact with an actual electrical system or an industrial control system and result in kinetic harm is extremely dangerous,” says Freeman. “The power grid attacks are the ones that really cross the line where it's clear we should just say, ‘No state should be attacking critical infrastructure for civilians.’”

If war crimes charges could serve as a punitive measure capable of deterring that sort of critical infrastructure cyberattack, it makes sense to bring them against a group like Sandworm now, says John Hultquist, who leads threat intelligence at cybersecurity firm Mandiant and has tracked Sandworm for the better part of a decade, even naming the group in 2014. The Biden administration has repeatedly warned that Western sanctions against Russia may lead the country to lash out with cyberattacks against targets in the United States or Europe. “We need to be doing everything we can right now to prepare for Sandworm or deter them,” says Hultquist. “If you're going to do this, now is the time.”

On the other hand, Hultquist, a combat veteran who served in Afghanistan and Iraq, also wonders whether cyber war crimes should be a priority given Russia's ongoing physical war crimes in Ukraine. “There's a stark difference between cyberattacks and attacks on the physical ground right now,” he says. “You simply cannot achieve the same effects with cyberattacks that you can when you're bombing things and tanks are rolling down streets.”

Berkeley's Freeman agrees that any ICC charges against Sandworm for cyber war crimes shouldn't detract or distract from its investigation of traditional war crimes in Ukraine. But those ongoing, on-the-ground war crime investigations are likely to take years to bear fruit, she says; the investigation and prosecution of war crimes in Yugoslavia's 1990s conflict, for instance, took decades. Freeman argues that prosecuting Sandworm for Russia's 2015 and 2016 cyberattacks, by contrast, would be “low-hanging fruit,” given the evidence already assembled by security researchers and Western governments of the group's culpability. That means it could offer immediate results while other Russian war crimes investigations continue. “A lot of what you need to try this case is there,” says Freeman. “You could bring this case to get some justice, as a first step, while other investigations are ongoing.”

Sandworm's hackers already face criminal charges in the US. And last month, the State Department went so far as to issue a bounty of up to $10 million for information that could lead to the capture of the six hackers. But Freeman argues that the gravity of convicting the hackers as war criminals would have a larger deterrent effect, and might help actually lead to their arrest, as well. She points out that 123 countries are parties to the Rome Statute and obliged to help capture convicted war criminals—including some countries that don't have extradition treaties with the United States, such as Switzerland, Ecuador, and Cuba, which might otherwise serve as safe havens for the hackers.

“Sandworm is continually active, and continually executing serious attacks with impunity.”

Lindsay Freeman, director of technology, law, and policy at the Human Rights Center, UC Berkeley School of Law

If ICC prosecutors did bring war crimes charges against Sandworm for its blackout attacks, the case would have to clear certain legal hurdles, says Bobby Chesney, director of the Strauss Center for International Security and Law at the University of Texas Law School. They'd have to convince the court that the attacks occurred in the context of war, for instance, and that the power grid wasn't a military target, or that the attacks disproportionately affected civilians, he says.

But the more fundamental idea of extending the international laws of war to cover cyberattacks with physical effects—while unprecedented in ICC cases—is an easy argument to make, he says.

“All you have to do is ask, ‘What if the Russians had set up bombs at the relevant electrical substations to achieve the same effect? Is that a war crime?’ That's the exact same sort of question,” says Chesney. He compares the new “cyber domain” of warfare to other kinds of warfare like aerial and submarine warfare, which were once new modes of war but no less subject to international law. “For all these new operational domains, extending the existing law-of-war concepts of proportionality and distinctions to them is a no-brainer.”

But the cyber domain is nonetheless different, says Freeman: It has no borders, and it allows attackers to instantly reach across the world, regardless of distance. And that makes holding Russia's most dangerous hackers accountable all the more urgent. “Sandworm is continually active, and continually executing serious attacks with impunity,” she says. “The risk it presents is incredibly serious, and it puts the entire world at the front lines of this conflict.”

https://www.wired.com/category/security/feed/