![](\"https:\/\/media.wired.com\/photos\/627c5334b6cfd378a30c46ca\/master\/pass\/War-Crimes-Russia-Security-GettyImages-1240594842.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Andy Greenberg| Date: Thu, 12 May 2022 11:00:00 +0000<\/strong><\/p>\n Andy Greenberg<\/a><\/span><\/span><\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n For weeks, evidence<\/span> has been piling up of the Russian military's apparent war crimes in the midst of its brutal invasion of Ukraine: mass graves, bombed hospitals, even makeshift torture chambers. But amidst those atrocities\u2014and the push to hold the perpetrators accountable\u2014one group is making the counterintuitive case that another arm of the Russian military should be included in any international war crimes charges: the Kremlin's most disruptive and dangerous hackers.<\/p>\n In late March, a group of human rights lawyers and investigators in the Human Rights Center at UC Berkeley's School of Law sent a formal request to the Office of the Prosecutor for the International Criminal Court (ICC) in the Hague. It urges the ICC to consider war crime prosecutions of Russian hackers for their cyberattacks in Ukraine\u2014even as the prosecutors gather evidence of more traditional, ongoing war crimes there. Specifically, the Human Rights Center's international criminal investigations team points in its detailed brief to Sandworm<\/a>, a notorious group of hackers within Russia's GRU military intelligence agency, and to two of Sandworm's most egregious acts of cyberwarfare: blackouts that those hackers triggered by targeting electric utilities in Western Ukraine in December 2015<\/a> and in the capital, Kyiv, a year later<\/a>, affecting hundreds of thousands of civilians.<\/p>\n \u201cAn investigation into Russia\u2019s hostile cyber operations would shine a light on tactics against which few civilians know how to protect themselves.\u201d<\/p>\n Berkeley Human Rights Center\u2019s letter to the ICC<\/p>\n The Berkeley group's document was sent under a provision of the Rome Statute treaty, which gives the ICC its authority, allowing recommendations from nongovernmental organizations. It asks the ICC's prosecutor, Karim Khan, \u201cto expand the scope of his investigation to include the cyber domain in addition to traditional domains of warfare\u2013land, air, maritime, and space\u2013given the Russian Federation\u2019s history of hostile cyber activities in Ukraine.\u201d The brief acknowledges that charges against Sandworm would represent the first case of \u201ccyber war crimes\u201d ever brought by the ICC. But it argues that precedent would help not only to seek justice for those harmed by Sandworm's cyberattacks, but also to deter future, potentially worse cyberattacks affecting critical civilian infrastructure around the world.<\/p>\n \u201cIn fact, in the absence of consequences or any mechanisms for meaningful accountability, State-sponsored cyberattacks have escalated in the shadows,\u201d reads the Human Rights Center's Article 15 document sent to the ICC and shared with WIRED. \u201cAn investigation into Russia\u2019s hostile cyber operations would shine a light on tactics against which few civilians know how to protect themselves.\u201d<\/p>\n Lindsay Freeman, the director of technology, law, and policy at the Human Rights Center, tells WIRED the ICC prosecutor's office responded privately to the group, saying it had received and is considering the group's recommendations. The ICC prosecutor's office didn't respond to WIRED's request for comment.<\/p>\n Freeman argues that the ICC prosecutor's office, which has been investigating ongoing war crimes in Russia's Ukraine invasion\u2014along with the governments of Ukraine, Poland, and Lithuania and the European law enforcement agency\u2014needs to demonstrate that its remit includes cyberattacks that violate the international laws of armed conflict. \u201cWe would like to make sure they're seeing the cyber domain as an actual domain of warfare, because in this case, it truly is,\u201d says Freeman. She emphasizes that any cyber war crime charges should be in addition to, not instead of, charges for the ongoing massacres, reckless killing of civilians, and mass deportations in Ukraine. But she adds that \u201cthe only way you can properly investigate and understand this conflict is through seeing not just what's happening in the physical world, but also what's happening in the cyber and information spaces, and this is not something war crimes investigators have ever paid attention to.\u201d<\/p>\n Since Russia's last major invasion of Ukraine began in 2014, Russia has targeted the country with a years-long bombardment of cyberattacks<\/a> of a kind never before seen in history. The GRU's Sandworm hackers alone have attempted three blackouts in the country<\/a>\u2014at least two of which succeeded; destroyed the networks of media outlets, private companies, and government agencies in targeted attacks; and in 2017 released the destructive, self-spreading NotPetya malware<\/a> that infected hundreds of organizations across Ukraine and eventually many more around the world, causing a record-breaking $10 billion in damage.<\/p>\n With the current, larger-scale invasion Russia launched on February 24, the Kremlin's state-sponsored hackers have unleashed a broad new campaign of destructive hacking against hundreds of Ukrainian targets<\/a>, often carefully coordinated with physical military tactics. That new barrage included one cyberattack in which GRU hackers targeted Viasat satellite systems<\/a>, knocking out broadband connections across Ukraine and Europe<\/a>, including those of thousands of wind turbines in Germany.<\/p>\n Freeman says that the UC Berkeley Human Rights Center's recommendations for war crime charges, which was sent to the ICC before some of the most recent cyberattacks fully came to light, single out Sandworm's two blackout attacks in 2015 and 2016 for legal and practical reasons: They've already been thoroughly investigated and pinned on Sandworm's hackers through both private sector and government detective work. Six of the group's hackers were indicted by the US Department of Justice in October 2020<\/a> with a long rap sheet that includes those blackouts. The cyberattacks occurred in the early years of Russia's war in Ukraine, during active fighting in the eastern region of the country, which makes it easier to argue they occurred in the context of a military conflict and thus constitute a war crime. They have a clear civilian target, given that no military operations were occurring in Western Ukraine or Kyiv at the times of the blackouts there. And perhaps most importantly, they had a clear and direct physical result, which makes for a simpler case that they were equivalent to the sort of physical attacks that war crimes tribunals have charged in the past.<\/p>\n \u201cIf you're going to do this, now is the time.\u201d<\/p>\n John Hultquist, VP of intelligence analysis at Mandiant\u00a0<\/p>\n On top of all of that, Freeman points to the seriousness of Sandworm's attacks on civilian power grids. In the 2016 incident in Kyiv in particular, the hackers used a piece of malware known as Industroyer or Crash Override to automatically trigger that power outage. Although that blackout in Ukraine's capital lasted only about an hour, a 2019 analysis of the attack<\/a> found that a component of the malware intended to disable safety systems was designed to cause physical destruction of electrical equipment, and only failed due to a misconfiguration in the malware. \u201cA cyber weapon that is able to interact with an actual electrical system or an industrial control system and result in kinetic harm is extremely dangerous,\u201d says Freeman. \u201cThe power grid attacks are the ones that really cross the line where it's clear we should just say, \u2018No state should be attacking critical infrastructure for civilians.\u2019\u201d<\/p>\n If war crimes charges could serve as a punitive measure capable of deterring that sort of critical infrastructure cyberattack, it makes sense to bring them against a group like Sandworm now, says John Hultquist, who leads threat intelligence at cybersecurity firm Mandiant and has tracked Sandworm for the better part of a decade, even naming the group in 2014. The Biden administration has repeatedly warned that Western sanctions against Russia may lead the country to lash out with cyberattacks against targets in the United States or Europe<\/a>. \u201cWe need to be doing everything we can right now to prepare for Sandworm or deter them,\u201d says Hultquist. \u201cIf you're going to do this, now is the time.\u201d<\/p>\n On the other hand, Hultquist, a combat veteran who served in Afghanistan and Iraq, also wonders whether cyber war crimes should be a priority given Russia's ongoing physical war crimes in Ukraine. \u201cThere's a stark difference between cyberattacks and attacks on the physical ground right now,\u201d he says. \u201cYou simply cannot achieve the same effects with cyberattacks that you can when you're bombing things and tanks are rolling down streets.\u201d<\/p>\n Berkeley's Freeman agrees that any ICC charges against Sandworm for cyber war crimes shouldn't detract or distract from its investigation of traditional war crimes in Ukraine. But those ongoing, on-the-ground war crime investigations are likely to take years to bear fruit, she says; the investigation and prosecution of war crimes in Yugoslavia's 1990s conflict, for instance, took decades. Freeman argues that prosecuting Sandworm for Russia's 2015 and 2016 cyberattacks, by contrast, would be \u201clow-hanging fruit,\u201d given the evidence already assembled by security researchers and Western governments of the group's culpability. That means it could offer immediate results while other Russian war crimes investigations continue. \u201cA lot of what you need to try this case is there,\u201d says Freeman. \u201cYou could bring this case to get some<\/em> justice, as a first step, while other investigations are ongoing.\u201d<\/p>\n