Sandworm Under the Gun for War Crimes

10513781884?profile=RESIZE_400xThere is serious legal reasoning that cyber-attacks against a nation’s critical infrastructure could be reasoned as a war crime.[1]  The University of California (UC), Berkeley Human Rights Center’s recent recommendations for war crime charges against the Sandworm hacking group, which was sent to the International Crimes Commission (ICC) before some of the most recent cyberattacks fully came to light, single out Sandworm’s two blackout attacks in 2015 and 2016 for legal and practical reasons: Sandworm has already been thoroughly investigated through both private sector and government detective work and six (6) of the group’s hackers were indicted by the US Department of Justice in October 2020 with a long charge sheet that includes those blackouts.  

The cyberattacks occurred in the early years of Russia’s war in Ukraine, during active fighting in the eastern region of the country, which makes it easier to argue they occurred in the context of a military conflict and thus constitute a war crime.  The Russian hacking group had a clear civilian target, given that no military operations were occurring in Western Ukraine or Kyiv at the time of the Ukraine blackouts.  More important is the hackers had a clear and direct destructive physical result, which makes for a simpler case that they were equivalent to the sort of physical attacks that war crimes tribunals have charged in the past.

Legal experts point to the seriousness of Sandworm attacks on civilian power grids.  In the 2016 incident in Kyiv in particular, the hackers used a piece of malware known as Industroyer or Crash Override to automatically trigger those power outages.  Although that blackout in Ukraine’s capital lasted only about an hour, a 2019 analysis of the attack found that a component of the malware intended to disable safety systems and was designed to cause physical destruction of electrical equipment, and only failed due to a misconfiguration in the malware.  “A cyberweapon that is able to interact with an actual electrical system or an industrial control system and result in kinetic harm is extremely dangerous,” says UC.  “The power grid attacks are the ones that really cross the line where it’s clear we should just say, ‘No state should be attacking critical infrastructure for civilians.’ ”

If war crimes charges could serve as a punitive measure capable of deterring that sort of critical infrastructure cyberattack, it makes sense to bring them against a group like Sandworm now, says a leading cybersecurity firm Mandiant which helped track Sandworm for close to a decade, even naming the group in 2014.  The current US administration has repeatedly warned that Western sanctions against Russia may lead the country to lash out with cyberattacks against targets in the US or Europe. “We need to be doing everything we can right now to prepare for Sandworm or deter them,” says Mandiant.  “If you’re going to do this, now is the time.”

Others contemplate whether cyberwar crimes should be a priority given Russia’s ongoing physical war crimes in Ukraine. “There’s a stark difference between cyberattacks and attacks on the physical ground right now,” researchers say.  “You simply cannot achieve the same effects with cyberattacks that you can when you’re bombing things and tanks are rolling down streets.”

UC agrees that any ICC charges against Sandworm for cyberwar crimes should not detract or distract from its investigation of traditional war crimes in Ukraine.  But those ongoing, on-the-ground war crime investigations are likely to take years to bear fruit, they say; the investigation and prosecution of war crimes in Yugoslavia’s 1990s conflict, as an example, took decades.  UC argues that prosecuting Sandworm for Russia’s 2015 and 2016 cyberattacks, by contrast, would be “low-hanging fruit,” given the evidence already assembled by security researchers and Western governments of the group’s culpability.  That means it could offer immediate results while other Russian war crimes investigations continue. “A lot of what you need to try in this case is there,” says UC.  “You could bring this case to get some justice, as a first step, while other investigations are ongoing.  Sandworm is continually active, and continually executing serious attacks with impunity.”

Sandworm’s hacking group is already facing criminal charges in the US.  And last month, the US State Department has now issued a bounty of up to $10 million for information that could lead to the capture of the six hackers.  Legal experts argue that the gravity of convicting the Sandworm hackers as war criminals would have a larger deterrent effect, and might help lead to their arrest, as well.  One hundred and twenty-three (123) countries are parties to the ‘Rome Statute’ and are obliged to help capture convicted war criminals, including some countries that do not have extradition treaties with the US, such as Switzerland and Ecuador, which might otherwise serve as safe havens for the hackers.[2]

If ICC prosecutors did bring war crimes charges against Sandworm for its blackout attacks, the case would have to clear certain legal hurdles, says the director of the Strauss Center for International Security and Law at the University of Texas Law School.  They would have to convince the court that the attacks occurred in the context of war, for instance, and that the power grid was not a military target, or that the attacks disproportionately affected civilians, UT says.  But the more fundamental idea of extending the international laws of war to cover cyberattacks with physical effects, while unprecedented in ICC cases, is an easy argument to make, they say.  “All you have to do is ask, ‘What if the Russians had set up bombs at the relevant electrical substations to achieve the same effect? Is that a war crime?’ That’s the exact same sort of question,” says the director.  He compares the new “cyber domain” of warfare to other kinds of warfare like aerial and submarine warfare, which were once new modes of war but no less subject to international law.  “For all these new operational domains, extending the existing law-of-war concepts of proportionality and distinctions to them is a no-brainer.”

But the cyber domain is nonetheless different.  It has no borders, and it allows attackers to instantly reach across the world, regardless of distance.  And that makes holding Russia’s most dangerous hackers accountable all the more urgent.  “Sandworm is continually active, and continually executing serious attacks with impunity,” UC says. “The risk it presents is incredibly serious, and it puts the entire world at the front lines of this conflict.”

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that wishes to share cyber security views from across the Globe.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!