Menu
Menu
A new publicly available resource, the ‘Cyber Attacks in Times of Conflict Platform #Ukraine’, provides insights on how cyber attacks and operations, since the invasion of Ukraine by forces of the Russian Federation and the ongoing conflict, impact civilians.
Last updated on June 8, 2022
Against the backdrop of the military invasion of Ukraine, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects.
In recent weeks there has been a significant escalation in the number of reported cyberattacks against Ukrainian institutions, organizations, including humanitarian NGOs, and the wider population. Ukraine is no stranger to being on the receiving-end of cyberattacks and the timeline below tracks the most significant incidents to date.
The tracking of cyberattacks and incidents as they become public is important in order to record these attacks and identify – where possible – the harm and risks for civilian populations. Cyberattacks affect people and risk lives. In the future, it will be important to use the information on cyberattacks to identify developments or clarifications of the law in relation to the use of cyber operations in armed conflicts, and for accountability including in any future judicial proceedings.
The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population. NGOs responding to the humanitarian needs of the population in Ukraine and neighboring countries are targeted by cyberattacks in order to disrupt their activities.
Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the eventual displacement of people.
The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations.
Frequently Asked Questions on the laws of armed conflict with a focus on cyber.
The CyberPeace Institute’s mission is to reduce the scale and frequency of cyberattacks against vulnerable communities, provide assistance and advocate for respect of laws and norms. Thus, documenting cyberattacks is important to understand the harm caused to people. The CyberPeace Builders program is a trustworthy volunteer network designed to help humanitarian NGOs strengthen their cybersecurity.
Factsheet on Ukraine conflict and the work of the CyberPeace Institute.
Crucial to the work of the Institute are open source research by our small team of experts. Can you support the Institute’s data collection?
The CyberPeace Institute has concentrated its data collection efforts on the harm caused by cyberattacks and operations in Ukraine and calls upon all actors to spare civilians and infrastructure which are ensuring the delivery of essential services.
To better understand the harm and impact of cyber incidents and who is responsible, directly or indirectly, we collect publicly available information (see Data Sources section below). We carefully select the scope of cyber incidents collected and the indicators required for future analysis. In this section we shed light on our data collection criteria.
Types of Cyberattacks
Based on the Institute’s definition of cyberattacks we collect any attack conducted by a threat actor using a computer network or system with the intention to disrupt, disable, destroy, control, manipulate, or surveil a computing environment/infrastructure and/or data.
To date we have documented the following types of cyberattacks defined in the Institute’s Glossary: malware (including wiper malware), distributed denial of service (DDoS), malspam, disinformation campaigns, phishing campaigns and website defacements.
Categories of Targets and Victims
We concentrate data collection on cyberattacks targeting and / or impacting civilians, civilian objects and infrastructure which are ensuring the delivery of essential services in Ukraine. As far as it is possible to differentiate these from civilian objects, we do not collect cyber incidents on military objects. In relation to the international armed conflict in Ukraine, we have used the following definitions in line with the rules of International Humanitarian Law (IHL):
Societal Harm
Analyzing the harm and impact of cyberattacks is at the heart of the Institute’s work. We are in the process of developing indicators and a methodology to document and measure the harm and impact of cyberattacks on people, organizations and society. As a first step, we collect information on the harm and impact of cyberattacks as they are reported by the source of the information. Insofar as it is possible we document quantitative data such as the duration of a given impact or the number of individuals affected.
Listed below are core categories of harm / impact we document when the information is available: geographical, operational, temporal, communication, informational / data, financial, societal, psychological, digital, physical (on people such as injury / death) and re-victimization.
Attribution
The Institute does not conduct its own attribution of incidents but documents the attribution efforts of others. The challenges and complexity in the attribution of cyberattacks can be summarized by a three-tiered approach to categorizing the attribution of a cyberattack to an actor or actors: technical, political and legal attribution.
When recording the attribution of incidents we do so in the following format:
Type of threat actor (and their national allegiance if relevant) – Threat Actor Name*
[Type attribution by Attributing Entity with a link to the source]
* any indication of uncertainty relating to the attribution
For example:
Belarus APT Group – GHOSTWRITER / UNC1151*
[Technical Attribution by Proofpoint]
* attribution is tentative
Data Sources
For the purpose of this timeline, the Institute collects publicly available (open source) information on cyberattacks through the monitoring of:
Every identified incident, and the associated content, is reviewed by at least two internal analysts and, wherever possible, the incident is linked to at least two separate sources of information. We continuously scan for information on previous incidents to update the timeline on societal harm and attribution which is often reported significantly after the actual incident.
The Institute is looking to expand its data collection stream and to integrate closed sources in order to gain a more comprehensive understanding of the threats and harms posed by cyberattacks related to the conflict in Ukraine. More specifically we seek to learn about or from humanitarian non-governmental organizations targeted by cyberattacks in order to understand the impact on operations and responses to the civilian population and other protected persons.
If you are interested in contributing to this project please reach out to us at [email protected] .
Firstly, it is important to recognize the extreme suffering of the civilian population in Ukraine who are subject to military attack. The consequences for people are devastating as they have to make the choice to stay and risk their lives as the hostilities increasingly affect civilian areas, or flee the fighting for an uncertain future of displacement and separation from family members, their homes and livelihoods.
Ukraine is currently subject to attacks from traditional weapons as well as cyberattacks and operations.
Through the Ukraine: Timeline of Cyberattacks, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects. This is important in order to identify harm and risks to civilian populations.
In recent weeks there has been a significant escalation in the number of reported cyberattacks against Ukrainian institutions, organizations and the wider civilian population. It is important to document such attacks as they pose real threats to people, critical infrastructure and the functioning of society.
The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water and sanitation facilities, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population.
Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the displacement of people.
Collecting information about cyberattacks and operations is important to call for people to be spared from attack, to recall the applicable legal obligations that parties to conflict must adhere to, e.g. the rules of international humanitarian law, and to document the harm to people. In the future, it will be important to use the information to call for important developments or clarifications in relation to the use of cyber operations in armed conflicts, and for accountability.
Cyberattacks and operations have important risks beyond the actual conflict in Ukraine due to the interconnectedness of cyberspace. Because of the indiscriminate nature of cyberattacks, a cyberattack in Ukraine could affect other countries, for example, the use of malware which can spread to other countries. It is also highly likely that cyberattacks may originate from individuals or groups that are not direct parties to the hostilities – currently Ukraine and the Russian Federation. Such attacks may be considered as direct participation in the hostilities, and thus subject to the rules of international humanitarian law.
As we can all see from the media reporting from Ukraine, the main harm for the civilian population is coming from the hostilities using more traditional military weapons. However, there has been an escalation of cyberattacks in recent days.
Cyberattacks have taken the form of attacks which aim to disrupt institutions, digital infrastructure, and to limit access to information and/or spread disinformation.
Recent history has shown that cyberattacks have harmed Ukraine’s civilian population and critical infrastructure.
Civilians, civilian objects and infrastructure ensuring the delivery of essential services must be spared from attack. The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population. Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. On their own, and/or combined with kinetic attacks, cyberattacks can also be highly disruptive and create a sense of fear and uncertainty and accelerate violence and/or the displacement of people.
Some states have developed offensive cyber capabilities, and thus cyber operations are a reality of armed conflicts today. Like any other weapon used in armed conflict, the use of cyber tools is subject to restrictions. International Humanitarian Law (IHL) applies to cyber operations during armed conflicts.
International Humanitarian Law has been formulated in a way it applies to all forms of warfare and to all kinds of weapons. The basic rules are clear and apply to any weapons, including cyber operations, in armed conflict: targeting civilians and civilian objects is forbidden, indiscriminate weapons and attacks must not be used, attacks which are disproportionate (i.e. expected to cause excessive harm) are prohibited, medical services must be respected and protected. This law aims to save lives and reduce suffering.
To give an example, this means that a party to an armed conflict is prohibited from using a missile or other weapon to attack a hospital, and it is prohibited from cyberattacks against a hospital e.g. to destroy its computers, disable medical equipment and networks, destroy or steal data, etc.
We are seeing that cyber operations are a reality of armed conflicts today, as States have offensive cyber capabilities. In the aftermath of Russia’s recent invasion of the territory of Ukraine, Ukraine’s Minister of Digital Transformation announced the creation of a government-led volunteer cyber army.
International humanitarian law makes a clear distinction between civilians and military armed forces and provides modalities on what it means for a person to participate directly or indirectly in an armed conflict.
According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.”
The CyberPeace Institute calls upon all actors to spare civilians, civilian objects and infrastructure which are ensuring the delivery of essential services in line with commitments, norms and international humanitarian law.
Parties to the armed conflict in Ukraine have a responsibility under international humanitarian law to respect the civilian population and other protected persons, civilian objects and infrastructure essential to survival. (This means parties to the armed conflict must respect the four Geneva Conventions of 1949 and the first Additional Protocol of 1977.)
The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) must be respected. These principles also have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations.
In addition, the CyberPeace Institute is calling for restraint in the use of cyber, as well as in other attacks.
During armed conflict harm to civilians, during military cyber operations, must be avoided. With the use of cyber, the challenge is that because of the interconnected nature of infrastructure, the inherently dual nature of infrastructure, and the difficulty to assess the impact (and unintended consequences of attacks using cyber tools) it is extremely difficult to assess potential harm to civilians and hence to do the calculation as to whether the harm caused to civilians is proportionate or excessive to the military objective.
Support the CyberPeace Institute
Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.
Subscribe to our newsletter
Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.
Keep up to date with the latest at the CyberPeace Institute
The CyberPeace Institute’s staff and experts generate their own work and ideas consistent with the Institute’s mission. The Institute maintains strict intellectual independence for all its projects, events, and publications. The Institute maintains independent control of the content and conclusions of any products resulting from sponsored projects.