UKRAINE: Timeline of Cyberattacks

1. What does the armed conflict between the Russian Federation and Ukraine mean for the work of the CyberPeace Institute?

Firstly, it is important to recognize the extreme suffering of the civilian population in Ukraine who are subject to military attack. The consequences for people are devastating as they have to make the choice to stay and risk their lives as the hostilities increasingly affect civilian areas, or flee the fighting for an uncertain future of displacement and separation from family members, their homes and livelihoods.

Ukraine is currently subject to attacks from traditional weapons as well as cyberattacks and operations.

Through the Ukraine: Timeline of Cyberattacks, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects. This is important in order to identify harm and risks to civilian populations. 

2. Why is it important to track cyberattacks and operations against Ukraine?

In recent weeks there has been a significant escalation in the number of reported cyberattacks against Ukrainian institutions, organizations and the wider civilian population. It is important to document such attacks as they pose real threats to people, critical infrastructure and the functioning of society. 

The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water and sanitation facilities, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population.

Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the displacement of people.

Collecting information about cyberattacks and operations is important to call for people to be spared from attack, to recall the applicable legal obligations that parties to conflict must adhere to, e.g. the rules of international humanitarian law, and to document the harm to people.  In the future, it will be important to use the information to call for important developments or clarifications in relation to the use of cyber operations in armed conflicts, and for accountability.

Cyberattacks and operations have important risks beyond the actual conflict in Ukraine due to the interconnectedness of cyberspace. Because of the indiscriminate nature of cyberattacks,  a cyberattack in Ukraine could affect other countries, for example, the use of malware which can spread to other countries.  It is also highly likely that cyberattacks may originate from individuals or groups that are not direct parties to the hostilities – currently Ukraine and the Russian Federation. Such attacks may be considered as direct participation in the hostilities, and thus subject to the rules of international humanitarian law.

3. What kinds of cyberattacks are we seeing in relation to the conflict in Ukraine?

As we can all see from the media reporting from Ukraine, the main harm for the civilian population is coming from the hostilities using more traditional military weapons. However, there has been an escalation of cyberattacks in recent days. 

Cyberattacks have taken the form of attacks which aim to disrupt institutions, digital infrastructure, and to limit access to information and/or spread disinformation.

Recent history has shown that cyberattacks have harmed Ukraine’s civilian population and critical infrastructure.

Civilians, civilian objects and infrastructure ensuring the delivery of essential services must be spared from attack. The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population. Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. On their own, and/or combined with kinetic attacks, cyberattacks can also be highly disruptive and create a sense of fear and uncertainty and accelerate violence and/or the displacement of people.

4. Does the law prohibit the use of cyber as a weapon?

Some states have developed offensive cyber capabilities, and thus cyber operations are a reality of armed conflicts today. Like any other weapon used in armed conflict, the use of cyber tools is subject to restrictions. International Humanitarian Law (IHL) applies to cyber operations during armed conflicts.

International Humanitarian Law has been formulated in a way it applies to all forms of warfare and to all kinds of weapons. The basic rules are clear and apply to any weapons, including cyber operations, in armed conflict: targeting civilians and civilian objects is forbidden, indiscriminate weapons and attacks must not be used, attacks which are disproportionate (i.e. expected to cause excessive harm) are prohibited, medical services must be respected and protected. This law aims to save lives and reduce suffering.

To give an example, this means that a party to an armed conflict is prohibited from using a missile or other weapon to attack a hospital, and it is prohibited from cyberattacks against a hospital e.g. to destroy its computers, disable medical equipment and networks, destroy or steal data, etc.

5. What does participation in hostilities mean in an age of cyber?

We are seeing that cyber operations are a reality of armed conflicts today, as States have offensive cyber capabilities. In the aftermath of Russia’s recent invasion of the territory of Ukraine, Ukraine’s Minister of Digital Transformation announced the creation of a government-led volunteer cyber army.

International humanitarian law makes a clear distinction between civilians and military armed forces and provides modalities on what it means for a person to participate directly or indirectly in an armed conflict. 

According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.” 

6. What is the CyberPeace Institute calling for?

The CyberPeace Institute calls upon all actors to spare civilians, civilian objects and infrastructure which are ensuring the delivery of essential services in line with commitments, norms and international humanitarian law.

Parties to the armed conflict in Ukraine have a responsibility under international humanitarian law  to respect the civilian population and other protected persons, civilian objects and infrastructure essential to survival. (This means parties to the armed conflict must respect the four Geneva Conventions of 1949 and the first Additional Protocol of 1977.) 

The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) must be respected. These principles also have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations.

In addition, the CyberPeace Institute is calling for restraint in the use of cyber, as well as in other attacks. 

During armed conflict harm to civilians, during military cyber operations, must be avoided. With the use of cyber, the challenge is that because of the interconnected nature of infrastructure, the inherently dual nature of infrastructure, and the difficulty to assess the impact (and unintended consequences of attacks using cyber tools) it is extremely difficult to assess potential harm to civilians and hence to do the calculation as to whether the harm caused to civilians is proportionate or excessive to the military objective.