Ukraine Symposium – Military Networks and Cyber Operations in the War in Ukraine
When Russia launched a full-scale invasion of Ukraine in February, many expected that the kinetic military action would be accompanied by extensive cyber operations. After all, the Sandworm group, an advanced persistent threat (APT) team forming part of Russia’s Military Intelligence service (GRU), had been responsible for attacks against the Ukrainian power grid in 2015 and 2016. They are also alleged to be behind releasing the NotPetya worm in 2017 that targeted government ministries, banks and energy companies in Ukraine, before causing damage in several other States.
To date, the cyber operations in Ukraine have appeared somewhat muted. In the early hours of 24 February, as Russian troops moved across the borders into Ukraine, satellite internet connections were disrupted, an operation recently attributed by US officials to the Russian military. A number of wiper viruses (HermeticWiper, IsaacWiper, and CaddyWiper) of varying degrees of sophistication have been unleashed at Ukrainian targets, including government departments at the start of the campaign (following an earlier wiper, WhisperGate, directed against government networks in January). These have been accompanied by a plethora of distributed denial of service (DDOS) attacks and website defacements, launched by both States and their proxy forces against Ukraine.
The Russian Federation’s view on the application of LOAC to cyber operations is somewhat complex; however, they have agreed that the main principles of humanity, necessity, proportionality and distinction apply (UN GGE Report 2015, 28(d)). As far as these cyber incidents have a nexus to the armed conflict, they are covered by LOAC. However, the cyber operations they have conducted to date have played out at the boundaries of some of the most debated issues in the law relating to cyber operations—what constitutes an object in cyberspace and whether the disruption of functionality amounts to an “attack” as understood in the context of LOAC.
Attack against the Satellite Communications Systems
A recent incident report revealed the details of a cyber operation first conducted as the current Russian invasion of Ukraine began. Ukrainian armed forces reportedly rely heavily on satellite communications provided by the KA-SAT satellite network. Although details are minimal in the public domain, the operation, launched against the ground-based modems linking users to the communications network, allegedly caused a massive disruption to military communications at the outset of the invasion.
What is known is that several thousand civilians in Ukraine were also affected, as were tens of thousands of other broadband customers across Europe (including, for example, the remote monitoring systems of a German windfarm), as their systems were knocked offline by an attack that “overwrote key data in the flash memory on the modems,” rendering the modems unusable. The satellite modem hack has resulted in Viasat shipping over 30,000 replacement units to customers. The retrieved damaged units are then refurbished and reused; others have been repaired by issuing software updates to fix the modems remotely.
The first question is what military objective was being targeted. Without access to Russian military strategy, one must rely on general patterns. Although the method of the operation was the disabling of end-user modems, the “object of the attack” was the communications network, used by the Ukrainian armed forces, rather than the modems themselves. This is an important difference. The network is a “dual use” object, used by military and civilians alike; however, that is not a term of LOAC. Under the law, something either meets the definition of a military objective, or it is a civilian object. The use of the network by the armed forces and the subsequent military advantage obtained by neutralizing the ability of the defending forces to communicate at the outset of the campaign clearly bring it within the definition of a military objective. The remaining effect on civilian users of the network (whether inside or outside Ukraine) is to be considered in relation to the proportionality rule. Had the object of the attack been the modems, it would have constituted an indiscriminate attack.
The second question is whether the operation amounts to an attack at all under LOAC. Attacks are defined in Article 49 of Additional Protocol I as “acts of violence against the adversary, whether in offence or in defence.” It is the intended consequences of the act rather than the means of violence itself that are of relevance in determining whether an attack has taken place. It has been a significant area of debate as to which types of cyber operations might meet this threshold. All sides of the debate are agreed that cyber operations which cause death or injury to people or physical damage to objects above a de minimis level would constitute an attack (Tallinn Manual 2.0, Rule 92). However, there are differing views on whether an attack that causes a loss of functionality without causing physical damage constitutes an attack under LOAC (Tallinn Manual 2.0, Rule 92 Commentary paras. 10-12). As the cyber operations launched against Ukraine illustrate, it is these attacks against functionality that are the norm, rather than those which result in physical damage or destruction.
In the case of the KA-SAT operation, the modems were bricked (rendered useless) without any physical harm or replacement of physical components required. While Viasat has been replacing the physical modems, they have since stated that replacement of the modem is a matter of business efficiency rather than necessity, muddying the waters somewhat. Had it been necessary to replace the modems, there would be no question that the operation would have met the definition of an attack, having caused the requisite damage.
As it stands, it is clear that many users lacked the skills to fix the modems they had—customers were offline for several weeks while Viasat organized its replacement response. In my opinion, this is enough to qualify as damage for the purposes of Article 49. A modem that has had its functionality destroyed and is rendered unusable by code is just as unusable as one that has had its functionality destroyed by kinetic means. Others may argue that the fact that they are not permanently disabled should play some role in determining whether the operation constitutes an attack. Such a question is misplaced because it is not a mere question of turning a switch back on, but rather involves rebuilding or resetting the modem.
Wiper Attacks against Governmental Systems
A clearer example of the destructive power of code on the functionality of a system can be seen in the wiper viruses unleashed against Ukrainian targets. Wipers are an extremely destructive form of malware, rendering computer systems inoperable by wiping and rewriting data, including the master boot record of the computer so that it cannot operate. The malware destroys functionality without physical damage of any kind. So are these attacks?
As noted above, some commentators have suggested that the operation must result in damage that requires the replacement of physical components to qualify as an attack (see, e.g., Tallinn Manual 2.0, Rule 92 Commentary para. 10 for a breakdown of the varying opinions within that group). The International Committee of the Red Cross is of the view that, during an armed conflict, an operation designed to disable a computer or computer network constitutes an attack, whether it is disabled through kinetic or cyber means (see, e.g., ICRC Challenges Report 2015, p. 41).
Under the first approach, it is worth noting that none of the cyber operations so far recorded in Ukraine would qualify as “attacks” as there is no physical damage caused as a result. This author has argued elsewhere that cyber operations that destroy the functionality of a computer system without causing physical damage could constitute an attack under IHL.
The waves of wipers have targeted banks, government departments, government contractors and other organizations. Details of the targets are not available in the public domain; however, it is clear that not all systems affected would constitute legitimate military objectives. This raises the second extensively debated issue—whether data itself can be an objective. This question is distinct from, albeit related to, the question of whether the wiper malware amounts to an attack.
While the issue is of importance, unfortunately the lack of detail about the systems that have been affected makes any proper analysis impossible. Interesting to note is that of the three wipers deployed to date, only HermeticWiper appears to be sophisticated enough to target particular data within a system. Likewise, although the initial access vectors are as yet unknown, it appears that different vectors may have been used for different organizations, indicating a more targeted approach than an indiscriminate spread of malware. The lateral movement and spread of HermeticWiper, for example, is restricted to the local area network initially targeted.
Denial of Service Attacks and Web Site Defacements
The final category of cyber operations is the denial of service and web site defacements conducted by both parties to the armed conflict, their proxies, and many onlookers from around the world. Cyber operations which merely block the access to a system or website, such as these DDOS attacks, are more akin to electronic jamming and do not, without more, cause damage and therefore do not qualify as an attack within the meaning of IHL. Cyber operations that merely cause inconvenience or irritation to the civilian population do not rise to the level of an attack (see Tallinn Manual 2.0, Rule 92).
Conclusion
The cyber operations launched against Ukraine thus far have been fewer in number and less sophisticated than many expected given previous history in the area. However, they exemplify some of the most difficult issues with respect to the legal evaluation of cyber operations—namely, what is the nature of the objective targeted, what constitutes an attack, and the difficulties caused by the intermingling of civilian and military uses across networks, systems, and indeed borders. With few details available in the public domain, the answers to these questions will emerge over time.
***
Heather A. Harrison Dinniss is a Senior Lecturer at the International Law Centre of the Swedish Defence University.
Photo credit: Piqsels