Ukraine Symposium – Military Networks and Cyber Operations in the War in Ukraine

by | Apr 29, 2022

Military Networks and Cyber Operations

When Russia launched a full-scale invasion of Ukraine in February, many expected that the kinetic military action would be accompanied by extensive cyber operations. After all, the Sandworm group, an advanced persistent threat (APT) team forming part of Russia’s Military Intelligence service (GRU), had been responsible for attacks against the Ukrainian power grid in 2015 and 2016. They are also alleged to be behind releasing the NotPetya worm in 2017 that targeted government ministries, banks and energy companies in Ukraine, before causing damage in several other States.

To date, the cyber operations in Ukraine have appeared somewhat muted. In the early hours of 24 February, as Russian troops moved across the borders into Ukraine, satellite internet connections were disrupted, an operation recently attributed by US officials to the Russian military. A number of wiper viruses (HermeticWiper, IsaacWiper, and CaddyWiper) of varying degrees of sophistication have been unleashed at Ukrainian targets, including government departments at the start of the campaign (following an earlier wiper, WhisperGate, directed against government networks in January). These have been accompanied by a plethora of distributed denial of service (DDOS) attacks and website defacements, launched by both States and their proxy forces against Ukraine.

The Russian Federation’s view on the application of the law of armed conflict (LOAC) to cyber operations is somewhat complex; however, it has agreed that the main principles of humanity, necessity, proportionality and distinction apply (UN GGE Report 2015, 28(d)). As far as these cyber incidents have a nexus to the armed conflict, they are covered by LOAC. However, the cyber operations it has conducted to date have played out at the boundaries of some of the most debated issues in the law relating to cyber operations—what constitutes an object in cyberspace and whether the disruption of functionality amounts to an “attack” as understood in the context of LOAC.

Attack against the Satellite Communications Systems

A recent incident report revealed the details of a cyber operation first conducted as the current Russian invasion of Ukraine began. Ukrainian armed forces reportedly rely heavily on satellite communications provided by the KA-SAT satellite network. Although details are minimal in the public domain, the operation, launched against the ground-based modems linking users to the communications network, allegedly caused a massive disruption to military communications at the outset of the invasion.

What is known is that several thousand civilians in Ukraine were also affected as well as tens of thousands of other broadband customers across Europe (including, for example, the remote monitoring systems of a German windfarm) as their systems were knocked offline by an attack that “overwrote key data in the flash memory on the modems” rendering the modems unusable. The satellite modem hack has resulted in Viasat shipping over 30,000 replacement units to customers. The retrieved damaged units are then refurbished and reused; others have been repaired by issuing software updates to fix the modems remotely.

The first question is what military objective was being targeted. Without access to Russian military strategy, one must rely on general patterns. Although the method of the operation was the disabling of end-user modems, the “object of the attack” was the communications network, used by the Ukrainian armed forces, rather than the modems themselves. This is an important difference. The network is a “dual use” object, used by military and civilians alike; however, that is not a term of LOAC. Under the law, something either meets the definition of a military objective, or it is a civilian object. The use of the network by the armed forces and the subsequent military advantage obtained by neutralizing the ability of the defending forces to communicate at the outset of the campaign clearly bring it within the definition of a military objective. The remaining effect on civilian users of the network (whether inside or outside Ukraine) is to be considered in relation to the proportionality rule. Had the object of the attack been the modems, it would have constituted an indiscriminate attack.

The second question is whether the operation amounts to an attack at all under LOAC. Attacks are defined in Article 49 of Additional Protocol I as “acts of violence against the adversary, whether in offence or in defence.” It is the intended consequences of the act rather than the means of violence itself that are of relevance in determining whether an attack has taken place. It has been a significant area of debate as to which types of cyber operations might meet this threshold. All sides of the debate are agreed that cyber operations which cause death or injury to people or physical damage to objects above a de minimis level would constitute an attack (Tallinn Manual 2.0, Rule 92). However, there are differing views on whether an attack that causes a loss of functionality without causing physical damage constitutes an attack under LOAC (Tallinn Manual 2.0, Rule 92 Commentary paras. 10-12). As the cyber operations launched against Ukraine illustrate, it is these attacks against functionality that are the norm, rather than those which result in physical damage or destruction.

In the case of the KA-SAT operation, the modems were bricked (rendered useless) without any physical harm or replacement of physical components required. While Viasat has been replacing the physical modems, they have since stated that replacement of the modem is a matter of business efficiency rather than necessity, muddying the waters somewhat. Had it been necessary to replace the modems, there would be no question that the operation would have met the definition of an attack, having caused the requisite damage.

As it stands, it is clear that many users lacked the skills to fix the modems they had—customers were offline for several weeks while Viasat organized its replacement response. In my opinion, this is enough to qualify as damage for the purposes of Article 49. A modem that has had its functionality destroyed and is rendered unusable by code is just as unusable as one that has had its functionality destroyed by kinetic means. Others may argue that the fact that they are not permanently disabled should play some role in determining whether the operation constitutes an attack. Such a question is misplaced because it is not a mere question of turning a switch back on, but rather involves rebuilding or resetting the modem.

Wiper Attacks against Governmental Systems

A clearer example of the destructive power of code on the functionality of a system can be seen in the wiper viruses unleashed against Ukrainian targets. Wipers are an extremely destructive form of malware, rendering computer systems inoperable by wiping and rewriting data, including the master boot record of the computer so that it cannot operate. The malware destroys functionality without physical damage of any kind. So are these attacks?

As noted above, some commentators have suggested that the operation must result in damage that requires the replacement of physical components to qualify as an attack (see, e.g., Tallinn Manual 2.0, Rule 92 Commentary para. 10 for a breakdown of the varying opinions within that group). The International Committee of the Red Cross is of the view that, during an armed conflict, an operation designed to disable a computer or computer network constitutes an attack, whether it is disabled through kinetic or cyber means (see, e.g., ICRC Challenges Report 2015, p. 41).

Under the first approach, it is worth noting that none of the cyber operations so far recorded in Ukraine would qualify as “attacks” as there is no physical damage caused as a result. This author has argued elsewhere that cyber operations that destroy the functionality of a computer system without causing physical damage could constitute an attack under IHL.

The waves of wipers have targeted banks, government departments, government contractors and other organizations. Details of the targets are not available in the public domain; however, it is clear that not all systems affected would constitute legitimate military objectives. This raises the second extensively debated issue—whether data itself can be an objective. This question is distinct from, albeit related to, the question of whether the wiper malware amounts to an attack.

While the issue is of importance, unfortunately the lack of detail about the systems that have been affected makes any proper analysis impossible. It is interesting to note that of the three wipers deployed to date, only HermeticWiper appears to be sophisticated enough to target particular data within a system. Likewise, although the initial access vectors are as yet unknown, it appears that different vectors may have been used for different organizations, indicating a more targeted approach than an indiscriminate spread of malware. The lateral movement and spread of HermeticWiper, for example, is restricted to the local area network initially targeted.

Denial of Service Attacks and Web Site Defacements

The final category of cyber operations is the denial of service and web site defacements conducted by both parties to the armed conflict, their proxies, and many onlookers from around the world. Cyber operations which merely block the access to a system or website, such as these DDOS attacks, are more akin to electronic jamming and do not, without more, cause damage and therefore do not qualify as an attack within the meaning of IHL. Cyber operations that merely cause inconvenience or irritation to the civilian population do not rise to the level of an attack (see Tallinn Manual 2.0, Rule 92).

Conclusion

The cyber operations launched against Ukraine thus far have been fewer in number and less sophisticated than many expected given previous history in the area. However, they exemplify some of the most difficult issues with respect to the legal evaluation of cyber operations—namely, what is the nature of the objective targeted, what constitutes an attack, and the difficulties caused by the intermingling of civilian and military uses across networks, systems, and indeed borders. With few details available in the public domain, the answers to these questions will emerge over time.

***

Heather A. Harrison Dinniss is a Senior Lecturer at the International Law Centre of the Swedish Defence University.

