Russian hackers target Ukrainian government systems involved in war crimes investigations

Russia is stepping up its cyberattacks on Ukraine's law enforcement agencies in an effort to uncover what they know about war crimes committed by Russian soldiers, according to Ukrainian cybersecurity officials.

The Kremlin's recent espionage campaigns targeted Ukraine's prosecutor general's office, courts, and other entities involved in investigating war crimes, said Victor Zhora, the deputy chairman of Ukraine's cybersecurity service (SSSCIP), during a press conference on Tuesday.

He didn't mention whether any of these attacks succeeded or if any sensitive information related to war crimes investigations was exposed.

Since the war began in February 2022, Ukrainians have been collecting evidence of Russian war crimes, hoping to catch and punish those responsible. These alleged Russian war crimes include the killing of civilians, rape, taking hostages, torture, and bombing civilian infrastructure.

According to SSSCIP's latest report, Russian hackers may be trying to obtain lists of war crime suspects to help them evade prosecution and bring them back to Russia. They're also likely interested in finding out which elite soldiers and officers were captured in Ukraine, and whether they can be exchanged.

Any evidence or intelligence that can be used in criminal cases against Russian spies, individuals, and institutions could be valuable to the Kremlin, as Ukraine plans to use this information to prosecute and sanction alleged war criminals, the report said.

Earlier this month, the International Criminal Court (ICC), which investigates war crimes and crimes against humanity, stated that its computer systems had been hacked, but didn't give details on how serious the incident was, whether it was remediated, or who was responsible for it.

In September, the ICC opened a field office in Kyiv — the largest office outside its headquarters in The Hague — to investigate Russian war crimes.

In a recent article in Digital Front Lines, the ICC's top prosecutor, Karim Khan, stated that the agency plans to treat cyber incidents as potential war crimes. Russia's cyberattacks on Ukraine's critical civilian infrastructure might be among their first cases.

New approach

According to SSSCIP's report, there has been a shift in Russia’s hacking targets this year: They have moved from mainly targeting government, military, and critical infrastructure facilities to focusing on law enforcement, private businesses, and media organizations.

The hackers have also changed their strategy and the intensity of their attacks.

Although the number of cyber incidents in Ukraine has doubled this year — going from 57 per month to 128 per month — their severity has gone down. For instance, in the first half of last year, Ukraine’s computer emergency response team (CERT-UA) detected 319 critical incidents, but this year during the same period they reported only 27.

Russia has also shifted from destructive attacks to cyber espionage in response to the ongoing cyber warfare and Ukraine's counteroffensive operation, Zhora told Recorded Future News. The Kremlin is likely trying to gather information related to weapon supplies to Ukraine, international aid, logistics chains, weapons manufacturing, and military plans to gain an advantage on the battlefield.

Zhora didn't specify how successful these attempts were, but he stated that "the situation continues to be under the control of Ukraine."

The researchers also noticed that Russia is trying to target victims who have been compromised in the past. “Prior knowledge of a victim organization's network infrastructure, defensive measures, key personnel, and communication patterns provides returning attackers with a substantial advantage,” the report said.

As Ukraine braces for the winter season amid the looming threat of blackouts and escalating missile strikes, Zhora warned that Russian hackers may once again target Ukraine's vital infrastructure, including its energy facilities.

Last year, SSSCIP became one of the agencies in charge of safeguarding critical infrastructure, granting it greater authority over its cybersecurity defenses. "Hopefully, we will be more prepared," Zhora said.