Article written by Mark Bruno - October 2023
In April 2018, four men were arrested outside of the Organization for the Prohibition of Chemical Weapons (OPCW) headquarters in The Hague. They were initially spotted by security for conspicuously taking photos from the parking lot of a Marriott hotel next to the OPCW building. All four men were arrested after it was found that the Dutch military intelligence service (MIVD) had been tracking them for several days, and identified them as four agents of Russia’s GRU Unit 26165 (Cyber Operations). Investigators later found that the agents’ rental car was loaded with thousands of dollars in signals equipment for monitoring and possibly attacking the OPCW’s network. During the attempted intrusion, the OPCW was examining a chemical weapons assault on ex-Russian spy Sergei Skripal and his daughter in Salisbury, UK.
Attacks like this may seem like something from the imagination of Tom Clancy, but this was only one of several times that Russian threat actors have attempted to obfuscate various war crime investigations, utilizing a mix of Cyber and Information Warfare tactics. While the April 2018 incident was unique in its brazenness, it was one of several more traditional attacks.

The Intersection of Cyber, Information, and Hybrid Warfare
Russia's information operations against international judicial bodies like the OPCW and ICC highlight a concerning trend of utilizing cyber and information warfare to obstruct war crimes investigations. These events not only undermine the credibility and functioning of these international institutions but also hinder the global pursuit of justice for victims of war crimes.
The infiltration of Russian threat actors into the OPCW plays into the modern frameworks of Cyber, Information, and Hybrid Warfare. While the objective seems simple (a state actor doesn’t want to be implicated in war crimes), it’s important to understand the distinctions between terms that often get conflated: Cyberwarfare, Information Warfare, and Hybrid Warfare. Each refers to something distinct, yet in many cases all three can describe the same operation.
Specifically, Cyberwarfare refers to the use of digital techniques to attack an adversary's computer systems, networks, and digital infrastructure. This is typically what’s being referred to when a situation involves hacking or network penetration. The overall purpose is to disrupt, destroy, or gain unauthorized access to computer systems and data.
Information Warfare is about using information (or misinformation) to gain an advantage over an adversary. It's about shaping perceptions and beliefs to influence a population or decision-making process. It does this by altering the perception of events through propaganda, deception, and manipulating the framing of information gathered through intelligence operations. There is a lot of crossover between Information Warfare and what is typically called “Psychological Operations (psyops)”, and one may find the terms used interchangeably in some articles, though that’s not necessarily accurate.
Hybrid Warfare is a blend of conventional and unconventional warfare tactics, which may include elements of Cyberwarfare, Information Warfare, and traditional military operations. The targets of Hybrid Warfare are wide-ranging, from public opinion to physical infrastructure, to political systems. It utilizes a combination of cyber attacks, misinformation campaigns, guerrilla warfare, economic pressure, and more. This is generally done to achieve strategic objectives by blurring the lines between different forms of warfare and using the most effective tools available.
Dangers To Investigators And Value To The Threat Actor
What would a country in Russia’s position seek to gain from infiltrating the OPCW? What threat do attacks like this really pose to the work of international organizations such as the International Criminal Court, Human Rights Watch, or the Genocide Network? While the investigations into cyber operations can be drawn out, the goals of a threat actor can often be easily ascertained.
An obvious danger is evidence tampering. By infiltrating digital systems where evidentiary data is stored or transferred, threat actors could alter or delete crucial evidence, making it difficult to substantiate claims of war crimes.
Concealing the identities of perpetrators is another objective. A threat actor can obscure the identities of those involved in war crimes, ensuring a degree of impunity for the accused.
Threat actors can also gain unauthorized access to systems and acquire sensitive information, including the identities of witnesses, investigators, or other key personnel. Such attacks can be used to intimidate or retaliate against individuals, organizations, or states involved in investigating or prosecuting war crimes, potentially dissuading further inquiry or action.
A final danger of cyber operations is that they can allow for wholesale cover-ups and erode confidence in accusations involving weapons or tactics generally shunned by the international community.
MH17 Plane Crash Investigation
In 2015 and 2017, during the investigation of the downing of Malaysia Airlines Flight 17 over Ukraine, it was found that Russian hackers had attempted to disrupt proceedings by the Dutch Safety Board and the Dutch Police’s Joint Investigation Team. The 2015 attempt was reportedly thwarted by the AIVD and the Dutch Safety Board, and attributed to the now-infamous Fancy Bear hacking group that has, in the years since, been firmly linked to Russia’s GRU. The attackers mimicked an email server, hoping to use it to collect the credentials of Safety Board members and gain access to the inspection team’s files. From there, any amount of data could have been destroyed and findings manipulated. In 2017, a similar attempt was made, targeting the Dutch Police’s Joint Investigation Team, which was entrusted with prosecuting the incident. Attribution in this instance pointed to Cozy Bear, a hacking group linked to Russia’s SVR or FSB.
In The Context Of Russia’s Full-Scale Invasion
Last year, the AIVD noted that the ICC may be a target of interest for Russia, as it was at the time (and still is) investigating alleged Russian war crimes in Georgia and Ukraine. As if to give credence to the warning, the following June, the AIVD revealed the discovery of a Russian military agent masquerading as a Brazilian intern with the ICC, in an attempt to infiltrate the court.
One year later, in an August 20th piece submitted to Digital Frontlines, ICC prosecutor Karim Khan discussed the role of the ICC as both agent and target within the landscape of hybrid warfare. Four weeks after the piece’s publication, The Hague found itself confronted with yet another breach as investigations at the International Criminal Court continue regarding crimes in Ukraine and the Central African Republic. On the 21st of September, the War Crimes Tribunal of the ICC confirmed that it had been the subject of a cyberattack, the details of which are still limited. The impact of this attack, which was largely mitigated, was mostly felt internally, as workers within the ICC were unable to access certain essential services. However, of particular concern is whether or not data was stolen, which potentially encompasses crucial evidence or the identities of protected witnesses.
On September 22nd, the day after news of this attack was announced, Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), warned that attacks like this are following a pattern his agency has highlighted in an upcoming report. On the 25th, the SSSCIP published the report, which indicated its own investigative bodies were under increasing numbers of cyberattacks. The Ukrainian government warns this was explicitly done to inhibit its own investigations into Russian war crimes in places like Bucha and Mariupol. The same day, Russia’s Ministry of Internal Affairs put the Chairman of the International Criminal Court, Peter Hofmanski, his deputy, Luz del Carmen Ibáñez Carranza, and Judge Bertram Schmitt, on its own wanted list.
Moving Forward
The various incidents outlined demonstrate that a nation-state actor, for relatively little expense and consequence, can make a strategic effort to conceal evidence, protect perpetrators, and control narratives surrounding war crimes. These actions pose significant threats not only to the integrity of investigations but also to the individuals and organizations involved in these judicial processes. They can empower further use of weapons systems that may be discouraged by international norms: for instance, the back-and-forth about Russia and Ukraine’s usage of cluster munitions has become a heated front in such a debate.
The threat of cyber warfare has led to the beginnings of expanded international cooperation in both the ICC and NATO, as well as the private sector. In light of these events, and the widespread damage cyber operations have done in Ukraine, the ICC has stated that it will begin investigating instances of cyberwarfare and crimes in cyberspace as war crimes. Much of this intelligence is gathered through private-public partnerships such as the Cyber Defense Assistance Collaborative. This is a group of various private cybersecurity firms that have offered to share valuable cyber intelligence with each other and the governments of allied nations, largely based in Europe and North America.
For several years, it has been acknowledged that there need to be grounds for a cyber attack to trigger NATO’s Article 5, the rule accepting that an attack on a member state constitutes an attack on all member states. This has been the impetus for an annual NATO exercise known as “Locked Shields”, wherein teams from all member states, as well as some non-member states, conduct a joint training mission in cyberspace. As recently as 2019, however, the line between what the alliance considered an “attack” in cyberspace and what constitutes merely a “crime” seemed vague. At this year’s NATO summit in Vilnius, it would seem that a consensus has been reached on this matter, but the wording of these conditions will remain classified for the time being.
The digital attacks on The Hague indicate a pressing need for stronger cybersecurity measures and international cooperation to ensure the resilience of judicial institutions against such threats. It’s crucial for the global community to acknowledge and address the evolving challenges posed by cyber and information warfare to maintain the rule of law and uphold humanitarian principles in the digital age.