Ukraine cyberattacks may have Geneva Convention implications, Microsoft says

Cyberattacks targeting civilians in Ukraine “raise serious concerns under the Geneva Convention,” Microsoft president Brad Smith said in a blog post today.

“We remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises,” Smith wrote. “These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them.”

As the Geneva Convention aims to protect civilians, “these attacks on civilian digital targets are very closely treading the line if not crossing it,” said Danny Lopez, CEO of cybersecurity vendor Glasswall, in an email to VentureBeat. “By targeting innocent bystanders, particularly emergency response and humanitarian aid organisations, that aren’t prepared to defend their cybersecurity infrastructure against a global power, nation-state attackers may have gone a step too far.”

The four Geneva Conventions are international treaties that define the rules of war and attempt to limit barbaric behavior during wartime. The fourth Geneva Convention is focused on treatment of civilians in war situations.

While the term “war crimes” does not appear in the convention itself, the term does appear in the Rome Statute of the International Criminal Court, Article 8, which defines “war crimes” as “grave breaches of the Geneva Conventions of 12 August 1949.” The article lists a number of acts that would constitute a violation of the Geneva Conventions, including “wilfully causing great suffering, or serious injury to body or health.” Other violations include “intentionally directing attacks against the civilian population,” according to Article 8 of the statute.

In terms of the Ukraine cyberattacks, Smith did not specify which incidents he was referring to in the blog when he mentioned cyberattacks that have raised “serious concerns under the Geneva Convention.”

Earlier in the post, however, he disclosed that Microsoft had “detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure” on Wednesday, February 24, several hours before Russia launched its unprovoked invasion of Ukraine.

The attacks involved a new malware package, which Microsoft has dubbed FoxBlade. A separate Microsoft page, first published on February 23, says that FoxBlade is a trojan that “can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.”

Overall, in Ukraine, “these recent and ongoing cyberattacks have been precisely targeted,” Smith said, noting that the use of “indiscriminate malware technology” such as in the NotPetya attacks of 2017 has not been observed so far.

Attacks on civilians

A number of cyberattacks have impacted targets in Ukraine over the past several weeks that are not part of the country’s government or military.

Massive DDoS attacks on February 15 affected the web services of three banks in Ukraine — Privatbank, Oschadbank and Monobank — as well as military websites in the country. The U.S. and U.K. have attributed those attacks to Russia.

DDoS attacks are among the simplest attacks to launch, and Russian threat actors have been known to use them “as a distraction to hide more direct attempts to breach target systems,” said Nathan Einwechter, director of security research at cyber firm Vectra.

In terms of destructive cyberattacks, data-wiping malware was deployed last Wednesday against financial, aviation and IT services companies in Ukraine, along with the defense ministry, just ahead of Russia’s invasion, according to researchers at ESET and Symantec. That wiper has been referred to as “HermeticWiper” by some researchers.

The Washington Post and VentureBeat have reported that data-wiping malware also hit a Ukraine border control station over the weekend, forcing border agents to process refugees fleeing the country with pencil and paper and contributing to long waits for crossing into Romania.

HypaSec CEO Chris Kubecka, who was in Ukraine to assist with potential cyberattacks and spoke with agents at the border crossing, told VentureBeat and Cybercrime Magazine that she has been attempting to obtain a sample of the malware for researchers to examine. The attack was first reported by the Washington Post.

Meanwhile, the State Service of Special Communication and Information Protection of Ukraine reported on February 25 that phishing emails with suspicious attachments have been targeting civilians. “The enemy forces aim to gain access to the electronic devices of Ukrainians to gather a large amount of information,” the agency said in a tweet.

“When there’s a level of uncertainty about something going on in the world, phishing can be one of the most effective tactics for attackers to use,” said Hank Schless, senior manager for security solutions at security vendor Lookout, in an email.

Other phishing attacks, which have targeted Ukrainian military personnel, have been blamed on “UNC1151” by Ukraine’s Computer Emergency Response Team (CERT). The agency said the hacking group consists of officers in the defense ministry at Russian ally Belarus.

Still, even with the cyberattacks that have been launched against Ukraine, experts told the Washington Post that the attacks so far have been far less severe than many expected prior to the invasion.

In the blog post today, and in an email response to VentureBeat, Microsoft did not specify which cyberattack incidents in Ukraine may raise concerns related to the Geneva Conventions.

“The team at Microsoft is likely seeing cyberattack attempts on digital infrastructure with varying degrees of infiltration success — and was intentionally vague to encompass all of them,” Lopez said.

War crimes?

Amid the attacks in Ukraine, experts will undoubtedly provide analysis on whether international laws of armed conflict may have been violated with cyberattacks, said Tim Wade, deputy CTO at Vectra.

“While some of that analysis may be complex or nuanced, one thing is very simple – placing civilian well-being in the crosshairs of a conflict is wholly unacceptable, and must not be the vehicle under which military achievements are made,” Wade said in an email. “The Geneva Convention is explicit in its purpose to protect people not taking part in hostilities.”

Crimes against humanity and war crimes are typically defined broadly so that “anything that unduly impacts civilians in a conflict zone” can be considered a war crime, said John Bambenek, principal threat hunter at IT and security operations firm Netenrich.

“Any intentional targeting of civilians certainly is the kind of thing the Geneva Convention was meant to address,” Bambenek said in an email. “The key concerns are the significance of attacks.”

For instance, a cyberattack aiming to impede the movement of refugees would be “both alarming and stunningly inhumane,” Bambenek said.

Ultimately, although it is “clear to say that these actions are harming civilians, it is up to international law and Geneva to make the official judgment on whether it’s a war crime,” said Shmulik Yehezkel, CISO at cybersecurity firm CYE.

But regardless, “we are seeing a significant uptick in the use of cyber capabilities alongside the kinetic operation and it can be assumed that this trend will continue,” Yehezkel said.

In the Microsoft blog post, Smith wrote that “in recent days, we have provided threat intelligence and defensive suggestions to Ukrainian officials regarding attacks on a range of targets, including Ukrainian military institutions and manufacturers and several other Ukrainian government agencies.”

“This work is ongoing,” Smith said.

Originally appeared on: TheSpuzz