File Not Found: Russia Is Hacking Evidence of Its War Crimes


It is often quipped that history is written by the victors. But, as the bloodshed in Ukraine drags into a third year, Russian President Vladimir Putin does not have to win his unjust war to rewrite the events of the conflict and undermine post-war justice. Russian hackers from the Federal Security Services and Main Intelligence Directorate are reportedly targeting the Ukrainian Prosecutor General’s Office, the entity responsible for documenting war crimes committed by Russian combatants on Ukrainian soil. At the same time, the International Criminal Court declared that it had been hacked, having “detected anomalous activity” in its systems. The hackers’ aim? To obtain — even delete — evidence of war crimes and help Russians arrested in Ukraine to “avoid prosecution and move them back to Russia.” Russia’s interest in meddling with the prosecution of alleged war crimes is blatant. The International Criminal Court has a current arrest warrant out for Putin himself for the forcible transferal of Ukrainian children to Russia (a violation of the genocide article of the Rome Statute). It also has ongoing investigations regarding Russian war crimes in both Ukraine and Georgia. Russia is no stranger to doctoring its official records. For example, Soviet leader Joseph Stalin famously blotted out from photographs those whom he ordered to be purged. But that was Moscow manipulating its own records. Today, Russia is waging cyber attacks against others’ systems in order to alter evidence of its atrocities and thus subvert war crime tribunals.

Russia’s breach of the digital depositories of war crime evidence highlights two new, troubling realities of 21st-century wars. First, it is widely recognized that perpetrators are using cyberspace and social media to organize, fund, execute, and celebrate their atrocities. Indeed, Russia has consistently deployed cyber attacks as part of its unjust war against Ukraine. Some claim that such operations have had little effect and are even backfiring. Others maintain that, despite their lack of “shock and awe”, Russia’s persistent cyber attacks form a strategically valuable part of Putin’s offense. Either way, this recent revelation signals a worrying development: Perpetrators of atrocities are likely to employ offensive cyber operations to cover up their battlefield crimes. Second, war crime trials are already fraught with complexity, accusations of victors’ justice, legal exasperation, perfunctory showmanship, abortive reconciliation, and issues regarding postwar stability. Cyber operations that contaminate evidence are yet another hurdle in the broader pursuit of justice — and they will continue after the bullets stop flying.



Lies, AI, and Tainted Trials

Russia’s cyber incursions into war crime databases are alarming. If the Russian hackers can retrieve information pertinent to war criminal cases, their goal (according to the Office of the Ukrainian Prosecutor General) will be to extradite accused Russian-affiliated perpetrators to escape prosecution.

However, there is an even scarier prospect that is not being reported. If Russian hackers obtain access to sensitive evidence of war crimes, they can not only steal it, but also delete, manipulate, and supplant it with fictitious, AI-generated evidence — entirely unbeknownst to system operators. Via the application of AI, individuals can “manipulate images, video, audio and text in such a way that even the keenest observers can be deceived.” A prime example is deepfakes. There are already widespread calls around the dangers of deepfakes in war — including in the Russo-Ukrainian conflict itself (although this quickly became a notorious failure).

Less has been said about deepfakes postwar and in war crime tribunals. The hackers — once in the system — could plant false (AI-generated) images, videos, and audios that cast doubt on whether war crimes were committed by Russian combatants. Or deepfakes could make it appear as though Ukrainian forces were perpetrating war crimes: mutilation of Russian corpses, rape of Russian soldiers, or torturing Russian prisoners of war. Depending on quality and quantity, the fake photos or videos could muddy the waters about what is true and what is false. The potential damage of misleading AI-generated content — especially audio deepfakes, which may be harder to verify — is serious, and automatic deepfake detectors are still in development.

Even breaching the database without making any changes, or just the public sense that the database could hypothetically be breached (even if there is no evidence of sabotage), could raise questions about the validity of the evidence. Russian disinformation campaigns are designed to elicit public division and distrust — including when there is no viable proof of the claims being made. At the very least, hacking these systems could lead to tribunal cases being painstakingly drawn out, delaying the justice owed to victims and their families. Worse still, hacked information could lead to false accusations, acquittals, and cases being thrown out altogether due to insufficient, unclear, or tainted evidence.

Digital evidence pertinent to atrocities and violations of international humanitarian law, by any party to an armed conflict, is strictly off limits. This is especially the case given states’ duties under customary international law to investigate and prosecute violations of the laws of war, crimes against humanity, and genocide. The preservation of war crime data repositories is therefore critical to facilitate such obligations.

Of course, this does not mean that all covert cyber operations are inherently wrong. According to the U.S. Joint Chiefs of Staff Handbook on Psychological Operations, information operations that “influence, disrupt, corrupt, or usurp adversarial human and automated decision making” can be “conducted … at all levels of war”. Elsewhere, I have argued for hacking into adversaries’ networks and clandestinely tampering with data resident in those systems to prevent atrocities. Specifically, I suggested manipulating atrocity perpetrators’ information so that it delays their operations. This includes subtly misrouting weapons shipments, editing concentration camp blueprints (such that they cannot be properly built), or slightly altering orders in a way that does not “raise suspicion, but are sufficient to redirect, forestall, or confuse [the enemy’s] subordinates.” Further, I have suggested that cyber-enabled psychological operations — like the Ukrainian hacktivists’ “Patriotic Photoshoot” campaign last year — may be morally preferable to kinetic uses of force because they are less harmful (although I also raised questions over who is a liable target in such cyber operations). Furtive hacking operations and (dis)information campaigns are an easier and quicker way to thicken the fog of war than human intelligence operations — and, as others have highlighted, ambiguity can be an asset.

Crucially, to reiterate, the cyber operations I defend are to help parry the commission of atrocity crimes — not obfuscate them. Russia, by contrast, is employing cyber operations to dodge accountability for its grave abuses (torture, sexual assault, indiscriminate killing, inhumane treatment, and summary executions) of Ukrainians.

All of this is occurring against the backdrop of social media companies deleting videos and photos of potential war crimes uploaded by victims, witnesses, activists, journalists, and even the perpetrators themselves (often as “trophies”). For years, corporations like Meta, X (formerly Twitter), and YouTube have been using AI to rapidly remove posts that violate their standards regarding gratuitous, gory, and gruesome content. But they have not been archiving this evidence. Crucial content that could help hold perpetrators to account is lost.

The War After the War

The fight for justice is as important as the fight with tanks, drones, and bombs. In light of Russia’s hacks, three responses are urgently required.

First, to the best extent possible, the United States and its allies should raise awareness regarding Russia’s attempts to interfere with Ukraine’s and the International Criminal Court’s databases. As part of this, greater attention needs to be afforded to the cyber defense of specifically those digital depositories. It is of paramount importance to preserve the integrity of war crime evidence to facilitate justice for lives lost and egregious rights violations. No one — especially not the accused — can be allowed to tamper with such sensitive information.

Second, social media corporations need to improve how they balance deleting graphic content and archiving evidence. As Alexa Koenig has argued, Big Tech corporations, collaborating with humanitarian and human rights organizations, need to develop what she calls “evidence vaults” or “evidence lockers” for this reason. Despite early interest from social media companies, little progress has been made. Indeed, three months after the full-scale invasion of Ukraine in 2022, four legislators in the U.S. Congress called on the heads of TikTok, YouTube, Twitter, and Meta to preserve and archive possible evidence of war crimes in Ukraine.

This is not to say that corporations are uninvolved in protecting certain cyber infrastructures amidst the war. Far from it. For instance, very early on in the conflict, Microsoft helped Ukraine upload critical government data to the cloud. This was crucial because “the Ukrainian government still operated exclusively on servers located in major government buildings” which are “extremely vulnerable to missile attacks and their physical destruction could paralyze the entire work of the country’s top leadership.” But, as of late November last year, social media platforms have yet to establish a repository specifically for war crime evidence. Given the escalation of violent conflict in Ukraine and in Gaza, the need is even more apparent.

Third, as part of its defensive war, Ukraine should continue to proactively prevent Russian hackers from breaching its digital databases via what the United States would regard as cyber-enabled “persistent engagement,” “defending forward,” and “integrated deterrence.” Moreover, while Ukrainians did not believe Russia’s deepfake of Ukrainian President Volodymyr Zelenskyy calling for the cessation of hostilities, more should be done to develop technologies to identify deepfakes and “cheap fakes” (easily edited or manipulated videos, such as by cropping footage). Additional Ukrainian public messaging could also help “inoculate” individuals from disinformation via “prebunking” (as opposed to debunking). Ukraine should also continue to consistently remind its citizens that Russian propaganda will aim to weaken public resolve to defend themselves.

Knowing that these efforts are now part of Putin’s war strategy, irrespective of whether he is victorious, means Ukraine’s own war strategy should shift. Previously, there has been a strict delineation between the collection, retention, and protection of war crime evidence and the war itself. No more. Not in cyberspace.

“Winning” a war in the 21st century will not look the same if post-conflict justice processes are sullied with suspicion and war crimes perpetrators can evade prosecution. As Yurii Shchyhol, the head of the State Service of Special Communications and Information Protection of Ukraine, put it: “You need to understand that the cyber war will not end even after Ukraine wins on the battlefield.” Given this, the United States, Ukraine, and its allies need to be prepared to defend against malicious cyber attacks after atrocities.



Rhiannon Neilsen, Ph.D. is the Cyber Security Postdoctoral Fellow at the Center for International Security and Cooperation, Stanford University. She has recently published on cyber and atrocity crimes, the Russo-Ukraine war, psychological operations, and covert cyber-operations. Previously, she was a postdoctoral fellow at the Australian National University, a research consultant for the Institute for Ethics, Law and Armed Conflict at the University of Oxford, and a visiting fellow at the NATO Cooperative Cyber Defence Centre of Excellence. 

Image: Ukrainian Interior Ministry