Prosecutors at the International Criminal Court (ICC) are investigating alleged Russian cyberattacks on Ukrainian civilian infrastructure as possible war crimes, four sources familiar with the case told Reuters on Friday, June 14.

It is the first confirmation that attacks in cyberspace are being investigated by international prosecutors, which could lead to arrest warrants if enough evidence is gathered.

According to one of the officials, the probe is examining attacks on infrastructure that endangered lives by disrupting power and water supplies, cutting connections to emergency responders or knocking out mobile data services that transmit air raid warnings.

ICC prosecutors are working alongside Ukrainian teams to investigate "cyberattacks committed from the beginning of the full-scale invasion" in February 2022, said the official, who declined to be named because the probe is not finished.

Two other sources close to the ICC prosecutor's office confirmed they were looking into cyberattacks in Ukraine and said they could go back as far as 2015, the year after Russia's seizure and unilateral annexation of the Crimean Peninsula from Ukraine.

At least four major attacks on energy infrastructure are being examined, two sources with knowledge of the investigation told Reuters.

A senior source said one group of Russian hackers in the ICC's crosshairs is known in cybersecurity research circles as Sandworm, and is believed by Ukrainian officials and cyber experts to be linked to Russian military intelligence.

A team at the Human Rights Center, UC Berkeley School of Law, has been investigating Sandworm's cyberattacks targeting Ukrainian civilian infrastructure since 2021, and made confidential submissions to the ICC in 2022 and 2023 identifying five cyberattacks it said could be charged as war crimes.

Sandworm is suspected of a string of high-profile attacks, including a successful 2015 attack on a power grid in western Ukraine – one of the first of its kind, according to cybersecurity researchers.

A group of activist hackers calling themselves Solntsepyok ("hot spot") claimed responsibility for a major attack on the Ukrainian mobile telecommunications provider Kyivstar last December 12. Ukrainian security services identified that group as a front for Sandworm.

Sandworm is also believed by Kyiv to have carried out extensive cyberespionage against Western governments on behalf of Russia's intelligence agencies.

The body of international law covering armed conflict, enshrined in the Geneva Conventions, bans attacks on civilian objects, but there is no universally accepted definition of what constitutes a cyber war crime.

Legal scholars in 2017 drafted a handbook called the Tallinn Manual on the application of international law to cyberwarfare and cyber operations.

But experts interviewed by Reuters say it is unclear whether data itself can be considered the "object" of an attack banned under international humanitarian law, and whether its destruction, which could be devastating for civilians, can be a war crime.

"If the court takes on this issue, that would create great clarity for us," said Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual process.

Schmitt believes that the hack of Kyivstar, owned by the Dutch company Veon, meets the criteria to be defined as a war crime.

"You always look at the foreseeable consequences of your operation. And, you know, that was a foreseeable consequence that placed human beings at risk," he said.