THE HAGUE/LONDON -Prosecutors at the International Criminal Court are investigating alleged Russian cyber attacks on Ukrainian civilian infrastructure as possible war crimes, four sources familiar with the case have told Reuters.

It is the first confirmation that attacks in cyberspace are being investigated by international prosecutors, which could lead to arrest warrants if enough evidence is gathered.

The probe is examining attacks on infrastructure that endangered lives by disrupting power and water supplies, cutting connections to emergency responders or knocking out mobile data services that transmit air raid warnings, one official said.

ICC prosecutors are working alongside Ukrainian teams to investigate “cyber attacks committed from the beginning of the full-scale invasion” in February 2022, said the official, who declined to be named because the probe is not finished.

Two other sources close to the ICC prosecutor’s office confirmed they were looking into cybe rattacks in Ukraine and said they could go back as far as 2015, the year after Russia’s seizure and unilateral annexation of the Crimean Peninsula from Ukraine.

Moscow has previously denied that it carries out cyber attacks, and officials have cast such accusations as attempts to incite anti-Russian sentiment.

Ukraine is collecting evidence to support the ICC prosecutor’s investigation.

The ICC prosecutor’s office declined to comment on Friday, but has previously said it has jurisdiction to investigate cybercrimes. It has also said it cannot comment on matters related to ongoing investigations.

The court has issued four arrest warrants against senior Russian suspects since the beginning of the invasion. These include President Vladimir Putin, suspected of a war crime over the deportation of Ukrainian children to Russia.

Russia, which is not a member of the ICC, dismissed that decision as “null and void”. Ukraine is also not a member, but has granted the ICC jurisdiction to prosecute crimes committed on its territory.

In April, a pre-trial chamber issued arrest warrants alleging that two Russian commanders had committed crimes against humanity with strikes against civilian infrastructure. The Russian defense ministry did not respond to a request for comment at the time.

At least four major attacks on energy infrastructure are being examined, two sources with knowledge of the investigation told Reuters.

A senior source said one group of Russian hackers in the ICC’s crosshairs is known in cyber security research circles as “Sandworm”, and is believed by Ukrainian officials and cyber experts to be linked to Russian military intelligence.

A team at the Human Rights Center, UC Berkeley School of Law, has been investigating Sandworm’s cyber attacks targeting Ukrainian civilian infrastructure since 2021, and made confidential submissions to the ICC in 2022 and 2023 identifying five cyber attacks it said could be charged as war crimes.

Sandworm is suspected of a string of high-profile attacks, including a successful 2015 attack on a power grid in western Ukraine – one of the first of its kind, according to cybersecurity researchers.

A group of activist hackers calling themselves “Solntsepyok” (“hot spot”) claimed responsibility for a major attack on the Ukrainian mobile telecommunications provider Kyivstar last Dec. 12. Ukrainian security services identified that group as a front for Sandworm.

Sandworm is also believed by Kyiv to have carried out extensive cyber espionage against Western governments on behalf of Russia’s intelligence agencies.

Cyber attacks that target industrial control systems, the technology that underpins much of the world’s industrial infrastructure, are rare, but Russia is one of a small club of nations that possess the means to do so, the cyber security researchers said.

The ICC case, which could set a precedent for international law, is being closely followed.

The body of international law covering armed conflict, enshrined in the Geneva Conventions, bans attacks on civilian objects, but there is no universally accepted definition of what constitutes a cyber war crime.

Legal scholars in 2017 drafted a handbook called the Tallinn Manual on the application of international law to cyberwarfare and cyber operations.

But experts interviewed by Reuters say it is unclear whether data itself can be considered the “object” of an attack banned under international humanitarian law, and whether its destruction, which could be devastating for civilians, can be a war crime.

“If the court takes on this issue, that would create great clarity for us,” said Professor Michael Schmitt of the University of Reading, who leads the Tallinn Manual process.

Schmitt believes that the hack of Kyivstar, owned by the Dutch company Veon, meets the criteria to be defined as a war crime.

“You always look at the foreseeable consequences of your operation. And, you know, that was a foreseeable consequence that placed human beings at risk.”

Ukraine’s intelligence agency said it had provided details of the incident to ICC investigators in The Hague. Kyivstar said it was analysing the attack in partnership with international suppliers and the SBU, Ukraine’s intelligence agency.