ICC Confirms Recent Cyberattack Was Espionage


Not a random cyberattack. International Criminal Court confirms September cyberattack was case of “sophisticated espionage”

The International Criminal Court (ICC) in The Hague has admitted that its “cybersecurity incident” five weeks ago was actually a case of espionage.

In September the ICC had admitted that it had been hacked, which immediately prompted concern due to the sensitive nature of the work it conducts – which could potentially include information about any of its war crime investigations, witness names and other confidential data.

For example, in March this year the ICC issued arrest warrants for Vladimir Putin, the President of Russia, and Maria Lvova-Belova, Russian Commissioner for Children’s Rights.



Espionage attempt

The warrant against Putin was the first time an international arrest warrant had been issued against the leader of a permanent member of the United Nations Security Council.

Both are accused of the war crime of unlawful deportation and transfer of children during Russia’s illegal invasion of Ukraine.

Moscow has rejected the accusations and the court’s jurisdiction.

Now the ICC has confirmed that the “evidence available thus far indicates a targeted and sophisticated attack with the objective of espionage. The attack can therefore be interpreted as a serious attempt to undermine the Court’s mandate.”

The ICC said that, with the support of the Netherlands (its Host State) and external cyber security experts, it has conducted a forensic analysis of the incident, its causes and its impact, and initial mitigating measures.

The ICC said that based on the forensic analysis carried out, the Court has already taken and will continue to take all necessary steps to address any compromise to data belonging to individuals, organisations and States.

“Should evidence be found that specific data entrusted to the Court has been compromised, those affected would be contacted immediately and directly by the Court,” the ICC said.

“For the Court, the safety of its data and maintaining trust with all of its stakeholders are paramount.”

It said that with the information currently available, it is not presently possible for the Court to confirm who is responsible for the attack.

The Dutch law enforcement authorities are currently conducting a criminal investigation.

Steps taken

As a result of the attack, the Court said it is reinforcing its risk management framework and identifying actions and procedures to be ready to respond to any potential repercussions from the cyber-attack, including any potential security risk to victims and witnesses, Court officials and the Court’s operations.

As part of a broader assessment of potential actions by threat actors, the Court said it has also identified that disinformation campaigns targeting the ICC and its officials may be launched in an effort to tarnish the ICC’s image and delegitimise its activities.

The Court is also accelerating a number of existing initiatives aimed at enhancing digital security.

The ICC noted that this latest attack comes at a time of broader and heightened security concerns for the Court. For example, it said that:

  • Several elected officials, including Judges of the Court and the Prosecutor, have had criminal proceedings initiated against them (the officials impacted are investigating war crimes in Ukraine);
  • The Court has recently undergone daily and persistent attempts to attack and disrupt its systems;
  • The Court averted an almost successful attempt to infiltrate a hostile intelligence officer into the Court under the guise of an intern.

Data concern

The confirmation from the International Criminal Court that its hack was actually an espionage attempt, but that it has no evidence to suggest data was compromised, has prompted a response from William Wright, CEO of Closed Door Security.

“Given the information held by the ICC, this was never just a chance attack,” said Wright of Closed Door Security. “It was more likely planned by a nation state actor that knew exactly what they wanted and how to get it. We therefore shouldn’t take the statements too seriously that there is no evidence of data being compromised.”

“Whether data was exfiltrated, or simply viewed, some sophisticated nation-state adversaries can enter and exit systems without leaving a trace,” said Wright. “This means we may not understand the full extent of this attack until the criminals make it public or use it against the ICC.”

“This attack is another clear reminder that as cyber space becomes the playing field for all forms of criminals, organisations must improve their cyber defences,” said Wright.

“It’s not clear how criminals initially breached the ICC’s network, but the attack would most likely have been executed via phishing or by exploiting an unpatched vulnerability,” Wright concluded. “Prioritising security against these attack vectors is essential. This involves training employees frequently on security threats, while also keeping up to date with patch cycles and running pen tests on networks to unearth unknown weaknesses.”