Following the invasion of Ukraine, activist group Anonymous organized numerous cyberattacks against the Russian Federation. The group’s “Operation Russia” redefined civilian cyberwarfare — and made plenty of headlines along the way.
Some of the attacks have exposed surprising weaknesses in Russia’s cyberdefenses:
- In February 2022, Anonymous reportedly took down more than 300 websites of Russian government agencies, banks, and state media outlets.
- The group has also claimed responsibility for hacking several Russian state TV channels and replacing the programming with pro-Ukrainian content.
- In March 2022, Anonymous reportedly hacked Russian President Vladimir Putin’s $100 million yacht, altering its callsign to “FCKPTN” and changing its target destination to “hell.”
Operation Russia is ongoing, and Anonymous has pledged to continue the attacks until Russia ceases its invasion. That prompts an important question: As effective as Anonymous has been, are their actions legal?
Cyberattacks on Russia probably violate national law, but arrests may be unlikely.
Civilian cyber attacks (or “hacktivist” attacks) are almost certainly illegal, as Anonymous members have acknowledged in public statements.
“While some of our actions may be considered illegal in the eyes of various governments, we […] see no reason any western laws should be used against our actions,” the group said in a YouTube video.
Those “western laws” include the Computer Fraud and Abuse Act (18 USC 1030), a broad statute that prohibits citizens from intentionally accessing a computer without authorization. Penalties for violations include fines and imprisonment.
But many cybersecurity researchers believe that the federal government won’t take action against anti-Russian hacktivists. Shmuel Gihon of Cyberint, a threat intelligence consultancy, told CNBC that Anonymous’s attacks have been remarkably effective — and the federal government probably isn’t rushing to stop the crowd-sourced attacks.
“A lot of the people that they’ve compromised are sponsored by the Russian government,” Gihon said. “I don’t see how these people are going to be arrested anytime soon.”
That doesn’t mean that the United States endorses cyberattacks performed by private citizens. Certain actions may compromise legitimate U.S. intelligence efforts. For example, if a private attacker disables a military system that was already infiltrated by federal intelligence teams, the U.S. government may lose access to valuable data.
Private cyberattackers may be subject to international law.
When a private party engages in cyberwarfare, their activities are subject to the international law of armed conflict and humanitarian law. Groups like Anonymous are essentially acting in a military capacity on behalf of Ukraine.
By engaging in cyber operations, private actors become legitimate targets for Russian counter offensives. In other words, international law would allow Russia to launch a cyberattack against the attackers — regardless of whether their home country is neutral.
And if a country fails to prevent private cyberattacks, its neutrality can come into question. Of course, that’s less of a concern in the current conflict — the United States is hardly neutral in its support of Ukraine — but nations may need to think about how they handle private cyberwarfare in the future.
Ultimately, many of Anonymous’s actions are illegal under U.S. national law and international law. However, enforcement is unlikely, provided that the group continues to choose legitimate targets — and as long as they don’t interfere with the federal government’s cyberintelligence efforts.