Editor’s note: This article is the sixth installment of our Values in Foreign Policy Symposium.
“This is only a small part of this story.” In late March 2023, InformNapalm reported that the Ukrainian Cyber Resistance – a hacktivist organization with links to the Ukrainian government – had successfully breached and monitored the email account of Russian Air Force Colonel, Atroshchenko Sergey (Serhii) Valeriyovych. In addition to collating information from the colonel’s emails, the hacktivists posed as a Russian officer from the 960th Assault Aviation Regiment (headed by Atroshchenko) and initiated a conversation with Atroshchenko’s wife. For brevity, call this example Email Wives.
Via a series of emails, the hacktivists convinced the colonel’s wife to organise a “surprise” “Patriotic Photoshoot.” The photoshoot featured headshots of twelve wives wearing their Russian officer husbands’ dress uniforms – ranks and medals in clear view. It also included pictures of Russian jets painted with the symbol ‘Z’, a signal of support for the war in Ukraine. Using open-source intelligence – including photographs from the regiment’s New Year’s party – Ukrainian hacktivists were able to ascertain the identity of the Russian pilots.
Crucially, the colonel targeted was not just any Russian officer. Atroshchenko is an alleged war criminal, accused of ordering the indiscriminate targeting of a children’s hospital, art school, and “civilian-packed theatre in the city of Mariupol” in the first month of the unjust invasion. As part of the attack, approximately 600 people died – including minors. Such war crimes triggered calls for prosecution at the International Criminal Court.
According to the English comments responding to the covert cyber-enabled influence operation retweeted by Ariana Gic (with 38,600 Twitter followers), the hacking operation was widely celebrated. Fred Hoffman – a self-professed “Lifelong HUMINTer” and Professor of Intelligence Studies (with over 20,000 Twitter followers) – replied: “This is outstanding. I will go to sleep with a smile on my face now.” Other Twitter users commented: “Well Played.”, “This is awesome.”, “My God that is brilliant!!”, and “Ukrainian Ingenuity [sic] knows no bounds”. InformNapalm decided “not publish the entire dump for the time being”. The hacktivists instead chose to keep secret from Russia the extent of the leak and, therefore, exactly how much Ukraine now knows about the 960th regiment.
At face value, the operation was a successful, and mildly amusing, 21st century example of tricking the enemy. Of course, deception in war is as old as war itself (mentioned by Sun Tzu as far back as the 5th century BCE). And ruses are, of course, legal in war (though perfidy – feigning to be a protected person in war, such as a member of the Red Cross or hors de combat, is not – and espionage is murkier still). During World War II (WWII), the Allies waged Operation Fortitude: a sophisticated deception campaign that employed fake tanks and airplanes, fabricated radio chatter, and decoys that convinced the Nazis that the D-Day landing would not take place at Normandy, but at Pas-de-Calais. In the on-going Ukraine-Russian conflict, Ukraine deceived Russia into depleting its cruise missile stocks by using wooden decoys mimicking U.S. rocket systems. Russian soldiers in Ukraine were also tricked into sharing their location after Ukrainian hackers created “honey pot” profiles of women on social media. But all these operations clearly targeted morally liable combatants in war: the decision-making political elites in the Third Reich (and the Nazi combatants fighting the war of aggression) and Russian soldiers discharging Vladimir Putin’s unjust invasion.
But Email Wives forewarns a development in war-time deception in two ways. First, the avenue through which such manipulation and covert influence was operationalized was not via traditional human intelligence (HUMINT) operations, but cyberspace. Unlike the (often) steep costs, risks, and harms tantamount with HUMINT operations, cyber intelligence (CYBINT) operations are relatively quick and easy. As such, it is reasonable to expect an increased rate of cyber deceit in war, with covert cyber influence operations able to target more individuals more efficiently and at a lower entry-point (relative to HUMINT). Second, the intended target for manipulation was not the regime or the military personnel, but the wives of the Russian pilots. These two features of such cyber deception – as per Email Wives – point to ethical questions, and policy implications, for the conduct of 21st century (cyber) wars.
The Russian language post from InformNapalm reads: “Hacking of the Russian war criminal, commander of military unit 75387, 960th assault aviation regiment of the Russian Federation, Colonel Serhii Atroshchenko. The aviation regiment of which is stationed at the airfield on the outskirts of the city of Primorsko-Akhtarsk. An exclusive publication based on the results of our joint work was published on the website of our friends from the international intelligence community InformNapalm. Intelligence volunteers investigated the dumps and conducted reconnaissance using OSINT techniques” (Source: Telegram).
Benefits of Cyber Deception
Email Wives constitutes a move beyond strictly CYBINT operations – that is, breaching secure networks and gathering evidence or data via cyberspace. The hackers did conduct traditional CYBINT operations by closely monitoring the colonel’s email activity: the Ukrainian Cyber Resistance obtained the colonel’s home location, date of birth, phone number, government documents, troop movements, data on Russian military equipment, and even his COVID-19 vaccination status. Email Wives also did not involve manipulating the code within the network infrastructure itself being manipulated such that the system malfunctions – what Cécile Fabre regards as cyber sabotage (as per Stuxnet). Rather, the Ukrainian Cyber Resistance manipulated the human beings receiving the fabricated emails, encouraging them to act in ways they would not otherwise. In short, the Russian airmen’s wives were doxed: they unwittingly provided highly sensitive data about their husbands as a result of the fabricated emails.
To be sure, covert influence operations have long been employed by warring parties. Yet there are ostensible benefits for this kind of cyber deceit over that of traditional HUMINT operations. First, this kind of operation is relatively harmless. It did not place the partners of Russian pilots in imminent physical danger. (This is assuming that there has been no severe punitive action launched by the Kremlin upon suspecting that the wives knew the ‘Patriotic Photoshoot’ would subvert the war effort.) The cyber manipulation operation did not physically endanger the military wives (or their families), as HUMINT operations might.
Second, the cyber operation was comparatively quick. There was no significant time investment: a series of email correspondences emanating from “secure” Russian emails sufficed. Perhaps a longer-term communication with the Russian colonel’s wife may have been fruitful in yielding on-going intelligence via manipulation or blackmail. However, the kind of expediency of the cyber operation in war is surely a benefit – at least in terms of gaining the identity of those pilots involved in the bombing of Mariupol.
Third, and similarly Email Wives was relatively low stakes. HUMINT operations often play a notoriously long-game. The operative in the field must 1) seemingly serendipitously meet the wife, or come to know the wife through unsuspecting means, and 2) build trust over weeks and months, if not years, to be successful. Duping someone through cyberspace is comparatively less damaging than building a relationship with an individual and then (perhaps devastatingly) betray that confidence.
Fourth, again compared to HUMINT, the cyber operation was presumably inexpensive. It was certainly unlikely to cost close to HUMINT operations that involve training the operative, planting the operative, setting the operative up with a plausible backstory, covert communication technology, an escape route, and so on.
Fifth, and finally, Email Wives was a safe operation for the Ukrainian Cyber Resistance operatives themselves. Conducting the mission at a safe, unknown distance, behind screens and keyboards, the Cyber Resistance fighters of the war-effort are afforded a large degree of anonymity and physical protection (again, relative to HUMINT).
Given these purported benefits, such cyber manipulation operations seem ideal compared to lengthy, expensive, and risky HUMINT missions in war. In light of such undertakings being further away from the battlefield (with hackers operating in safe spaces) and being less costly, time-intensive, and harmful, it is reasonable to expect an uptick in such operations.
Nonetheless, there are important questions pertinent to ethics of war that arise from covert cyber-enabled manipulation operations like Email Wives. Notably: Are the spouses of Russian Air Force members legitimate targets for cyber deception?
Cyber Targeting of Military Spouses in War
Of course, being married to military personnel does not render partners legitimate military targets, and so the wives would not constitute combatants liable to intentional physical attacks. But could it be ethically permissible (or even required) to target such civilians through cyber deception? In other words: are wives of military members afforded protection from traditional, kinetic military operations (including cyber operations that result in kinetic effects), but not covert cyber-enabled influence operations? Do such relationships with Russian military members implicate wives in the conduct of war enough to warrant this kind of (minimal) cyber interference? There is little doubt of Atroshchenko’s moral liability to kinetic attacks and cyber attacks. He is a high-ranking combatant, waging an illegal and unjust invasion, and has been accused of perpetrating war crimes. But his wife? And the wives of the other Russian pilots? While a parallel may be made with traditional wire-tapping private phone calls, this operation moves beyond merely information gathering and into the space of actively manipulating family members in war as per covert influence operations.
Literature on the ethics of covert influence has highlighted the moral wrongs of manipulation. For instance, Charles R. Beitz writes that the “distinctive evil of manipulation derives from the fact that by attempting to hide the exercise of power… [it] enlist[s] a person’s capacity for self-determination in the service of goals which are not, or not necessarily, the person’s own.” Essentially, covert influence and manipulation undermines the individual’s autonomy and agency – something which is typically considered a priori morally abhorrent. Despite this, covert action and what the Russians call ‘active measures’ (aktivnyye meropriyatiya) has also been a long-standing feature in competition and conflict, including (or perhaps especially) against average citizens.
Partners might be ethically subjected to the chicanery and manipulation featured in Email Wives because they (unlike their children, for instance) know full-well that their spouses are military members and are ostensibly consenting to supporting such a career by remaining with their partner. Further still, the Russian women are married to military personnel who are fighting on the ‘unjust’ side in war (which, according to Just War revisionists, has important implications regarding the moral status of combatants). Yet, the partners’ knowledge of the particular operation against Mariupol is more difficult to confirm, due to security requirements that would likely prohibit their partners from discussing individual missions. It is not clear the military wives and girlfriends were aware their partners were following orders that amounted to war crimes.
More disconcertingly is that InformNapalm – the “International Volunteer Community” – released intimate photos of Atroshchenko’s wife in lingerie. Lilia Aleksandrovna Atroshchenko would send “photo surprises” to her husband. Under the subheading “Acquaintance with Atroshchenko’s wife,” InformNapalm included “more or less decent photos” with Lilia Atroshchenko posed on a couch in very little clothing. The hackers implied they had even more personal (read: explicit) photos of Lilia they could disclose.
Obtaining such intelligence is one thing; disseminating such photos – a violation of Lilia Atroshchenko’s privacy (not her husband’s) – is another. Are wives (and partners) in war ethically liable to having such images of themselves posted online without consent? Was posting of some photos of Lilia (and the note that these were the more “decent” photos the hackers had obtained) intended to serve as blackmail or ‘sextortion’ to coerce Atroshchenko to (potentially) pass along additional sensitive information to bulwark against more photos being uploaded? Might this be morally acceptable? Or is this a somewhat warped form of ‘revenge porn’ of military members’ spouses that might be morally permitted in conflict? There may be a parallel here with the physical printing and showcasing of intimate photos à la HUMINT. However, the posting of Lilia’s photos online allows for greater reach via the initial website and it is easier to download the photo and repost across different websites. What we post may not be “digitally permanent” (once it’s online, it is there forever), but it is more difficult to windback.
Further, the cyber operation itself placed the wives in little danger (relative to HUMINT operations). However, they would have likely experienced extreme humiliation upon realizing they had been played. For Atroshchenko’s wife, the non-consensual uploading of pictures intended for her husband’s eyes only would also conceivably prompt feelings of ignominy. Further, as mentioned earlier, the wives may also face intense interrogation by the Russian Security Service (the FSB), potentially being accused of intentionally disclosing sensitive information pertaining to their husbands. Hopefully, none of the wives succumb to the bizarre “accidents,” “illness,” and “murder-suicides” that have befallen businessmen in Russia since the February 2022 invasion. Moreover – now that InformNapalm has publicly disclosed the colonel’s home address, and his wife’s phone number, email, passport number, and telephone numbers – others in the Russian community may seek retribution. Indeed, one Twitter user commenting on the operation alluded to this: “Thoughts and prayers, every time she [Lilia] walks past a window”. (Lilia Atroshchenko also had her email account hacked, and it is unclear what the hacktivists found there).
Should the disclosure of such intelligence actually facilitate the (lethal) targeting of their husbands, the women would likely be susceptible to “moral injury.” Moral injury is the extreme amount of guilt and shame arising from perpetrating an act (or failing to prevent an act) that the individual perceives to be morally impermissible – for instance, providing information that had a hand in facilitating the demise of their loved ones.
To be clear, an argument could, and perhaps should, be made that this level of harm experienced by civilians married to war criminals is proportionate to the ends being achieved. The harm felt by military spouses – otherwise hitherto protected from military operations – is proportional to the ends being sought. Even if spouses are not morally liable to be intentionally targeted, the operation may still satisfy what Jeff McMahan refers to as wide proportionality: that is, the moral goods resulting from harming non-liable persons (in this case, the Russian wives) overrides that person’s moral right not to be harmed. This is opposed to McMahan’s concept of narrow proportionality, which refers to the harm morally liable persons, such as Russian pilots in war, may permissibly experience. Cyber manipulation of this kind may simply be a low-stakes case of collateral damage and/or doctrine of double effect within just war theory deliberations.
Email Wives prompts a further question requiring philosophical deliberation: If we are permissibly extending the purview of targeting, who else might be a legitimate person for such cyber manipulation operations in war? During the Vietnam war, the United States dropped billions of leaflets; some intentionally appealed to children, requesting information on Vietcong weapons in exchange for monetary prizes. Arguments against targeting military members’ under-age children might be made because – as minors – they lack autonomy and agency relative to wives. But what of military member’s adult children, or their (elderly, and perhaps less cyber savvy) parents?
Though somewhat humorous, Email Wives epitomises the blurring of the lines between those who may be ethically susceptible for subterfuge in the Russia-Ukraine conflict and how (notably, via cyberspace), thereby blurring the “front line” with the “home front.” Of course, for Ukrainians, the front line is the home front. And their experiences are far worse than that of the Russian Air Force members’ wives. Should the targeting and manipulation of spouses of war be deemed ethically permissible – even required – then the United States (and Ukraine) needs to prepare military spouses and families that they, too, may be targeted via cyberspace.
Preparing Military Families for Cyber Deception Campaigns
To reiterate, Email Wives is hardly the first – or the last – time states at war will attempt to deceive their adversaries. As the world’s second oldest professions, spies have long sought to infiltrate and influence family members of military personnel in war. Indeed, allied propaganda posters during World War II, such as “Loose Lips Sink Ships” aimed to discourage the broader civilian population, including family members, from refraining from discussing potentially sensitive topics in public.
But cyber manipulation campaigns like Email Wives represent a simpler, cheaper, quicker, and potentially safer means of tricking the enemy compared to traditional HUMINT operations. As such, cyber manipulation will likely be used more frequently to target civilians in war. With the advent of ChatGTP, some are warning that online scams are going to become even more efficacious and widespread, especially as AI systems become “more human than human” and mimic human behaviours in a bid to gain trust.
The question remains: Are military family members legitimate targets for cyber manipulation operations in contemporary conflicts?
If the answer is yes, then states committed to upholding the liberal democratic order must be prepared to accept that their own military members’ spouses, siblings, parents, or children similarly may be deceived and humiliated online.
Greater attention must be afforded to adequately preparing military relatives for targeted cyber deception campaigns. Spouses are already primed not to post sensitive information pertaining to their partners on social media. But what is required is a mandatory threat assessment training regarding offensive, covert cyber operations for (what militaries call) “dependents” to bulwark against operations like Email Wives. After all, should such campaigns be considered ethically acceptable or even celebrated in war, then we must be wary of what this means for service member families back home.
Of course, the cyber front of the conflict has its clear benefits: collating information, influencing adversaries, and – ideally – “identify[ing] and bring[ing] Russian war criminals to justice.” Such cyber manipulations operations are expected to increase as the war rages on into its second brutal year. But if these operations are widely regarded as morally permissible, or even desirable, then military families everywhere are fair game. The United States and its allies should prepare them for what comes next.