Legal Qualification of Cyberattacks on Ukraine’s Information and Communication Systems
Article 361 of the Criminal Code of Ukraine (CCU) establishes criminal liability for unauthorized interference with the operation of computers, automated systems, computer networks, or communication networks if it leads to leakage, loss, falsification of information, or disruption of system operations. In the context of full-scale aggression, this article is the primary instrument for holding accountable those responsible for large-scale cyberattacks targeting critical infrastructure (energy systems, banks, transport) and Ukrainian state authorities.
Key Provisions of Article 361 (CCU)
- Part 1 (Basic Offense): Unauthorized interference (Punishment: Fine or restriction of liberty up to 3 years).
- Part 2 (Qualified Offense): Repeated acts, committed by prior conspiracy of a group, or causing significant damage (Punishment: Imprisonment from 3 to 6 years).
- Part 3 (Severe Offense): Committed by an organized group, or causing severe consequences (Punishment: Imprisonment from 6 to 10 years).
Cyberwarfare and Critical Infrastructure: Cyberattacks conducted by hacker groups linked to Russian intelligence services (GRU, FSB, SVR) often employ wiper attacks and DDoS attacks to disrupt government registries, banking, and energy systems. Real examples include NotPetya virus attacks aimed at Ukrainian banking systems in 2017–2022, and attempts to block government portals from 2022–2025. Such acts are always qualified under Part 3 of Article 361 CCU as committed by an organized group and resulting in severe consequences for national security.
Evidence of Violation (Large-Scale Cyberattacks)
- Attacks on the Energy System: Interference with SCADA systems, regional power outages, and threats to civilian safety (example: attacks on Ukraine’s energy grid in winter 2022–2023).
- Blocking State Resources: Destruction or denial of access to critical state registries, including the Ministry of Justice and the State Tax Service.
- Distribution of Malicious Software: Use of programs like NotPetya, HermeticWiper, and similar wiper programs causing irreversible damage to systems and data.
Connection with Other Articles
- Article 111 CCU (High Treason) — if a cyberattack is conducted by a Ukrainian citizen to the detriment of sovereignty, territorial integrity, or defense capability.
- Article 438 CCU (Violation of the Laws and Customs of War) — if the cyberattack deliberately disrupts critical civilian infrastructure.
- Article 363 CCU (Violation of Operational Rules...) — as a lesser offense for local incidents.
Legal Consequences
Sanctions under Article 361 CCU, especially Part 3 (up to 10 years imprisonment), allow strict punishment for those involved in cyber aggression. These cases also contribute to the evidentiary basis for crimes of aggression and war crimes in international courts, including the ICC and tribunals for Ukraine.
Sources
- Criminal Code of Ukraine: Article 361 (Text)
- Related Article: Article 438 CCU (Violation of the Laws of War) →
- Related Article: Article 111 CCU (High Treason) →
© 2001 — Criminal Code of Ukraine. Analysis of Violations.
Source: The Aggression Archive