Editors’ note: In this two-part series, Professor Gary Corn examines law of armed conflict issues arising from cyber operations conducted during the recent conflict between Israel and Iran.

With little fanfare, the traditional line between public and private war was just blurred yet again. Israel’s intense air strikes against Iran—capped off by the U.S. Operation Midnight Hammer—have understandably garnered the lion’s share of attention. Yet a significant cyber component of the conflict has flown somewhat under the radar. According to multiple sources, “hackers, patriotic hacktivists, online propagandists and opportunistic cybercriminals” somehow “linked” to both Iran and Israel were actively targeting the opposing sides throughout the so-called 12-Day War.

This should come as no surprise. Iran and Israel are both sophisticated cyber actors and have been exchanging cyber fires for years—directly and through proxies—including sabotage operations involving destructive physical effects (see e.g., here and here). Given the intensely adversarial relationship between Iran and Israel over many decades that has cycled through periods of escalation, covert proxy-conflict, and open warfare, much of this hostile cyber activity has taken place in the proverbial gray zone—what one Articles of War author aptly described as “that messy middle between war and peace” (see also, e.g., here and here)—defying easy characterization under international law.

In contrast, the current spate of hostile cyber activity has occurred in the context of and in relation to open warfare, where the applicability of the law of armed conflict (LOAC) offers, at least in theory, a greater degree of legal certainty. However, given the character of many of the actors engaged in these operations, and the nature of the operations themselves, it can be said that they are operating in the margins of LOAC, where legal uncertainty still predominates.

While one would expect that Israel and Iran have both leveraged organic cyber capabilities to conduct operations directly, for obvious reasons there is scant reporting available to confirm this. What has emerged is evidence of numerous independent, or perhaps loosely State-affiliated groups conducting a range of cyber operations, from espionage to information operations to disruptive and destructive effects operations against one side or the other of the conflict. For example, by some estimates, there are now upwards of 170 “hacking groups” targeting Israel and 55 targeting Iran, with hostile operations surging substantially in June in connection with the 12-Day War. This is consistent with a growing trend of private or semi-private actors engaging, either directly or indirectly depending on one’s interpretation, in hostilities, witnessed in relation to the Russia-Ukraine conflict as well. This trend is muddying the factual and legal battlespace of modern warfare.

Though the discussion that follows is potentially relevant to assessing the legal implications of any of these groups’ actions, this post focuses on reporting about a pro-Israeli group known as Predatory Sparrow. This choice is based only on the detail of the reporting about the group’s operations; not on any relative value judgments about the legitimacy of any of these non-State hacking groups or their actions. Indeed, according to publicly available information, pro-Iranian groups have been aggressively targeting Israel at a substantially higher rate, although according to some those operations have been “lower in profile and mostly psychological in effect.”

Who Is Predatory Sparrow?

Predatory Sparrow has been on the scene since at least 2021, when it was first associated with operations targeting Iran’s critical infrastructure. It has been assessed as being behind, and at times has claimed credit for, a spate of disruptive and destructive operations against, inter alia, Iran’s transportation sector (2021), its petrol distribution infrastructure (2021 and 2023), its state media infrastructure (2021) and its steel manufacturing capacity when it caused a fire in a plant in Khuzestan (2022).

Often using its Farsi name, Gonjeshke Darande, it has at times claimed to be an Iranian entity “defending Iran’s citizens against the ‘aggression of the Islamic Republic’ through targeted cyber operations.” However, many assessments (e.g., here, here, here, and here) consider it to be a pro-Israeli group and, based on the level of sophistication and skill it demonstrates, possibly enabled by or even under the effective control of the Israeli government. But the evidence to support these claims, especially the attribution to the Israeli government, is at best inconclusive.

And now, four days after Israel launched Operation Rising Lion, Predatory Sparrow claimed to be behind a series of cyber disruptions of Iranian financial infrastructure, stating on X:

We, “Gonjeshke Darande”, conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ “Bank Sepah.”

“Bank Sepah” was an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.

This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies.

According to some reporting, Bank Sepah services Iran’s armed forces and facilitates their payment of suppliers and proxies abroad. It is under U.S. sanctions for being the “financial linchpin of Iran’s missile procurement network … .” The apparent cyber operation caused widespread service outages, with Iranian media reporting that customers were unable to access accounts, withdraw cash or use bank cards. Gas stations that rely on the Bank’s payment processing infrastructure were also impacted. Bank Sepah acknowledged the cyber disruption, as did the Iranian government when announcing it had imposed a near total Internet blackout on the country. Although few forensic details of the operation have emerged, Predatory Sparrow’s claim to have “destroyed” the bank’s data is consistent with its past use of wiper malware.

One day later, Predatory Sparrow announced it had also targeted Iran’s largest cryptocurrency exchange, Nobitex, draining around $90 million, transferring the funds to various vanity addresses with some variation of “F–kIRGCterrorists,” and posting the exchange’s source code on X. As with Bank Sepah, Predatory Sparrow claimed in its X post that the “Nobitex exchange is at the heart of the regime’s efforts to finance terror worldwide, as well as being the regime’s favorite sanctions violation tool,” a claim corroborated by independent analysis. The transfer of the funds into public wallets effectively “burned” them.

LOAC Framing

The latest iteration of the long-simmering conflict between Israel and Iran began on 13 June when Israel launched Operation Rising Lion, marked predominantly by multiple airstrikes aimed at destroying or significantly degrading Iran’s nuclear weapons program. Shortly after the United States conducted its massive strikes on the Fordow, Natanz, and Isfahan nuclear sites, the parties entered a general, de facto ceasefire, which has loosely held since 25 June. Setting aside debates over the underlying international legal basis for the Israeli and U.S. operations (e.g., here, here, and here), there can be no question that, at least as of 13 June, Israel and Iran were engaged in an international armed conflict (IAC) (and, notwithstanding the ceasefire, likely remain in a state of armed conflict, as there has not yet been a general close of all military operations (GC IV, Art. 6(2); AP I, Art. 3(b), and here)).

As reported, the effects of Predatory Sparrow’s operations manifested sometime between 13 and 17 June, making LOAC the most relevant body of international law for assessing the legal implications of its actions. It should be noted, however, that given the level of sophistication of these operations, and Predatory Sparrow’s history of cyber activity, it is highly likely that they began operational preparation sometime prior to the 13th. Pinpointing both the nature of these preparatory actions as well as the point at which the armed conflict in fact started would thus be important to analyzing a victim State’s options to counter them.

For example, as set out in more detail below, whether members of a group like Predatory Sparrow or the cyber infrastructure they use could be lawfully targeted with lethal force or destructive denial effects, respectively, might turn on whether they constitute a non-State organized armed group or are otherwise directly participating in hostilities.

Where Predatory Sparrow or the cyber infrastructure it uses is located will also likely implicate unresolved questions of how the law of neutrality applies generally, and specifically in the cyber context, as well as how it relates to general public international law rules of State responsibility (see e.g., here). These legal gaps and seams become even murkier where a presumptive non-State actor such as Predatory Sparrow is engaged in hostile operations, preparatory or otherwise, during a period of escalation precedent to an IAC where a victim State may look to counter those operations, including by forcible measures.

Predatory Sparrow – Operating in the LOAC Gray Zone of Status

As noted, the exact nature of the relationship between Predatory Sparrow and the Israeli government, let alone the Israel Defense Forces, is at best a matter of conjecture. Yet its linkage, or lack thereof, to the Israeli State has significant legal implications. With respect to LOAC, as I’ve set out in a previous post,

The architecture of LOAC and its protective regimes are built on a schema of distinct categories of persons, dividing them neatly—at least in theory—into civilians, combatants, and non-combatants [and possibly unprivileged belligerents]. Since at least the Treaty of Westphalia and the consolidation of the legal monopoly of violence in the sovereign, the law has recognized that with very limited exception, only members of a State’s armed forces, that is, “those by whose agency the sovereign makes war,” are imbued with the “privilege” to participate in hostilities. In return, only combatants benefit from the attendant immunity from criminal sanction for doing so. Civilians [and unprivileged belligerents], on the other hand, lack this “privilege” to participate directly in hostilities and their life should thus be respected and protected [so long as they refrain from participating directly in the hostilities].

In essence, combatants are members of specifically designated classes of organized armed groups (OAG)—armed forces, militias, volunteer corps, and resistance movements—that are “sanctioned by and operating as agents of a State Party to a conflict . . .” (GC III, art. 4A(1)(2)(3)(6); AP I, art. 43). That is, such OAGs “must in fact fight on behalf of” the State in question, which itself “must accept both the fighting role of the group and the fact that the fighting is done on its behalf.” (International Committee of the Red Cross, 2020 GC III Commentary, para. 1005).

If evidence exists to qualify Predatory Sparrow and its members as such an entity, the immediate consequence would be to render them and their infrastructure legitimate objects of attack. Whether its members, if captured, would qualify for prisoner of war (PoW) status and the attendant privilege of immunity is a grayer question that would require further factual and legal unpacking. For example, PoW status would presumptively depend on whether the group or its individual members adhere to the four criteria of Article 4A(2) of the GPW, including having a fixed distinctive sign recognizable at a distance and that of carrying arms openly (GC III, art. 4A(2)). The amorphous, covert nature of the group’s operational modus operandi suggests they don’t, such that even if Predatory Sparrow is a State OAG, its members are acting as unprivileged spies or saboteurs (U.S. Department of Defense (DoD), Law of War Manual, para. 4.17).

However, setting aside debates over whether the “four criteria” of Article 4A(2) apply only to members of militias and volunteer corps, some experts question whether the criteria must be strictly adhered to in the cyber context, where an operator’s failure to wear a uniform, for example, would not immediately undermine the principle of distinction (Tallinn Manual 2.0, rule 87, commentary). And regardless of this minority view, it is far from certain how the general proposition that combatants that engage in spying or sabotage incur no responsibility or liability for previous acts of espionage once they “return to friendly lines,” (DoD, Law of War Manual, § 4.17.5.1 (emphasis added)) applies when “enemy lines” are crossed only virtually.

Thus, even if acting as an Israeli State organ, Predatory Sparrow’s LOAC status—for purposes of detention and prosecution—is far from clear. But given the paucity of evidence connecting Predatory Sparrow to the Israeli armed forces, and consistent with the treaty and customary international law presumption of civilian status in the face of doubt (DoD, Law of War Manual, § 5.4.3.2; AP I, art. 50(1)), those (presumably Iranian) forces that might conduct operations against them should consider them as civilians (possibly participating directly in the hostilities) or, possibly, as members of a non-State OAG, i.e., unprivileged belligerents. While LOAC does not prohibit per se engaging in such unprivileged or “private” belligerent acts, “the legal [and by extension, operational] consequences of participation differ, based on the nature of the armed conflict and the category to which an individual belongs.” (Tallinn Manual 2.0, rule 86).

Targetability

A determination that members of Predatory Sparrow are not combatants does not automatically cloak them with general protection against being made the object of attack. In fact, the reality is quite the opposite and highlights a primary, inherent risk of “private cyber warriors” involving themselves in armed conflicts. They potentially place themselves and other unwitting civilians directly in the line of fire.

It is axiomatic that, as a matter of both treaty and customary international law, civilians who take a direct part in hostilities (DPH) forfeit entitlement to that protection for such time as they do so, and need not factor into an attacker’s proportionality assessment (AP I, art. 51.3). And for States that share the U.S. view that members of non-State OAGs are unprivileged belligerents targetable based solely on that status, nuanced parsing of individual conduct technically falls by the wayside.

In either case, the door to lethal targeting is more than jarred open. But, as I previously noted here, not to the same extent, which matters.

As the DoD Law of War Manual notes, for purposes of targeting, whether resistance forces [or private cyber warriors] are considered civilians directly participating in hostilities or unprivileged members of an OAG, the consequence is essentially the same: “[both civilians directly participating in hostilities and] members of hostile, non-State armed groups may be made the object of attack unless they are placed hors de combat.” As U.S. experience over the last two decades has borne out, this may be true as a practical matter at the level of tactical combat engagements. But it is a misleading overstatement. Unlike members of a belligerent force, civilians are presumed inoffensive and shielded from attack, unless they engage in specific, identifiable conduct that temporarily strips them of that protection. This is a far more constrained targeting authority than the quote above implies, and certainly in the context of deliberate targeting decisions, placing an individual on a strike list requires different, and periodically updated, validation of continued targetability.

Much has been written over the last decades regarding the ill-defined parameters of the so-called DPH rule and the wide divergence of approaches States take to its interpretation and application. Similarly, there remains significant divergence among States over the validity of applying status-based targeting regimes to non-State actors of any ilk, over the definition of non-State OAGs, and over the standards for establishing membership therein. Again, much ink has been spilled over these questions, and detailing the debates is beyond the breadth of this post. Suffice to say that these are some of the most consequential LOAC gray zones, which grow more, not less, opaque with the introduction of new technologies such as cyber.

Given the nature of cyberspace, it may well be the case that geographic distance from a theatre of active hostilities will measurably reduce the actual (not legally possible) risk of private cyber warriors coming under lethal attack. But each conflict is different, including the geography of warfare. And as various recent examples demonstrate, technologies are constantly extending the reach, depth and precision of surveillance and strike capabilities. And of course, geographic remoteness is not an effective barrier against targeting cyber infrastructure.

In terms of civilian harm risks, it goes without saying that Predatory Sparrow’s capability and capacity to conduct its operations are entirely dependent on leveraging cyber infrastructure. The tactics, techniques, and procedures (TTPs, to borrow from U.S. jargon) of cyber operations are a complex subject, with each operation requiring in-depth factual details to support accurate legal analysis. What matters here is the obvious recognition that to conduct its cyber operations, Predatory Sparrow undoubtedly leverages and maneuvers through civilian cyberspace. This places counter-cyber disruption operations against those components of cyberspace squarely on the table, up to and potentially including destructive attacks against infrastructure meeting the definition of military objective (AP I, art. 52.2).

Deferring to a follow-on post a discussion of the risks to civilians and civilian infrastructure and the uncertain LOAC implications Predatory Sparrow’s operations may themselves present, the fact that they trigger the distinct possibility of counter strikes, cyber or kinetic, cannot be dismissed lightly. With the expansion of armed conflict generally into the civilian ether, threshold definitions and understandings of LOAC’s protective regimes, especially around the rules regulating means and methods of warfare, are trending further into the gray zone of divergence and uncertainty. In terms of the operational environments U.S. and other armed forces need to prepare for, this is increasingly the new normal, requiring adaptive operational approaches and adaptations across the spectrum of doctrine, organization, training, materiel, leadership and education, personnel, facilities and policy (DOTMLPF-P).

***

Gary Corn is the Director of the Technology, Law & Security Program and Adjunct Professor of Cyber and National Security Law at the American University Washington College of Law.

The views expressed are those of the author, and do not necessarily reflect the views or official position of the United States Military Academy, Department of the Army, Department of Defense or its components.

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published.