Skip to main content

The Ukraine War & Cyberattacks Targeting Refugees and Humanitarian Organizations

August 7, 2023


Levi Howard

In February of 2022, Russian President Vladimir Putin launched a full-scale military invasion of Ukraine. Moments before the attack, President Putin went on TV and declared that modern Ukraine posed a constant threat and obstructed Russia from its ability to “feel safe, develop, and exist”.[1] Russia’s invasion of Ukraine marked a dramatic escalation of an eight-year-old conflict that began with Russia’s annexation of Crimea and has signified a historic turning point in European and global security.[2] Since the invasion, more than eight million people have fled the country, triggering Europe’s largest refugee crisis since World War II. Countries near Ukraine have been faced with tackling the task of accommodating millions of refugees, while international organizations have sent billions of dollars in aid in an attempt to temper the challenges that displaced people in the region are facing.[3]

The war in Ukraine sparked a rapid and broad mobilization of non-governmental organizations (NGOs) looking to provide support for the people impacted by the conflict. Existing NGOs in Ukraine have created clusters and systems of working together while also directing foreign NGO groups to provide direct assistance. Apart from direct humanitarian aid, NGOs have been working to raise awareness about the dire situation via social media and other internet sources.[4]

With the digitization of humanitarian and defense efforts, and an increase in cyber warfare, cybersecurity has played an unprecedentedly critical role in this conflict. In response, Ukrainian and volunteer cybersecurity divisions have worked to combat thousands of Russian cyberattacks. Compounded with the chaos of war, it is hard to pinpoint exactly what damage these attacks have done, especially the early Russian wiper campaigns which hit before Ukraine transitioned from local data centers to cloud infrastructure.[5] This has raised new questions regarding how cyberattacks should be considered and prosecuted in a time of war, especially in relation to the targeting of NGOs and humanitarian efforts, which is forbidden under international law.[6]

What is the Humanitarian Crisis in Ukraine?

According to the UN Refugee Agency more than 13 million people have been displaced since the invasion of Ukraine, making up nearly a third of Ukraine’s prewar population.[7] Of those displaced, more than five million are internally displaced within Ukraine, while over eight million have fled to neighboring countries. In comparison, Europe saw one million refugees during the 2015 wave of migration from Africa and the Middle East and up to four million refugees during the Yugoslav Wars of the 1990s.[8]

Several factors have contributed to the massive influx of refugees into other nations fleeing Ukraine. The nature of the Russian invasion has mobilized people to escape. It has included simultaneous land and air attacks coupled with heavy barrages of often imprecise artillery that have led to many civilian casualties.[9] Additionally, there have been extended blockades of cities preventing the transport of food and water,[10] as well as the reported killing, rape, and torture of civilians — such as the widely reported atrocities in the city of Bucha.[11] The violence has led people to flee in fear for their safety and survival. In addition to these threats, Russian attacks have caused tremendous damage to Ukraine’s infrastructure. Airstrikes have hit hospitals, residential neighborhoods, and apartment buildings. Russia has also targeted Ukrainian power plants. During Ukrainian President Volodymyr Zelenskyys’ meeting with United States’ President Joe Biden in December 2022, Zelenskyy asked for emergency aid to keep the country’s power grid operational. At the time of the meeting 17 million Ukrainians had been left without electricity, heat, and water during frigid winter temperatures.[12]

In response to the flow of refugees, Poland and other EU member states significantly simplified the rules of entry for refugees. Their policy changes removed many legal barriers to the mobility of people who were looking for shelter.[13] The removal of legal barriers has aided Ukrainians displaced by the war by making it easier to flee to neighboring nations. However, not only has Russia carried out physical attacks against Ukraine causing the refugee crisis, but it has also made the situation more chaotic by undermining aid efforts through cyberattacks.

Cyberattacks Affecting Refugees

The Ukrainian refugee crisis has been exacerbated by cyberattacks targeted at refugees and immigration systems. During and following the mass movement of Ukrainian refugees out of the country, hackers affiliated with the Russian Federation and with links to Belarus began carrying out cyberattacks with intent to steal refugee data, cause fear and panic through the spread of disinformation, and slow refugee movement.

The exploitation of information on refugee movements in Europe for disinformation purposes is a part of Russian and Belarusian state techniques.[14] In March 2022, phishing attacks that appeared to come from the country’s security services were launched on targets across Ukraine, appearing to offer information on evacuation plans. The phishing emails were sent via Gmail and contained a message that asked targets for evacuation plans. Attached to the emails was a document that was later found to contain malware. Researchers from the Slovakia-based internet security company ESET found that the malware was based on Microsoft’s Remote Utilities software for Windows, allowing outside access to computers.[15] The effectiveness of this phishing attack is unclear but the implications of such attacks are severe because of the potential mass data breaches that could greatly harm those fleeing the country.

Researchers at U.S.-based cybersecurity company Proofpoint confirmed that different “evacuation-themed” phishing attacks targeted an unnamed European government entity. Proofpoint security researchers looked at emails sent from a potentially compromised Ukrainian armed service member’s email, which targeted European government personnel involved in managing the logistics of refugees fleeing Ukraine. Proofpoint researchers said that there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.[16]

In January 2023, after millions of Ukrainians fled to neighboring countries to escape, a flood of emails containing false information was received by organizations working with refugees.[17] The emails warned that Ukrainian men of military age were scheduled to be rounded up and sent home. The emails further claimed that they would then be forced to fight against Russian troops, citing a supposed agreement between Ukraine and its allies. The email asked those who received it to immediately provide personal information and any known whereabouts of Ukrainians living nearby. The emails, which were posed to appear to be from official ministries in nearby countries, were fake. According to researchers at Mandiant, the messages came from a group called Ghostwriter. According to Jānis Sārts, the director of NATO’s Strategic Communications Center of Excellence, Ghostwriter is a Russian state-sponsored hacking group.[18] The goal of such attacks is to cause fear, panic, and confusion.

Russia has also carried out cyberattacks on Ukrainian border infrastructure, with the goal of disrupting refugee movements. On February 25, 2022, Russia carried out a wiper attack on border stations along Ukraine’s border with Romania. Because of the attacks, border agents were forced to process people using a pen and paper following system disruptions, greatly slowing flow across the border.[19] Multi-mile long lines exposed those fleeing to cold winter temperatures, making the process that more dangerous.

Cyberattacks Affecting NGOs

Non-governmental organizations (NGOs) working in Ukraine or serving Ukrainian refugees have also become targets of cyberattacks. The targeting of such organizations has raised serious questions under the Geneva Conventions about Russia’s cyberattacks on emergency response and humanitarian organizations.[20] Russia has carried out cyberattacks against NGOs in an attempt to deter reporting, steal information, and disrupt operations.

Insecurity Insight, a Switzerland-based non-profit that has done work documenting attacks by the Russian Federation on Ukrainian hospitals, was hit with a mass phishing campaign. Director of Insecurity Insight, Christina Wille, told CNN that she suspects the phishing campaign was meant to deter her team from reporting on Russia’s attacks on Ukraine.[21] Amazon’s cloud-computing division, Amazon Web Services (AWS), has partnered with Ukrainian IT organizations to fend off attacks and help protect organizations working in Ukraine. AWS has reported several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations working in Ukraine in order to spread confusion and cause disruption. In these particular cases, malware has been targeted at disrupting the distribution of medical supplies, food, and clothing for Ukrainians.[22]

Another phishing campaign discovered by cybersecurity firm Proofpoint, found that a likely state-sponsored attack used a compromised Ukrainian armed service member’s email account which included a malicious macro attachment to target European governments and personnel. The attachment, when clicked, would attempt to download a Lua-based malware that Proofpoint has named “SunSeed.” The entities and personnel targeted possessed a range of expertise and professional responsibilities, however there was a clear preference in targeting individuals operating in the spheres of transportation, financial and budget allocation, administration, and other logistics relating to refugees fleeing Ukraine.[23]

Cybersecurity experts are concerned that breaches of data on Ukrainian refugees held by NGOs now could be used to re-victimize people well into the future. Klara Jordan, who is the chief public policy officer at an organization that works to protect humanitarian aid groups from cyber threats, called the CyberPeace Institute, said that “There is your immediate safety, security life, and then there is actually, ‘How can cyberattacks repeat this harm over time with the data?’”[24] The war in Ukraine has shown the vulnerabilities of NGOs and other humanitarian aid groups in regards to cyberspace and the need to make cybersecurity a priority.

Ukraine, Cyberwar, & Human Rights Violations

NGOs and non-profits involved in humanitarian action are heavily dependent on mobile and digital technologies to coordinate and carry out their missions. One of the most important parts of being able to deliver humanitarian action is the ability to collect and manage data. Within the last decade there has been an increased reliance on technology to facilitate this work and to scale humanitarian capabilities. Communication systems, data collection tools, and even border infrastructure have been digitized. This has created a new layer of security risk within the humanitarian sector.[25] NGOs are significantly underfunded when it comes to addressing their cybersecurity vulnerabilities. NGOs have increasingly found themselves the targets of cyberattacks, either driven by the nature of their work, or as an easy target to extract ransom or fraudulently access funds.[26]

Cyberattacks targeting Ukrainian refugees also raise questions about how human rights law should be applied to the internet. Article 3 of the Geneva Convention outlines that in times of war, people who are not active in hostilities are to be protected from violence or torture, taking as hostages, degrading or humiliating treatment, and sentencing without trial by a regularly constituted court. Article 44 outlines that the same rules of protection apply to refugees, or those who do not enjoy the protection of any government.[27] The United Nations General Assembly on the promotion, protection and enjoyment of human rights on the internet, has made it clear that  international human rights that individuals enjoy ‘offline’ are also protected ‘online’.[28] According to the Tallinn Manual which is leading guidance on how international law applies to cyber conflicts and cyber warfare, both treaty and customary international human rights law apply to cyber-related activities.[29]  Cyberattacks against Ukrainian refugees have brought into question whether certain human rights reflected in treaty law have crystallized as rules of customary law, and whether aspects of human rights law is subject to variance when States and regional bodies interpret them in regards to cyber activities.[30]

The war in Ukraine has shown that the undefined regulation of cyber warfare, and the consequential lack of a template for successful prosecution, has set a precedent that allows global human rights to be violated without repercussions. Human rights identified and protected as a result of two world wars have been unraveled by this new sphere of combat, devoid of any system of accountability. Without change, cyber warfare will continue to violate the rights of global citizens and operate within a gray area of jurisdiction and regulation.


[1] Kirby, P. (2022, February 24). Why is Russia invading Ukraine and what does Putin want? – BBC news. BBC. 

[2] Masters, J. (2023, February 14). Ukraine: Conflict at the Crossroads of Europe and Russia. Council on Foreign Relations.

[3] Roy, D. (2023, June 8). How bad is Ukraine’s humanitarian crisis a year later? Council on Foreign Relations.

[4] Prokscha, A. (2022, April 22). Helping in times of war: How Ukrainian ngos built a support network. GMFUS.

[5] McLaughlin, J. (2023, March 3). Russia bombards Ukraine with cyberattacks with limited impact. NPR.

[6] Lyngaas, S. (2022, April 23). Aid groups helping Ukraine face both cyber and physical threats | CNN politics. CNN.

[7] UNHCR. (2023, February 10). Ukraine Situation flash update #40. UNHCR Operational Data Portal (ODP).

[8] Roy, D. (2023, June 8). How bad is Ukraine’s humanitarian crisis a year later? Council on Foreign Relations.

[9] Guardian News and Media. (2022, December 24). Russian artillery barrages kill civilians in southern and Eastern Ukraine. The Guardian.

[10] Pérez-peña, R. (2022, March 10). Russia batters and encircles Ukrainian cities, as diplomacy falters. The New York Times.

[11] Human Rights Watch. (2022, October 11). Ukraine: Apparent war crimes in Russia-controlled areas. Human Rights Watch.

[12] De Luce, D., & Mayer, D. (2023, January 20). Ukraine appeals to the world for help keeping the lights on.,electrical%20network%20has%20been%20damaged.

[13] European Council Council of the European Union. (2023, June 25). EU Migration and Asylum Policy . European Council Council of the European Union.

[14] Cass, Z., & Raggi, M. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Proofpoint.

[15] Brewster, T. (2022, March 4). Warning: Hackers are targeting the Ukraine refugee crisis. Forbes.

[16] Cass, Z., & Raggi, M. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Proofpoint.

[17]Stone, J. (2023, March 22). A propaganda group is using fake emails to target Ukrainian refugees. Bloomberg.

[18] Stone, J. (2023, March 22). A propaganda group is using fake emails to target Ukrainian refugees. Bloomberg.

[19] Berger, M. (2022, February 28). 400,000 Ukrainians flee to European countries, including some that previously spurned refugees. The Washington Post.

[20] Lyngaas, S. (2022, April 23). Aid groups helping Ukraine face both cyber and physical threats | CNN politics. CNN.

[21] Lyngaas, S. (2022, April 23). Aid groups helping Ukraine face both cyber and physical threats | CNN politics. CNN.

[22] Amazon. (2022, March 8). Amazon’s cybersecurity assistance for Ukraine. Amazon.

[23] Cass, Z., & Raggi, M. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Proofpoint.

[24] Lyngaas, S. (2022, April 23). Aid groups helping Ukraine face both cyber and physical threats | CNN politics. CNN.

[25] Duguin, S. (2022, February 22). Cyberattacks: A real threat to NGOs and nonprofits. ReliefWeb.

[26] Harper, N., & Dobrygowski, D. (2022, January 17). Why the humanitarian sector must make cybersecurity a priority. World Economic Forum.

[27]OHCHR. (2023, July 1). Geneva Convention relative to the protection of civilian persons in time of war (2nd part). OHCHR.

[28] United Nations. (2016, June 27). The promotion, protection and enjoyment of human rights on the Internet. United Nations.

[29] Jensen, E. T. (2017). The Tallinn Manual 2.0: Highlights and Insights – Georgetown law. Georgetown University.

[30] Cambridge University Press. (2017, February 3). International human rights law (Chapter 6) – tallinn manual 2.0 on the international law applicable to Cyber Operations. Cambridge Core.