Ryan Gallagher: Hacktivists wage cyberwar on Putin's supply lines

Saboteurs of old used to blow up railway lines but nowadays, resistance groups opposing Russia and Belarus are disrupting those authoritarian regimes online 

Belarusian opposition activists with a banner reading "The tribunal" at a rally in Minsk, Belarus, in 2020. Picture: Evgeniy Maloletka/AP

Russia’s military began sending large numbers of weapons and troops into Belarus in late January. The official purpose of the movement was a joint military exercise, but Belarus, which has a 1,050km border with Ukraine and a government closely aligned with Moscow, was also a logical staging point for Russian president Vladimir Putin to carry out an invasion.

Several days after the troops arrived, weird things started happening to the computer systems that ran the Belarus national railway system, which the Russian military was using as part of its mobilisation.

Passengers gathered on train platforms near Minsk, the capital, watched as information screens flickered and normal messaging was replaced by garbled text and an error message. Malfunctioning ticket systems led to long lines and delays as damaged software systems caused trains to grind to a halt in several cities, according to railway employees and posts that circulated on Belarusian social media.

The cause of the delays was a ransomware attack in which hackers had encrypted crucial files on the railway’s computer systems, rendering them inoperable. The perpetrators of such attacks usually demand money in exchange for unlocking the seized files.

Partisans target 'Europe's last dictator'

But the assailants in this case — a group of hackers identifying themselves as the Cyber Partisans — said they would provide the key to unlock the computers only if Russian troops left Belarus and the Belarusian government freed certain political prisoners.

Belarusian president Alexander Lukashenko and Russian president Vladimir Putin at a joint news conference in the Kremlin in February. Picture: Sergei Guneyev/Sputnik/AP

The authoritarian government of Alexander Lukashenko was well aware of the Cyber Partisans, who’d become a key part of an opposition movement openly trying to overthrow his government.

Lukashenko, a former Soviet official who’s been president of Belarus since 1994, is widely known as Europe’s “last dictator”.

In 2020, he claimed victory in an election that the US and other countries have declared fraudulent, then ordered a violent response to the subsequent protests. The result has been a grinding conflict between his government and a broad movement of dissidents.

The anti-Lukashenko movement has been notable for the way it’s mixed analog forms of popular protest with online activism.

Lukashenko’s opponents started by breaking into the websites of the government and state news agencies, a form of politically motivated hacking with a long history. Since then, they’ve begun to branch into cyberattacks that result in physical damage, a tactic traditionally seen as the domain of state-sponsored agents.

The result is beginning to look like a new model for revolutionary groups seeking to wage asymmetrical warfare, says Gabriella Coleman, a Harvard professor and an expert on hacking culture.

“They are really innovating in a way I have not seen before,” she says of the Cyber Partisans.

It’s like traditional forms of sabotage, but using computer methods. What they are doing has taken hacktivism to the next level.

In the purest sense, the cyberattack on the train system didn’t succeed. Russian troops didn’t leave the country, and Belarus didn’t free the political prisoners.

But the train system remains impaired. 

The operation also signalled a major escalation in what had been a domestic conflict. The Belarusian dissidents now see a single, broader struggle against both Lukashenko and Putin and have begun to join forces with an informal and chaotic global coalition of pro-Ukraine hackers.

These groups have targeted dozens of Russian government agencies, dumping huge troves of stolen emails and documents online.

Andriy Baranovych, a spokesman for the Ukrainian Cyber Alliance, one of the groups working with the Cyber Partisans, says that while information gathering is a goal of his organisation, it’s also moving past that: “Political information has little value now. We are trying to cause disorder, disruption, deception — anything that could delay or stop Russia’s actions.”

Fleeing Belarus

Aliaksandr Azarau, a former Minsk police chief, arrived at a cafe near Warsaw’s central rail station one day in mid-March to tell the story of how he joined what he considers a war against Lukashenko’s government.

Azarau, 45, is a stocky guy in a checked shirt and black jacket, with a piercing stare. He mentioned that he has to be wary of spies as he travels around Poland and regularly glanced at his phone for updates on the fighting in Ukraine.

For more than two decades, Azarau was a police officer in Belarus, working as a detective in a department focused on human trafficking, illegal immigration, and religious extremism.

He rose to become a lieutenant colonel, heading a unit of an organised crime and corruption agency. He says he never supported Lukashenko but avoided criticising the government until August 2020, when he says he personally witnessed fraud in the presidential election and overheard commanders issue what he described as illegal orders to attack and arrest peaceful pro-democracy protesters.

Azarau quit the force and fled to Poland, where he was later joined by his wife and two young daughters. He quickly fell in with the Belarusian exile community in Warsaw and signed up to join ByPol (the name is shorthand for Belarus Police), a group of self-described “honest officers” from Belarus’s law enforcement community who were advocating for free and fair democratic elections.

ByPol’s members weren’t hackers. But they soon linked up with the Cyber Partisans, who showed how their skills could help gather evidence of human rights violations that could be used to argue for sanctions against government officials.

The hackers broke into government websites. They disclosed mortality statistics indicating that tens of thousands more people in Belarus died from Covid-19 than the government had publicly acknowledged.

They also began releasing data including secret police archives, lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centres, and secret recordings of phone calls from a government wiretapping system.

ByPol members, with their knowledge of the inner workings of the regime, helped to analyse, authenticate, and distribute the hacked files.

Azarau says that information gathered by the hackers has been vital in documenting police abuses. But the cyberattacks were useful for doing more than simply embarrassing Lukashenko.

One database the Cyber Partisans broke into included 10m passport and driver’s licence photos, which ByPol has used to create its own facial recognition system.

It’s used it to identify suspected spies, as well as police officers shown attacking protesters in videos. If the group has a picture of a suspected Belarusian spy, it runs a check on the photograph.

These operations have clearly spooked Lukashenko’s government. Last November, the Supreme Court branded the hackers as terrorists and criminalised participation in several groups including the Cyber Partisans and ByPol, according to the prosecutor general’s office.

In March, Lukashenko expounded on the danger of cyberattacks: 

We all tremble at nuclear weapons but cyberweapons are even more terrifying. 

As Belarus became involved in Russia’s mobilisation for an invasion of Ukraine, ByPol grew hungry to undermine Lukashenko’s government by, for example, sabotaging signalling systems to slow down trains.

The tactic has echoes of Soviet resistance fighters who undermined the Nazi regime during the Second World War by using explosives to blow up the tracks.

“A lot of Russian ammo and weapons came to Belarus and goes through our territory to Ukraine, to kill Ukrainians,” says Azarau. “So we decided to wage a railway war.”

While ByPol’s operatives have used arson to carry out this strategy, he says, their allies could provide similar results by digital means.

The Cyber Partisans said they’d paralysed trains in the Belarusian cities of Minsk and Orsha, as well as the town of Osipovichi.

It’s not possible to independently verify these claims. But there has been evidence of disruptions.

In March, Belarusian Railway posted a statement online saying it was opening 50 additional ticket offices to meet demand while it worked to restore its systems.

Unlike ByPol, the Cyber Partisans are determined to remain entirely anonymous, saying they fear for their safety given the violent record of the Lukashenko regime. Even their ostensible public representative, a Belarusian citizen named Yuliana Shemetovets who lives in New York City and appears at conferences on their behalf, says she doesn’t know their identities.

Cyber Partisan interview

After several months of communication with Bloomberg over encrypted chat channels, a member of the group agreed to a rare video interview, on the condition that he be allowed to remain anonymous and the technical details of the chat not be published.

The hacker sat silhouetted in a darkened room, wearing a hoodie. The Cyber Partisans’ red-and-black logo was projected on a large screen behind him.

He used a device to disguise his speech, which only partially concealed what sounded like an eastern-European accent.

The Cyber Partisans consist of about 60 people, he said, mostly Belarusian citizens with backgrounds in computers. Most of them work on tool development and data analysis, with only about 10 volunteers participating in the hacking operations the group carries out.

He flatly refused to discuss his personal life in even the broadest ways, for fear of accidentally revealing details that could be used to identify him.

The nature of the Cyber Partisans’ operations has led to speculation that they’re a front for a government hostile to Lukashenko’s.

A protestor with a traditional Belarusian flag taking part in a demonstration in Warsaw demanding freedom for Belarus opposition activist Roman Protasevich. Picture: Wojtek Radwanski/AFP

In January, security researcher Juan Andres Guerrero-Saade wrote that government-backed groups can masquerade as hacktivists to give themselves plausible deniability and “to imbue their leaks with legitimacy not afforded by the obvious intervention of a government”.

But he also determined that the Cyber Partisans had the characteristics of a “grassroots endeavour”.

In his video chat with Bloomberg, the Cyber Partisan laughed off this suggestion, saying that the group isn’t financed or controlled by any government agency. “We’re still amateur hacktivists,” he said.

“We’re just highly motivated and stubborn. If we had the budget of a government agency we would have carried out attacks every day and brought the terroristic regime of Lukashenko to its knees very quickly.”

What the Cyber Partisans do acknowledge is that Putin’s war has broadened their goals — and helped them forge a new set of alliances with hackers in Ukraine.

“Ukrainians are now fighting not only for their freedom but for the Belarusian independence as well,” the hacker said.

“I understand it’s war and we need to do this. But there was a point when it just felt it was becoming too dangerous.”

The political hacking movement within Ukraine began building in earnest following Russia’s invasion of Crimea in 2014. The Ukrainian Cyber Alliance formed in 2016 to strike back against Russia and has a track record of carrying out successful data breaches. 

In 2016 and 2017, it claimed responsibility for compromising Russian Ministry of Defence servers and stealing and publishing emails from an adviser close to Putin, in addition to those of alleged Russian militants and propagandists.

At the time the Ukrainian government was ambivalent at best about much of what such groups were doing.

Authorities accused the Ukrainian Cyber Alliance of hacking Odessa’s international airport and placing an offensive message about the environmental activist Greta Thunberg on an electronic display, and some of its members were scheduled to appear in court in February in connection with the incident.

The group denies involvement, but in any case the proceedings were postponed, and the hackers now say they’re working with the Ukrainian government as part of its call for a makeshift “IT Army” to help in the war effort.

The volunteers have carried out targeted attacks on Russian banks and energy companies and also hacked Russian state media websites to counter the Kremlin’s propaganda.

Consequences

The life of a professional revolutionary has been hard on Azarau. His Belarusian bank accounts were seized last year, and security agents in Belarus searched the home of his 68-year-old mother and confiscated electronic devices at her property in a village near Minsk.

People who’ve called his mother by phone have themselves been subsequently visited by police. The harassment, which Azarau interprets as an attempt to punish him, has had a chilling effect on friends and family, who are now afraid to contact his mother, leaving her isolated.

He says he’s pretty sure he’s being followed in Warsaw as well. ByPol has identified Belarusian military intelligence agents who it says have travelled to Poland to infiltrate dissident groups. Earlier this year, says Azarau, a Belarusian spy was operating in Poland disguised as a refugee and had been tasked with “eliminating” ByPol’s leadership.

Azarau recognised the man from his former police days, and ByPol subsequently exposed his identity online. The alleged spy fled a refugee centre where he was living and left his passport behind. “Now nobody knows where he is,” Azarau says.

Lukashenko’s government has proved willing to go to extremes to fight its political opponents. Last year it caused international outrage when it forced a passenger plane to land in Minsk and arrested a dissident Belarusian journalist who’d been on board.

Last August, one prominent opposition figure was found hanged in a park in Ukraine. Police said they suspected the incident may have been a murder disguised as suicide.

In April, news agency AFP reported that the Belarusian government said it had arrested four men whom it suspected of sabotaging train equipment. The announcement included video of gruesomely injured men lying on the ground. The government said it had shot the suspects because they were resisting arrest.

At the same time, the hacking and sabotage are putting “huge pressure” on Lukashenko’s regime, says Pavel Latushko, a former Belarusian ambassador and minister of culture who now leads an opposition group called National Anti-Crisis Management.

In his office in central Warsaw, Latushko has five framed documents on his wall displaying criminal charges Belarusian authorities have filed against him, accusing him of involvement in terrorism, extremism, and conspiracy to seize state power — he jokes that he’s had seven charges filed against him in total, but he doesn’t have enough room. Lukashenko, he says, once personally threatened to strangle him.

Given the violence of the Lukashenko regime and the devastating Russian assault on Ukraine, Latushko says hackers like the Cyber Partisans should feel little restraint about how they hit back.

“All activities under the movement of resistance are legal,” he says.

“Everybody who can struggle against the occupation of the Russian Federation and the puppet government of Lukashenko — you can use all the instruments.”
