Belarus's New Revolutionaries

Monday 4 July 2022

Russia’s military began sending large numbers of weapons and troops into Belarus in late January. The official purpose of the movement was a joint military exercise, but Belarus, which has a 650-mile border with Ukraine and a government closely aligned with Moscow, was also a logical staging point for Russian President Vladimir Putin to carry out an invasion.

Several days after the troops arrived weird things started happening to the computer systems that ran the Belarus national railway system, which the Russian military was using as part of its mobilization. Passengers gathered on train platforms near Minsk, the capital, watched as information screens flickered and normal messaging was replaced by garbled text and an error message. Malfunctioning ticket systems led to long lines and delays as damaged software systems caused trains to grind to a halt in several cities, according to railway employees and posts that circulated on Belarusian social media.

The cause of the delays was a ransomware attack in which hackers had encrypted crucial files on the railway’s computer systems, rendering them inoperable. The perpetrators of such attacks usually demand money in exchange for unlocking the seized files. But the assailants in this case, a group of hackers identifying themselves as the Cyber Partisans, said they would provide the key to unlock the computers only if Russian troops left Belarus and the Belarusian government freed certain political prisoners.

The authoritarian government of Alexander Lukashenko was well aware of the Cyber Partisans, who’d become a key part of an opposition movement openly trying to overthrow his government. Lukashenko, a former Soviet official who’s been president of Belarus since 1994, is widely known as Europe’s “last dictator.” In 2020 he claimed victory in an election that the US and other countries have declared fraudulent, then ordered a violent response to the subsequent protests. The result has been a grinding conflict between his government and a broad movement of dissidents.

The anti-Lukashenko movement has been notable for the way it’s mixed analog forms of popular protest with online activism. Lukashenko’s opponents started by breaking into the websites of the government and state news agencies, a form of politically motivated hacking with a long history. Since then they’ve begun to branch into cyberattacks that result in physical damage, a tactic traditionally seen as the domain of state-sponsored agents. The result is beginning to look like a new model for revolutionary groups seeking to wage asymmetrical warfare, says Gabriella Coleman, a Harvard professor and an expert on hacking culture. “They are really innovating in a way I have not seen before,” she says of the Cyber Partisans. “It’s like traditional forms of sabotage, but using computer methods. What they are doing has taken hacktivism to the next level.”

In the purest sense, the cyberattack on the train system didn’t succeed. Russian troops didn’t leave the country, and Belarus didn’t free the political prisoners. But the train system remains impaired. The operation also signaled a major escalation in what had been a domestic conflict. The Belarusian dissidents now see a single, broader struggle against both Lukashenko and Putin and have begun to join forces with an informal and chaotic global coalition of pro-Ukraine hackers.

These groups have targeted dozens of Russian government agencies, dumping huge troves of stolen emails and documents online. Andriy Baranovych, a spokesman for the Ukrainian Cyber Alliance, one of the groups working with the Cyber Partisans, says that while information gathering is a goal of his organization, it’s also moving past that: “Political information has little value now. We are trying to cause disorder, disruption, deception—anything that could delay or stop Russia’s actions.”

Aliaksandr Azarau, a former Minsk police chief, arrived at a cafe near Warsaw’s central rail station one day in mid-March to tell the story of how he joined what he considers a war against Lukashenko’s government. Azarau, 45, is a stocky guy in a checked shirt and black jacket, with a piercing stare. He mentioned that he has to be wary of spies as he travels around Poland and regularly glanced at his phone for updates on the fighting in Ukraine.

For more than two decades, Azarau was a police officer in Belarus, working as a detective in a department focused on human trafficking, illegal immigration, and religious extremism. He rose to become a lieutenant colonel, heading a unit of an organized crime and corruption agency. He says he never supported Lukashenko but avoided criticizing the government until August 2020, when he says he personally witnessed fraud in the presidential election and overheard commanders issue what he described as illegal orders to attack and arrest peaceful pro-democracy protesters.

Azarau quit the force and fled to Poland, where he was later joined by his wife and two young daughters. He quickly fell in with the Belarusian exile community in Warsaw and signed up to join ByPol (the name is shorthand for Belarus Police), a group of self-described “honest officers” from Belarus’s law enforcement community who were advocating for free and fair democratic elections.

ByPol’s members weren’t hackers. But they soon linked up with the Cyber Partisans, who showed how their skills could help gather evidence of human-rights violations that could be used to argue for sanctions against government officials.

The hackers broke into government websites. They disclosed mortality statistics indicating that tens of thousands more people in Belarus died from Covid-19 than the government had publicly acknowledged. They also began releasing data including secret police archives, lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers, and secret recordings of phone calls from a government wiretapping system. ByPol members, with their knowledge of the inner workings of the regime, helped to analyze, authenticate, and distribute the hacked files.

Azarau says that information gathered by the hackers has been vital in documenting police abuses. But the cyberattacks were useful for doing more than simply embarrassing Lukashenko. One database the Cyber Partisans broke into included 10 million passport and driver’s license photos, which ByPol has used to create its own facial recognition system. It’s used it to identify suspected spies, as well as police officers shown attacking protesters in videos. If the group has a picture of a suspected Belarusian spy, it runs a check on the photograph. “People ask us, ‘Who is this person?’ We can say that it is not a problem, if it is just a student,” Azarau says. “Or we can see if it is a spy.”

These operations have clearly spooked Lukashenko’s government. Last November the country’s Supreme Court branded the hackers as terrorists and criminalized participation in several groups including the Cyber Partisans and ByPol, according to the prosecutor general’s office. In March, Lukashenko expounded on the danger of cyberattacks. “We all tremble at nuclear weapons,” he said, “but cyberweapons are even more terrifying.”

As Belarus became involved in Russia’s mobilization for an invasion of Ukraine, ByPol grew hungry to undermine Lukashenko’s government by, for example, sabotaging signaling systems to slow down trains. The tactic has echoes of Soviet resistance fighters who undermined the Nazi regime during World War II by using explosives to blow up the tracks. “A lot of Russian ammo and weapons came to Belarus and goes through our territory to Ukraine, to kill Ukrainians,” says Azarau. “So we decided to wage a railway war.”

While ByPol’s operatives have used arson to carry out this strategy, he says, their allies could provide similar results by digital means.

The Cyber Partisans said they’d paralyzed trains in the Belarusian cities of Minsk and Orsha, as well as the town of Osipovichi. Sergei Voitehowich, a former employee of the state-owned Belarusian Railway company, acknowledges that the attacks didn’t stop Russia’s operations. But Voitehowich, who now helps operate an online forum for dissident railway workers and documents the damage caused by resistance groups, says that ByPol’s physical attacks on the rail network, combined with the Cyber Partisans’ digital attacks on its computer systems, disrupted the transport of Russian military equipment in Belarus for a week in March.

The Belarusian government refused to discuss the consequences of the January hack on the rail system, though Ivan Tertel, the head of Belarus’s KGB intelligence agency, has publicly complained about cyberattacks on infrastructure and said foreign adversaries knew who was responsible but had chosen to turn a blind eye. Lukashenko’s government never met the dissidents’ demands, opting instead to try to repair what damage it could or replace its infected equipment entirely.

Voitehowich questions how effective the recovery attempts have been. “Logistical systems are not working, information about transferring and moving trains is not available, and some internal documentation is not accessible,” he says. He estimates that 90% of the systems have been repaired, but that residual problems remain.

It’s not possible to independently verify these claims. But there has been evidence of disruptions. In March, Belarusian Railway posted a statement online saying it was opening 50 additional ticket offices to meet demand while it worked to restore its systems.

Unlike ByPol, the Cyber Partisans are determined to remain entirely anonymous, saying they fear for their safety given the violent record of the Lukashenko regime. Even their ostensible public representative, a Belarusian citizen named Yuliana Shemetovets who lives in New York City and appears at conferences on their behalf, says she doesn’t know their identities.

After several months of communication with Bloomberg Businessweek over encrypted chat channels, a member of the group agreed to a rare video interview, on the condition that he be allowed to remain anonymous and the technical details of the chat not be published.

The hacker sat silhouetted in a darkened room, wearing a hoodie. The Cyber Partisans’ red-and-black logo was projected on a large screen behind him. He used a device to disguise his speech, which only partially concealed what sounded like an Eastern European accent. The Cyber Partisans consist of about 60 people, he said, mostly Belarusian citizens with backgrounds in computers. Most of them work on tool development and data analysis, with only about 10 volunteers participating in the hacking operations the group carries out. He flatly refused to discuss his personal life in even the broadest ways, for fear of accidentally revealing details that could be used to identify him.

The nature of the Cyber Partisans’ operations have led to speculation that they’re a front for a government hostile to Lukashenko’s. In January, security researcher Juan Andres Guerrero-Saade wrote that government-backed groups can masquerade as hacktivists to give themselves plausible deniability and “to imbue their leaks with legitimacy not afforded by the obvious intervention of a government.” But he also determined that the Cyber Partisans had the characteristics of a “grassroots endeavor.”

In his video chat with Bloomberg Businessweek, the Cyber Partisan laughed off this suggestion, saying that the group isn’t financed or controlled by any government agency. “We’re still amateur hacktivists,” he said. “We’re just highly motivated and stubborn. If we had the budget of a government agency we would have carried out attacks every day and brought the terroristic regime of Lukashenko to its knees very quickly.”

What the Cyber Partisans do acknowledge is Putin’s war has broadened their goals—and helped them forge a new set of alliances with hackers in Ukraine. “Ukrainians are now fighting not only for their freedom but for the Belarusian independence as well,” the hacker said.

“I understand it’s war and we need to do this. But there was a point when it just felt it was becoming too dangerous”

The political hacking movement within Ukraine began building in earnest following Russia’s invasion of Crimea in 2014. The Ukrainian Cyber Alliance formed in 2016 to strike back against Russia and has a track record of carrying out successful data breaches. In 2016 and 2017 it claimed responsibility for compromising Russian Ministry of Defense servers and stealing and publishing emails from an adviser close to Putin, in addition to those of alleged Russian militants and propagandists.

At the time the Ukrainian government was ambivalent at best about much of what such groups were doing. Authorities accused the Ukrainian Cyber Alliance of hacking Odessa’s international airport and placing an offensive message about the environmental activist Greta Thunberg on an electronic display, and some of its members were scheduled to appear in court in February in connection with the incident.

The group denies involvement, but in any case the proceedings were postponed, and the hackers now say they’re working with the Ukrainian government as part of its call for a makeshift “IT Army” to help in the war effort. The volunteers have carried out targeted attacks on Russian banks and energy companies and also hacked Russian state media websites to counter the Kremlin’s propaganda.

The alliance between Ukrainian hackers and Belarusian dissidents has been a natural outcome of the Russian invasion, says the Ukrainian Cyber Alliance’s Baranovych. “We share something on Belarus of some use to them, and they helped us with accesses to Russian systems,” he says.

While there was a widespread expectation that Russia would carry out major cyberattacks against Ukraine as part of any invasion, the grassroots operations on the Ukrainian side have been a notable—and surprising—aspect of the conflict.

One European technology industry executive, who spoke on the condition of anonymity, says he joined the hacking effort in the early weeks of the conflict and worked with mobile phone network specialists to perform cyberattacks on the phones of Russian military officials, rendering them unable to make or receive calls. He demonstrated the technique for Bloomberg Businessweek, but its practical impact could not be independently verified.

The idea was to do anything that might slow the Russians’ ability to organize the invasion, he says. Later the hackers penetrated Russian phone networks and performed what’s known as a man-in-the-middle attack to intercept calls and messages. Fearing he was getting too deeply involved in an effort that could result in retribution, the executive pulled back from the hacking operation. “I understand it’s war and we need to do this,” he says. “But there was a point when it just felt it was becoming too dangerous for me to be part of it.”

The life of a professional revolutionary has been hard on Azarau. His Belarusian bank accounts were seized last year, and security agents in Belarus searched the home of his 68-year-old mother and confiscated electronic devices at her property in a village near Minsk. People who’ve called his mother by phone have themselves been subsequently visited by police. The harassment, which Azarau interprets as an attempt to punish him, has had a chilling effect on friends and family, who are now afraid to contact his mother, leaving her isolated.

He says he’s pretty sure he’s being followed in Warsaw as well. ByPol has identified Belarusian military intelligence agents who it says have traveled to Poland to infiltrate dissident groups. Earlier this year, says Azarau, a Belarusian spy was operating in Poland disguised as a refugee and had been tasked with “eliminating” ByPol’s leadership. Azarau recognized the man from his former police days, and ByPol subsequently exposed his identity online. The alleged spy fled a refugee center where he was living and left his passport behind. “Now nobody knows where he is,” Azarau says.

Lukashenko’s government has proved willing to go to extremes to fight its political opponents. Last year it caused international outrage when it forced a passenger plane to land in Minsk and arrested a dissident Belarusian journalist who’d been on board. Last August one prominent opposition figure was found hanged in a park in Ukraine. Police said they suspected the incident may have been a murder disguised as suicide. In April, news agency AFP reported that the Belarusian government said it had arrested four men whom it suspected of sabotaging train equipment. The announcement included video of gruesomely injured men lying on the ground. The government said it had shot the suspects because they were resisting arrest.

At the same time, the hacking and sabotage are putting “huge pressure” on Lukashenko’s regime, says Pavel Latushko, a former Belarusian ambassador and minister of culture who now leads an opposition group called National Anti-Crisis Management. In his office in central Warsaw, Latushko has five framed documents on his wall displaying criminal charges Belarusian authorities have filed against him, accusing him of involvement in terrorism, extremism, and conspiracy to seize state power—he jokes that he’s had seven charges filed against him in total, but he doesn’t have enough room. Lukashenko, he says, once personally threatened to strangle him.

Given the violence of the Lukashenko regime and the devastating Russian assault on Ukraine, Latushko says hackers like the Cyber Partisans should feel little restraint about how they hit back. “All activities under the movement of resistance are legal,” he says. “Everybody who can struggle against the occupation of the Russian Federation and the puppet government of Lukashenko—you can use all the instruments.”


This story was first published in Bloomberg Businessweek.