How the Belarusian Cyber Partisans are fighting a digital war against two dictators

It’s not common for hacker groups to have strong political leanings, but for the Belarusian Cyber Partisans, whose goal is to topple the authoritarian regime in their country, it’s more of a necessity than a choice.

The group is part of the broader opposition movement in Belarus, which gained global attention after the mass protests in 2020 against national election results that were rigged by the country’s Russia-backed dictator, Alexander Lukashenko.

The peaceful protests failed, leading opposition members to either flee the country, face imprisonment or stay in hiding in Belarus, facing constant threats from local law enforcement, known as “siloviki.”

The Cyber Partisans didn’t back down: They used digital campaigns and cyberattacks to undermine Lukashenko’s regime. Over the years, the Partisans’ skills have become sharper, and their name has earned the trust of prominent journalists and researchers. The group has even secured significant funding from donors, allowing some of its core members to quit their primary jobs and hack full-time.

Among the Partisans’ most successful operations are an attack on the state-run Belarusian railway, which reportedly disrupted the supply of Russian weapons to Ukraine; the breach of the classified servers of Belarus’ Ministry of Internal Affairs, with access to the department’s internal communications; and the exposure of the country’s true COVID-19 mortality rate and Lukashenko’s controversial vaccination policy.

Recorded Future News interviewed Cyber Partisan affiliates for the first time two years ago, but much has changed since then. They learned that fighting the Lukashenko regime required an expansion of their worldview. They are now collaborating with Western organizations and intelligence services in Ukraine, providing them with data obtained from hacked companies in Russia.

“It’s no longer just a struggle for the liberation of Belarus — it’s a war against the Russian Empire,” said Yuliana Shemetovets, the group’s spokesperson.

Helping Ukraine

Shemetovets is the only public face of Cyber Partisans. The rest of the group — 30 core members and nearly 70 volunteers, according to her — work anonymously for security reasons. And much of what they achieve occurs out of the public eye, Shemetovets said. This includes her own trips to Ukraine and meetings with local security services to discuss what data Belarusian hacktivists can provide to help Ukraine’s military efforts.

The first publicly reported case of this collaboration was the Partisans’ attack on a sanctioned Russian company involved in the development of military equipment used against Ukraine, including Orlan drones and electronic warfare systems.

The hackers said they gained access to the company’s internal correspondence, employee data and locations of military training sites. This data was then handed over to Ukrainian intelligence.

Ukraine’s cybersecurity officials recently acknowledged that the intelligence they obtain during cyberattacks aids the ground operations of the armed forces. Sometimes, they credit local hackers for seizing this data, but Ukraine has never publicly admitted that it is working with Belarusian hacktivists. In response to a request for comment from Recorded Future News, Ukraine’s security service, the SBU, said that it will disclose data regarding operations after winning the war.

To maintain the trust of Ukrainian authorities, the Cyber Partisans rely on the reputation they’ve built over the years, according to Shemetovets. The hacktivists are known for collaborating with investigative journalists and researchers, such as those from Bellingcat and Belsat. “They verified the authenticity of the data we provided,” Shemetovets said.

According to Belsat journalist Julia Cialpuk, the Cyber Partisans provide them with large databases containing evidence of crimes from Lukashenko’s regime.

Among the recent leaks is accounting information from Belarus’ state-owned national news agency BelTA — the “mouthpiece of Lukashenko’s propaganda,” Cialpuk said. Belsat has not yet reported on that leak. The data dump includes details about more than 2,000 employees, agreements with contractors, salaries, and bonuses received for working with political content.

The information provided by the Partisans has, among other things, helped expose the identities of the siloviki, who have terrorized the Belarusian people. The hacktivists “de-anonymize the crimes of the regime,” Cialpuk told Recorded Future News.

“The dictator promised his loyal servants that he would protect them from the opposition,” Cialpuk said. “For those who thought they went unnoticed, we have bad news — there are terabytes of information about you,” she added.

The Cyber Partisans also teamed up with the Kastus Kalinouski Regiment, a collective of Belarusian opposition volunteers established to fight on the ground in Ukraine during the Russian invasion. The hacktivists help the regiment to vet volunteers and also share information that the regiment can use in its military operations, or pass on to Ukrainian special services.

The Belarusian opposition supports Ukraine for both moral and strategic reasons, according to Shemetovets. “We have a common enemy,” she said.

For centuries, Belarus’ economy depended on Russia; the Russian army is stationed there, and Belarusian territory was used to launch missiles against Ukraine. Russia is also actively suppressing the Belarusian native language and culture as part of its Russification policy.

“The first step to liberate Belarus is to help Ukraine win this war,” Shemetovets said.

Weakening Belarus’ regime

Sustaining a democratic revolution in Belarus is not easy. Opposition activists living in exile risk imprisonment upon their return, while those who remain in the country fear retribution from the siloviki.

“We have an information war and it may be our main battlefield,” said exiled Belarusian opposition leader Sviatlana Tsikhanouskaya in an interview with Recorded Future News in February.

Shemetovets admits that the Cyber Partisans’ capabilities for a real revolution are limited.

“If you try to do something inside Belarus right now, you have to think about how it will help Ukraine, how the Russian regime will react to it, and whether it is weakened enough not to send its troops into Belarus,” she said.

Every decision, then, has to be focused on the main goal of overthrowing the dictatorship.

“We try to prioritize things that will really make a difference,” Shemetovets said.

Cyberattacks on Belarusian state services, for example, can trigger a “cleansing” inside the system, as the regime will be searching for insiders. “This creates instability,” Shemetovets said.

“We also always think about how our attacks will affect the citizens of Belarus, because we still fight for their hearts and brains and try as much as possible not to affect people who are not directly connected to the regime,” she added.

That carefulness extends to data about ordinary people that the Cyber Partisans might exfiltrate during operations. The group does not hesitate to disclose information related to Lukashenko, his allies or local spies, however. “They chose their path and serve an illegitimate criminal regime,” Shemetovets said.

In 2021, Cyber Partisans disclosed the personal data of officers from the Belarusian state security service, the KGB. The head of the service admitted on state television that there had been “hacker attacks on personal data” and a “systematic collection of information,” which he attributed to the efforts of “foreign special services.”

“Identification of spies is an important part of our work, because it affects both Belarusian and European organizations,” Shemetovets said.

Hacking and leaking

Cyber Partisans have two approaches to working within a victim’s internal network, which are similar to real military operations.

One of them is sabotage attacks: “You get inside the network, perform your tasks, and leave quickly, dropping ‘cyber bombs’ that you can activate later. If you manage to hide the malware in the system without detection, that is already considered a successful sabotage,” Shemetovets said.

The other approach is a tactic the group calls “holding the front line,” or what cybersecurity analysts refer to as “persistence.” It’s less complex and dangerous than direct sabotage.

“In our case, it means keeping all access to the systems,” while staying undetected and gaining more privileges, she added.

Cyber Partisans said they gain new access to systems every day. “If we take a week off, there is a probability that we will lose some of these accesses, and therefore our front line will decrease,” Shemetovets said.

“We need to have as large a front line as possible and constantly maintain it: extract data, and obtain new access that can be used at a critical moment.”

Caution is important. Sometimes the Cyber Partisans wait a year after an attack to disclose it, as a way of hiding their methods.

“We have a lot of data and spend a lot of resources to keep it secure,” Shemetovets said. Access to the data inside the group is also limited.

“I personally do not have access to it, for the sake of security, so that if I am kidnapped somewhere in Europe, the regime would not have access to this information,” she added.

There have been instances where KGB agents posed as IT experts to infiltrate the group. That’s why new members undergo a multi-level verification process that can take up to six months, according to Shemetovets.

The Cyber Partisans also do not disclose what digital tools they use.

In a recent report by the Russian cybersecurity company F.A.C.C.T., researchers said that the Cyber Partisans used an unknown encryption virus in at least two attacks on Russia and Belarus last year.

Shemetovets said that the group usually takes well-known tools and reworks and customizes them for their own use.

Going political

The Belarusian opposition has its own nongovernmental body called the Coordination Council, created by Tsikhanouskaya back in 2020 to facilitate a democratic transfer of power in Belarus.

Currently, opposition forces are preparing for the election of members to the council, and the Cyber Partisans hope to have a voice there.

“We believe that it makes sense to participate in these elections because it is a platform that can unite various opposition forces and involve Belarusians in the political agenda,” Shemetovets said.

However, as politics require transparency and hacktivists cannot disclose their names, she would most likely be their sole representative.

The group does think deeply about its relationship to politics, though. When asked what the Cyber Partisans prefer to be called, Shemetovets’ response was a “digital resistance group” rather than “hacktivists.”

Even if the goal is achieved, and Belarus is liberated from Lukashenko’s control, Shemetovets hopes that Cyber Partisans will be involved in the country’s politics, helping to reconstruct and secure Belarus’s “faulty” systems or even working in intelligence.

“Any modern state’s special service has cyber intelligence, and the military has a cyber army, so I think some of our members will be involved in this. With their experience and the capabilities they have developed over the years, they can make a significant contribution to this field,” she said.

Meanwhile, the war in Ukraine has entered its third year, Lukashenko is still ruling Belarus, and he has announced his participation in the 2025 presidential election.

Inside Belarus, people are threatened and arrested for supporting the opposition or reading independent media. Even Shemetovets, who now lives in the U.S. and works for a nonprofit that helps Holocaust survivors, admitted that sometimes she’s afraid.

“Sometimes you can wake up at night because it seems that someone is knocking on the door and they have come for you,” she said. “But you can work with this fear.”

“Constant activity and understanding the importance of what you are doing help you overcome fear and powerlessness.”


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
