The Washington PostDemocracy Dies in Darkness

Cyber hacktivists are busy undermining Putin’s invasion

Here’s what we know about one group

In Moscow, amid a hack of Smart TVs in Russia, a message appears on screen May 9: “There is blood on your hands from thousands of Ukrainians and hundreds of their murdered children. TV and government are lying — Say No to War.” (Image obtained by Reuters) (Images Obtained By Reuters/Via Reuters)

Hacked TV and Internet coverage of Monday’s Victory Day celebrations were an embarrassing disruption to displays of patriotism in Russia, marking the latest anti-Putin cyberattacks. Since Russian forces invaded in February, a “cyber proxy war” over Ukraine has been ongoing. The Ukrainian government, for instance, called on volunteers to join the “IT Army” in the fight against Russia.

It’s not clear who planned and executed the hack of Russia’s annual celebration of victory in World War II. But our research sheds some light on “hacktivists” in general, and their motivations.

We’ve been tracking the activities and statements of one group in particular — a Belarusian hacktivist group calling themselves the Cyber Partisans. This group has claimed responsibility for several major cyberattacks, including a high-profile operation against the Belarusian railway system that reportedly halted Russian ground artillery and troop movement into Ukraine.

What are the rules of war and how do they apply in Ukraine?

However, the Cyber Partisans are more akin to a digital resistance movement than a “cyber proxy” like the Ukrainian government-backed “IT Army.” The group does not appear to be acting as an intermediary for another government’s interests, and has a history of independent operations against the government of Belarus.

With an extensive online presence, the Cyber Partisans also differ from other nongovernmental hacking efforts supporting the Ukrainian resistance during the war, such as Anonymous or Squad303. Though many Cyber Partisan claims remain unverifiable, the available evidence suggests that this is a small group of closely linked individuals with a strong connection to Belarus.

Who are the Cyber Partisans?

The group formed in September 2020, following the contested presidential election in Belarus and the ensuing protests — and harsh crackdowns by the government of longtime president Alexander Lukashenko, who claimed victory in the contested election. The group is one of three arms of the “Suprativ” collective, a larger anti-government resistance movement. The group’s members are former IT professionals, many of whom may be living in Belarus.

The group reports to have doubled in size from 15 members in late 2021 to 30 members in early 2022, with several new members joining since the beginning of Russia’s war in Ukraine. A handful of people reportedly are responsible for conducting cyber operations, supported by several others who help with more mundane tasks, such as registering online accounts. Most members reportedly focus on other efforts to support government opposition, such as helping protesters in Belarus use encrypted communications channels.

Is there a difference between ‘defensive’ and ‘offensive’ weapons?

The Belarusian government remains the primary target

The Cyber Partisans undertake a large number of “doxing” activities in Belarus — making public the private information of government officials in Belarus, as well as intelligence and riot police officers. The Scorching Heat (КО Жара) campaign, which ran from June to November 2021, released a wide range of government data, reportedly obtained by hacking the Belarus passport system and traffic police database, along with a database of violations maintained by the Department of Internal Security of the Interior Ministry, the Interior Ministry’s video database, and the video surveillance system of a government detention center.

Other disruptive attacks by the Cyber Partisans include defacing government websites and television channels and deleting databases of the Belarusian Academy of Public Administration (Lukashenko’s training ground for government officials).

But the hack that targeted the Belarusian railway has gained the most international attention. The Cyber Partisans claimed to put the train traffic control systems in Minsk and Orsha into a “manual control” mode to “significantly slow down the movement of trains, but not create emergency situations.” This hack appeared to disrupt the transport of Russian troops and military equipment heading to Ukraine.

In addition to these activities, the Cyber Partisans provided technical support to the Belarusian resistance movement. For example, during the 2020 protests against the Belarusian president, the group shared three links to proxy servers via its Telegram account to the protesters marching in the streets, offering the protesters secure communications.

The group also develops new tools to provide secure channels of communication. It announced an encrypted SMS app for protesters to communicate securely — and without an Internet connection. And they developed a secure Telegram app called “Partisan Telegram.”

Collaborating with other activists

The group has maintained a narrow focus, stating that actions and collaborations are strictly intended to produce “operative effects” on Belarusian territory and infrastructure. Thus the Cyber Partisans don’t participate directly in the Ukrainian IT Army’s activities, or execute operations outside of Belarus’s borders. The group has, however, been sharing best practices about the targeting of Russian forces.

The group owes much of its successful targeting — a major issue for other hacktivist groups — to its partnership with an organization of former Belarusian government officials, ByPOL. Launched in October 2020, ByPOL aims to “unite hundreds of incumbent and former security officers looking to restore the rule of law and order in Belarus.”

Sending a clear and global message

The Cyber Partisans have set up various communication channels to showcase their activities. Official Cyber Partisans channels on Telegram, Twitter and YouTube, for instance, feature regular updates on the group’s work.

Check out all of TMC’s coverage of the Russia and Ukraine crisis in our new topic guide: Russia and its neighbors

Unlike most other hacktivist groups, the Cyber Partisans have a designated spokesperson. Based in New York City, Yuliana Shemetovets gives interviews to explain the rationale behind their operations and the group’s broader campaign goals. She says that she does not know the identities of the Cyber Partisans but receives updates and instructions through encrypted messaging.

The Cyber Partisans have also collaborated with other media channels. One high-profile collaboration has been with Bellingcat for its report on “Wagnergate,” a Ukrainian sting operation that led to the arrests of Russian mercenaries in Belarus. Cyber Partisan efforts also supported a CurrentTimeTV expose of government undercounting of covid-19 infections and death rates for Belarus.

What we do not know

At this stage it’s not possible to determine the full impact of these types of cyber operations, or the effectiveness of other hacks aimed at embarrassing the Russian military. And while there is a great deal of public information about the Cyber Partisans’ activities, the potential cross-border nature of cyber operations helps conceal hackers’ identities and targets. But one clear takeaway from the flurry of recent cyber operations is that no country — or military — may find it easy to shut down nongovernmental hackers.

Don’t miss any of TMC’s smart analysis! Sign up for our newsletter.

Max Smeets is a senior researcher at the Center for Security Studies (CSS) at ETH Zurich, director of the European Cyber Conflict Research Initiative, and author of “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force” (Oxford University Press, 2022).

Brita Achberger is the fellowship manager at the European Cyber Conflict Research Initiative.