Accessibility links

Breaking News

Seeking Change, Anti-Lukashenka Hackers Seize Senior Belarusian Officials’ Personal Data

The logo of Belarus' Cyberpartisans hacker group features red and white, colors used by the Belarusian opposition.
The logo of Belarus' Cyberpartisans hacker group features red and white, colors used by the Belarusian opposition.

They describe themselves as “apolitical” hackers who want to end Belarus’ “terrorist” regime and ensure equal rights for all. But the actions of Cyberpartisans, a group of Belarusian hackers who claim to have secured access to the passport data of millions of Belarusians, raise questions about how Alyaksandr Lukashenka’s opponents interpret the right to privacy.

To prevent officials and other government employees allegedly responsible for flagrant rights abuses against ordinary Belarusians from hiding behind a cloak of anonymity, the Cyberpartisans say they targeted several Belarusian Interior Ministry databases in what they claim is the largest cyberattack in Belarus’ history.

Their stated goal is “to disrupt” the work of the security organs and others they see as propping up the 66-year-old Lukashenka’s de facto rule. Their hope is that the seized data, some classified, could lead to a “Moment X,” a wave of rallies that would overthrow the government.

While refraining from naming an exact number of files, the hackers claim to have obtained classified passport records for the Belarusian security forces’ leadership, members of Lukashenka’s inner circle, plus State Security Committee (KGB) employees, including intelligence officers operating in the European Union.

On July 26, the group’s Telegram channel teased passport data for KGB Chairman Ivan Tertel; Central Election Commission Chairwoman Lidiya Yermoshina; the chairwoman of the upper house of parliament, Natallya Kachanova; and ex-Kyrgyz President Kurmanbek Bakiyev, who has lived in Belarus since his 2010 overthrow from power. Belarusian passports are used both as a domestic identity document and for external travel.

A Cyberpartisans tout for information related to ex-Kyrgyz President Kurmanbek Bakiyev, a resident of Belarus
A Cyberpartisans tout for information related to ex-Kyrgyz President Kurmanbek Bakiyev, a resident of Belarus

Each individual’s dossier, the hackers claim, contains passport photos and data; his or her residence permit; the name of the government body or military unit for which the person works; the names of family members, “and so on.”

“Will many KGB agents be ready to operate abroad, knowing that data about them has already leaked?” one of the hackers asked rhetorically in a bot-assisted Telegram chat with Current Time.

Aside from passport data, the Cyberpartisans claim to have accessed the records of the Belarusian traffic police, which the hackers say include information on registered cars for the KGB, the anti-corruption police, and tsikhary (“silent men”), masked muscle men in plainclothes known for brutally rounding up suspected protesters.

“At a minimum, they’ll all have to change their transportation,” commented the anonymous hacker, who used the name Cyber-Partisan. “But more important is that the operatives will know that such a leak can totally be repeated.”

Information was also seized about the KGB’s housing assignments, Cyber-Partisan added, which means “they’ll have to change all the apartments.”

He likened the operation, code-named Zhara (Heat), to an action thriller. The group “had to penetrate the regime’s facilities and open up access to the Interior Ministry’s internal computer network” before entering “several databases,” the hacker recounted.

Belarusian digital security expert Nikolai Kvantaliani, who says he has examined the documents obtained, does not question that the acquired information will impact Belarus’ security forces.

“This can all be a restraining factor for the continuation of active violence against citizens of the Republic of Belarus,” commented Kvantaliani, an employee of the Belarusian National Platform – Eastern Alliance Partnership Civil Society Forum, which promotes European Union integration.

A spokesman for the hacktivist group Ukrainian Cyber Alliance, the oldest such group in the former Soviet area, was surprised by the scope of his Belarusian colleagues’ work.

“Intelligence, counterintelligence, and KGB employees who have special notes (indicating their occupations) in their passports are completely compromised,” said Andriy Baranovych. “And activists, partisans got the data, not the special services. And now the people who are the backbone of the Lukashenka regime will not feel safe.”

The Belarusian authorities have not yet commented specifically on the cyberattack.

Belarus’ KGB and the company that built the Interior Ministry’s passport database, Todes, did not respond to Current Time’s questions about the attack.

On July 30, however, KGB Chairman Tertel advised regional officials that “destructive forces” connected with “foreign special services” are using IT to secure personal data about the country’s leadership, “security forces, and other government organs,” the state-run TV channel Belarus-1 reported.

Officials’ relatives studying in Poland, Lithuania, “other Western countries,” and Ukraine also have been targeted “in a search for leverage,” Tertel warned.

Belarusian KGB Chairman Ivan Tertel addresses Belarus' parliament on May 26, 2021.
Belarusian KGB Chairman Ivan Tertel addresses Belarus' parliament on May 26, 2021.

But Is The Hack For Real?

If the Cyberpartisan attack is confirmed, reckoned Baranovych, it would rank as “the most major and successful hack” of a government computer system since 2015, when Chinese hackers stole the records of up to 4 million federal employees from the U.S. government’s Office of Personnel Management.

To verify the Cyberpartisans’ claim of having hacked Belarus’ passport database, Current Time submitted to the hackers the names and dates of birth of two Belarusian citizens, who agreed to the information’s release.

After a few minutes’ search in their alleged data trove, the Cyberpartisans sent the two Belarusians’ complete passport details, their official places of residence and work, and also technical information -- for example, that one passport no longer has the space to affix visas.

The hackers also sent information about the parents of one of the Belarusians and four high-resolution photos for the passport of the other. The photos were taken over several years and, according to the passport holder in question, had never been published online.

Professional hackers did not acquire such information, according to Cyber-Partisan. Rather, the Cyberpartisans group is made up of “a small core of admins, and another 10-15 volunteers” from the IT sector who are “working for an idea,” he said.

Cyber-Partisan pledged that his group would not touch data about Belarusians not working for the government. “We understand data security,” he said. “We’re saving everything in an encrypted format on a separate server that’s isolated from the Internet.”

The Cyberpartisans took shape in September 2020, as Belarusian anger rose about documented cases of police violence against anti-Lukashenka protesters and reported cases of torture in detention centers.

The activists hacked the websites of state-run Belarusian TV channels and released online footage of detentions. On government sites, they urged viewers to attend the protests and disclosed the names of law enforcement officers who, in their opinion, took part in torturing detained demonstrators.

The Cyberpartisans make up part of a recently formed, anti-Lukashenka movement called Supratsiy (Resistance) that also contains two other activist groups: Busli Lyatsyats (The Storks Are Flying) and Druzhin Narodnoi Samooborony (The People’s Self-Defense Brigade).

Cyber-Partisan alleged that individual members of these two groups formerly worked for Belarus’ security forces and have experience in special operations and intelligence-gathering.

The government has designated the Telegram channels of Busli Lyatsyats and Druzhin Narodnoi Samooborony as extremist.

Rule Of Law Or Rule Of Fear?

Online “de-anonymization” campaigns to unmask the identities of government employees allegedly involved in illegal activities against Lukashenka’s critics began soon after protests against the alleged rigging of Belarus’ presidential elections erupted on August 9-10, 2020.

One of the most prolific Telegram channels for these campaigns is the Black Book of Belarus. Most recently, amid the scandal over the Belarusian Olympic Committee’s reported attempt to force sprinter Krystsina Tsimanouskaya to leave the Tokyo Olympics, the Black Book of Belarus released personal data for the two men it claimed had taken Tsimanouskaya to the airport – Belarusian National Olympics Committee Department of International Relations Director Vasil Yurchik and Republican Olympics Training Center for Track and Field Deputy Director Artur Shumak – as well as for the head coach of the Belarusian track and field team, Yury Moisevich.

The consequences of such revelations are not clear, but international accords condemn such breaches as violations of the human right to privacy.

Under Belarus’ Criminal Code, unauthorized access to computer information is punishable with up to 2 years in prison; the use of malware carries a prison sentence of up to 10 years.

But the Cyberpartisans do not appear concerned.

Referring to Lukashenka, the group has placed responsibility for “all consequences” of their cyberattacks on “the tyrant and his punitive structures.”

Critics of Lukashenka often see these attacks as a way to secure some form of justice against violent security forces and prison personnel who usually escape prosecution for abuses.

“[N]ow, the protesters have equal chances [as the security structures]– both sides possess a pretty large volume of personal data about the Republic of Belarus’ citizens,” commented Kvantaliani.

The opposition appears to believe that the supposed ends of such breaches justify the means.

In September 2020, former presidential candidate Svyatlana Tsikhanouskaya, whom many Belarusians view as the country’s legitimately elected president, warned that security agency employees violently detaining protesters “should remember” that “Belarusians are ready to de-anonymize those who carry out criminal orders.”

She does not appear to have addressed the Cyberpartisans’ latest operation.

But even before the attack, some Telegram channels had made plain that those sympathetic to Lukashenka can respond to de-anonymization in kind.

Can The Government Strike Back?

Several pro-government Telegram channels in Belarus recently have published a list of Belarusian entrepreneurs who, the channels claim, negotiated with the Latvian and Lithuanian governments about moving their businesses to Latvia and Lithuania from Belarus.

The 18 entrepreneurs named call this a scare tactic by the Belarusian authorities. As anti-government hackers do for their own targets, information about the entrepreneurs’ family members also has been published.

Listed entrepreneurs with corporate branches in Minsk worry that any police retaliation for their moves could also hit their Belarusian employees or business partners, commented one such entrepreneur, who requested anonymity.

Latvia, Belarus’ northwestern neighbor that already houses a sizable Belarusian refugee community, claims that 15 Belarusian companies have moved their production facilities and around 1,000 employees to the European Union member’s territory. But the names of the companies, their owners, and investors have not been made public.

The Latvian authorities are now trying to clarify the source of the data leak of data about the Belarusian businessmen and their family members.

“We’ve run an internal investigation. The data leak was not from us,” stated Reinis Azis, the deputy director for investment at Latvia’s Agency of Investment and Development. “We wrote the [Latvian] State Security Service. They’re conducting their own investigation.”

To protect Belarusian entrepreneurs’ personal information, the Agency now recommends that they “work directly with us,” without intermediaries, so that “no more data will drift away,” Azis said.

Defending Digital Security

Drifting data from the Cyberpartisans’ own hack concerns Ukrainian hacktivist Baranovych. He hopes that no further such data leaks will occur.

“All Belarusian citizens are in a database, and not just the regime’s flunkies,” he commented. “Ordinary people can suffer if there’s a leak [of the Cyberpartisan database] by fraudsters.”

Information about Belarusians’ passports, residence permits, places of work, bank accounts, telephone numbers, criminal records, and much else can be purchased on the darknet for just $50, Current Time confirmed.

Underlining the need for the Cyberpartisans to use their hacked data “carefully,” Belarusian digital security expert Kvantaliani concedes that the information could be sold for use in advertising campaigns or to cybercriminals.

Ultimately, however, Kvantaliani does not question the hackers’ stated intentions “to use this database for their own goals” – namely, to spark protests that could lead to Lukashenka’s downfall.

“[G]iven that the Cyberpartisans have definite, declared goals, we trust them for now,” he said.

Regardless, the group plans to persist with its hacking. “We’ll continue to keep on working so long as they (the government) can’t get us out of the network,” pledged Cyber-Partisan.

Editor's Note: This story was written by Current Time English Editor Elizabeth Owen based on reporting by Current Time Digital Editor Andrei Soshnikov, Baltics correspondent Marija Andrejeva, and Evening newscast anchor Iryna Romaliiska.

Correction: This English text earlier stated that the Belarusian government had recognized all of the Supratsiy groups' Telegram channels as extremist.
In fact, the Cyberpartisans' Telegram channel has not been labeled extremist.