Belarusian Cyber-Partisans Claim New Year’s Weekend Attack Wiped Servers, Backups
Over the New Year’s holiday weekend, Belarusian hacktivists shut down the country’s leading state-owned media outlet, claiming they had wiped the main website servers and backups of BelTA. The group said its actions had been retaliation against President Alexander Lukashenko’s propaganda campaign.
The hacktivist group, which calls itself the Belarusian Cyber-Partisans, said in a Telegram post that it had hacked the internal network and wiped the backup and main website servers – including all accounting, workstations and archives – of the state-owned national news group called the Belarusian Telegraph Agency.
BelTA is the largest news organization of the country. It was created by the authoritarian regime almost a decade ago and includes content in Belarusian, Russian, English, German, Spanish, Polish and Chinese languages. All of the agency’s websites and domains still appear to be offline at the time of writing this article.
Neither BelTA nor the Belarusian Internal Ministry has released an official statement on the attack, but local media confirmed the hack and website defacement operation in this message: “When there is no one to tell the Belarusians the truth, we tell it. We pass on New Year’s wishes from our volunteers through the official BelTa website.”
A search on the Internet Archive’s Wayback Machine shows attackers defaced a BelTA website with several messages – one claiming the “cyberattack on the computer network of the Belarusian Telegraph Agency.”
“Propagandists of the Belarusian Telegraph Agency are harming the Belarusian people along with punitive forces from the Ministry of Internal Affairs and Lukashenko’s special services,” the hacktivist group said in a post published on a publicly accessible website.
“All the years of dictatorship, they have been poisoning the minds of Belarusians with lies and manipulations to please the tyrant. For this, we are striking at the Belta computer network, paralyzing the work of pro-government propaganda websites and destroying backups,” the hacktivists said.
Retaliation Against ‘Freedom of Speech’ Oppression
The attacks are believed to be a retaliatory measure against Belarusian and Russian government restrictions on freedom of speech and a free press, including a ban on independent media houses such as Tut.by and its spinoff zerkalo.io.
In August 2021, a Minsk Central District Court, in response to a summons from the Ministry of Internal Affairs of Belarus, labeled the Tut.by and Zerkalo.io sites as “extremist.” The ruling banned the two news sites and their social media platforms. Authorities also prohibited anyone from sharing information from the media outlets. Violators could face jail time or fines.
Russia then banned independent news websites in the country on the first day of its Ukraine invasion, most likely because of its coverage of the war. Zerkalo’s coverage included “methods of warfare (attacks on civilians, attacks on civilian infrastructure), quantitative losses of the Russian armed forces and casualties among civilians,” which the Roskomnadzor – the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media – deemed as “false information regarding the essence of a special military operation on the territory of Ukraine.”
Belarus ranks third among countries that jail journalists. Fifty-five journalists were imprisoned in Belarusian jails for at least 48 hours in 2023. “When a working journalist is imprisoned, the right to honest news and information of millions is violated,” tweeted Belarusian opposition leader Sviatlana Tsikhanouskaya. “We must honor the courageous journalists who risk everything to bring us the truth.”
More Details on the Hack
The Belarusian Cyber-Partisans said they launched the cyberattack on the morning of Dec. 29 in hopes that conducting it during the holiday weekend would make the hack a huge “success.”
The group explained that typically an attack on an organization’s internal network takes several weeks to months to develop. “But, according to our information, someone had previously tried to encrypt the Belta network, but did not complete the job. We knew that since then the ‘holes’ in the network had not been fixed, and we decided to take advantage of this,” the hacktivists said. They did not reveal the point of initial access.
Screenshots shared in the post show access to the HikCentral panel, which the Cyber-Partisans claim is “the internal pass system for employees of the Belarusian Telegraph Agency.” HikCentral is Hikvision’s professional series that provides modular platforms for common business applications including video, access control, attendance and more.
Hikvision did not immediately respond to Information Security Media Group’s request for comment. Hangzhou, China-based Hikvision Digital Technology Co. has often been in the news for critical flaws in its products (see: Vulnerable Hikvision Cameras Exposed Online).
The hacktivists said BelTA employees did not comply with the basics of computer security and information hygiene. “For example, they used pirated software and systems” and thus “suffered heavy losses,” the hacktivists claimed. “When the admins were fussing and trying to put out the ‘fires,’ we calmly watched them and continued to overwrite the servers and interfere with their work.”
The attackers said they had stolen 90 gigabytes of data, including internal documents and accounting and personal data of employees.
The news agency is “virtually paralyzed” and “employees are forced to try to complete tasks from home computers,” the hacktivists said, but ISMG could not verify the claims. According to the hacktivists, “the authorities forbade BelTA employees from talking about [the] cyberattack.”
Opposing the Russia-Ukraine War
Lukashenko, a staunch ally of Russian President Vladimir Putin, allowed the Russian military to move through Belarus to stage the invasion of Ukraine in February 2022. In response, the Cyber-Partisan hacktivists targeted the Belarusian rail system to stop Russian troops’ artillery movement near Ukraine’s border. Yuliana Shemetovets, spokesperson for the Belarusian Cyber-Partisans, told Information Security Media Group at the time that the group had shut down the electronic ticketing system on the website (see: Hacktivists Hit Belarusian Railroad to Stop Russian Troops).
The hacktivists maintained persistence in the railroad network and initiated another attack a month later that targeted the traffic control system called the Neman dispatcher. The Belarusian government did not confirm any of these cyberattacks at the time (see: Update: Cyber Hacktivists Target Belarus for Supporting Russia).