As the prospect of further Russian aggression in Ukraine looms, the Biden administration is concerned about Russian cyber operations against the U.S. and its allies. Yet as the White House engages with Moscow and builds out plans around these risks, it must watch an overlooked development in Russia’s near-abroad: growing cyber integration between Belarus and the Kremlin.
In November 2021, Mandiant published a report assessing with “high confidence” that the UNC1151 cyber group, which assisted the longstanding “Ghostwriter” campaign — stealing government credentials and spreading disinformation in Europe — is linked to the Belarusian government. It also assessed with “moderate confidence” that Belarus “is also likely at least partially responsible for the Ghostwriter campaign.”
Significantly, the report’s authors added: “We cannot rule out Russian contributions to either UNC1151 or Ghostwriter.”
The report raises the prospect that Belarus is engaged in cyber-enabled influence operations abroad, and the authors explicitly say that Moscow’s hand cannot be ruled out. However, events in the backdrop provide reason to be skeptical that Minsk is capable of sophisticated cyber operations independent of Russia. Both countries’ security and geopolitical aims likewise call into question the relevance of any distinction between demonstrated Russian cyber operations and putative Belarusian ones.
A Belarusian APT?
In July 2020, Mandiant published a report detailing an influence campaign, which began at least in March 2017, targeting Eastern European countries with anti-NATO and anti-U.S. information. Mandiant dubbed it “Ghostwriter.” The campaign was comprehensive, using compromised websites and spoofed email accounts to spread fake news articles, quotes, documents and other information — after which inauthentic online personas wrote articles referencing the material. While the report did not attribute Ghostwriter to a specific actor, it noted the campaign’s alignment with Russian security interests.
In April 2021, Mandiant published a second report on Ghostwriter, noting an observed “expansion of narratives, targeting and [tactics, techniques and procedures]” since July 2020. Among other developments, the report cited the hacking of Polish officials’ social media accounts to spread disinformation and assessed with “high confidence” that UNC1151, “a suspected state-sponsored cyber espionage actor,” was involved in at least some aspects of Ghostwriter. There was mention of Belarus — like the targeting of a Belarusian blogger and Belarus being a subject of some disinformation narratives — but nothing about Minsk’s involvement.
While the recent report asserts UNC1151 is linked to the Belarusian government and thus that Belarus is involved in Ghostwriter, there is strong overlap between Russian and Belarusian interests in the campaign. Anti-NATO disinformation and combined cyber and information operations fall well within Moscow’s purview. Further, the most recent Mandiant report says that UNC1151 “has not targeted Russian or Belarusian state entities. It has spear phished intergovernmental organizations dealing with former-Soviet states, but not their governments.” The report does not say whether or not UNC1151 targeted non-state actors in Russia, begging the question of whether it targeted Russian entities at all. Minsk certainly has no reason to run anti-NATO disinformation campaigns in Russia, but this targeting of entities outside Russia closely mirrors the Russian spectrum of continuous cyber operations — from state-backed operations to loosely tolerated ones that attack foreign targets and don’t undermine Kremlin objectives.
One noteworthy hint as to the architects of UNC1151 can be found in screenshots embedded in Mandiant’s report. A linguistic nod to Moscow’s historical colonialism toward Belarus likely also reflects its guiding hand in the Ghostwriter campaign: Cyrillic “allusions to Belorussiya” (the tsarist-era term used for the “white Russia” expanse of the Russian empire), vice “Belarus” (the term Belarusians have commonly used to refer to themselves, particularly since 1991).
Cyber capacity with the regime, or with the people?
Prior to the Lukashenko regime’s manipulation of the August 2020 elections and subsequent crackdown on his political opponents, relations between “Europe’s last dictatorship” and the West were slowly beginning to thaw. This dynamic reverberated in the Belarusian economy, most prominently in its tech sector. By the mid-2010s, over half a billion dollars in tech exports were pouring out of this “Eastern European Silicon Valley” — many of them destined for clientele in the United States and European Union. As these economic ties solidified, and as opportunities for young, tech-savvy Belarusians expanded, voters saw prospects for greater reforms.
However, as mass protests against the rigged election outcome were unleashed across the country, Belarusian security services — many officers of which defected to the oppositionists’ side — found difficulty containing the unrest. The Belarusian KGB, or BKGB, raided Yandex and Uber offices in Minsk, betraying some desperation in curbing protesters’ technical capacity to organize. Reports out of Moscow also indicated the Russian Federal Security Service (FSB) was lending a guiding hand.
Throughout the course of the next year, the Lukashenko regime’s thuggish security services found themselves continually humiliated by a band of hacktivists, dubbed “Cyber Partisans.” Staffed by disaffected officers and tech-sector dissidents, the group hacked and defaced state websites, pilfered internal databases of regime officials’ vehicles and passports, and leaked audio and video recordings of government malfeasance. The group’s exploits continued through 2021, feeding investigative insights into the corruption of the Lukashenko regime.
While not necessarily diagnostic, the Lukashenko regime’s apparent lack of technical prowess and degree of dependency on Russian counterparts to deal with domestic turmoil since 2020 appears incongruent with the degree of sophistication the Ghostwriter campaign entailed.
What’s yours is mine, by default
Building on the legacy of the Soviet-era KGB, the Lukashenko regime kept the bulk of the technological and bureaucratic infrastructure (including KGB nomenclature) in place. Subsequent agreements concluded under the auspices of the CIS — in which Russia enjoys a preponderance of influence — prioritized joint computer crime prevention in 2001 and have only intensified since then, culminating in a recent increase in law enforcement cooperation. This degree of compatibility between Russian and Belarusian security services thus increasingly blurs any meaningful distinction between them. Lukashenko himself noted this dynamic last summer, nodding to the “commonality” of their tasks.
Through a mixture of inertia and design, this “shared” sense of duty also extends to the cyber and digital surveillance domain. Moscow’s system for lawful intercept of telephony (and later, online traffic) — the System for Operative Investigative Activities, or SORM, orchestrated by the Russian Federal Security Service — was largely adopted and duplicated by Belarus, among other CIS member-states. In practice, this means Moscow’s “domestic” technical surveillance capacity likely encompasses Belarus in its entirety. Unlike U.S. and European analogs which enable companies to verify the validity of a wiretap order, SORM-related laws in Russia and Belarus compel service providers to install eavesdropping equipment; the associated warranty is classified. The outfitting, servicing and maintenance of the system is conducted by the same set of Russian contractors, some of which were recently consolidated into a near-monopoly under a holding company administered by Kremlin-linked oligarch Alisher Usmanov. SORM equipment, meanwhile, is marketed and installed by states throughout the globe.
That the burgeoning Belarusian tech sector became an immediate target of the Lukashenko regime during the 2020 uprisings, and that Moscow continues its concurrent push for tech indigenization, sends an ominous signal to Western firms outsourcing operations to the region (several of which have reportedly borne the brunt of major Russian cyber operations). Indeed, the prospect that Russian security services pilfer lucrative source code developed in Belarus — long before it reaches end-users in the West — should not be ruled out. Belarus may be not only a staging ground for cyber-enabled operations against foreign targets, but a valuable exfiltration-point for foreign technology development.
U.S. policymakers must recognize that growing cooperation and blurry distinctions between Russian and Belarusian security services will shape the cyber operations landscape. The Russian government already sends intelligence operatives overseas to launch cyber operations in and from other countries. Moscow has also set up front organizations in multiple other countries to conduct cyber and information operations against foreign targets. This report and other events are a critical reminder that dealing with Russian cyber operations may increasingly mean dealing with Belarusian involvement as well.
Gavin Wilde (@gavinbwilde) is a managing consultant at Krebs Stamos Group and a non-resident fellow at Defense Priorities.
Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative and a research fellow at the Tech, Law & Security at American University Washington College of Law.