A recent Kaspersky report offers a rare glimpse into the alleged arsenal of politically motivated hackers waging a digital war against authoritarian regimes in Russia and Belarus.
Analysis Summary
# Threat Actor: Cyber Partisans
## Attribution & Identity
* **Identified As:** A Belarusian hacktivist group originally emerging after the August 2020 protests against Alexander Lukashenko's election.
* **Aliases:** Belarusian Cyber Partisans.
* **Associations:** Politically motivated hackers waging a digital war against authoritarian regimes in Russia and Belarus.
## Activity Summary
* The group has grown in size and sophistication since its emergence.
* **Key historical operations include:**
  * An attack on the state-run Belarusian railway, which allegedly disrupted the supply of Russian weapons.
  * A breach of classified servers at Belarus' Ministry of Internal Affairs, gaining access to internal communications.
  * An attack on Belarus' state-run fertilizer manufacturer last April, which disrupted its energy generation facility, compromised security and surveillance systems, encrypted computers and email, and wiped database and server backups.
* They acknowledged using wipers and sometimes employed ransomware in their operations.
* They intentionally conduct "noisy" operations, though they claim most current operations are classified.
## Tactics, Techniques & Procedures
* **Data Collection/Espionage:** Using the backdoor **Vasilek** to collect system information, including keystroke logs, application screenshots, and network infrastructure details.
* **C2/Data Exfiltration:** Transmitting stolen data and receiving commands via **Telegram messenger groups** instead of traditional C2 servers.
* **Disruption/Destruction:** Deploying data-wiping malware named **Pryanik**, which functions as a "logic bomb," activating at predetermined times to maximize disruption.
* **Operational Timing:** Frequently deploying malware overnight or early in the morning when IT staff presence is low.
* **Dispute over Wiping:** They dispute the claim that data is unrecoverable in wiper attacks, stating they exfiltrate critical data beforehand or use ransomware.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the text.
## Targeting
* **Sectors:** Government organizations, industrial organizations, state-run railway, state-run fertilizer manufacturer.
* **Geography:** Russia and Belarus.
* **Victims:** Belarus' Ministry of Internal Affairs, the Belarusian railway, Belarus' state-run fertilizer manufacturer.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Vasilek:** A backdoor for system information collection.
  * **Pryanik:** Data-wiping malware that operates as a logic bomb.
  * Ransomware (used in some operations; the specific family is not named).
* **Infrastructure:**
  * Utilizes **Telegram messenger groups** for C2 communication and data transmission.
  * No specific IPs or domains were provided.
## Implications
The Cyber Partisans pose a significant, politically motivated threat focused on espionage and disruption against regimes in Russia and Belarus. Their use of non-traditional C2 (Telegram) and complex malware like timing-based logic bombs suggests increasing sophistication, challenging standard perimeter defenses. Their activities are inherently disruptive, targeting critical infrastructure elements like railways and energy facilities.
## Mitigations
* Monitor and analyze network traffic and system activity for communications that leverage instant messaging applications (such as Telegram) for command-and-control or data exfiltration.
* Implement robust endpoint detection and response capable of identifying custom or logic-bomb malware patterns (like Pryanik).
* Ensure comprehensive and geographically separated backups are maintained, tested, and protected against deletion/wiping actions.
* Review defensive measures against sophisticated insider threats or externally controlled logic bombs targeting predictable low-staff times (overnight/early morning).
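As an added illustration of the first and last mitigations above (not part of the Kaspersky report or this summary), the following Python hunt runs over constructed proxy log lines and flags workstations whose non-messenger processes reach the Telegram Bot API, noting whether any of that traffic fell in an assumed overnight low-staff window. The process allowlist, log format, host names and the 00:00-06:59 window are all assumptions for the example.

```python
"""Hunt for Telegram-based C2 in proxy logs (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime

# Assumed allowlist: processes that are expected to talk to Telegram.
APPROVED_CLIENTS = {"telegram.exe"}
# api.telegram.org is the public Telegram Bot API endpoint.
TELEGRAM_HOSTS = {"api.telegram.org"}
# Assumed low-staff window (local time), per the report's timing TTP.
OFF_HOURS = range(0, 7)

# Constructed sample lines: timestamp,src_host,process,dest_host,bytes_out
SAMPLE_LOG = """\
2024-03-02T02:14:07,WS-0142,svchost.exe,api.telegram.org,184320
2024-03-02T09:30:11,WS-0201,telegram.exe,api.telegram.org,2048
2024-03-02T03:05:44,WS-0142,svchost.exe,api.telegram.org,5242880
2024-03-02T14:12:00,WS-0077,chrome.exe,example.com,1200
"""


@dataclass
class Alert:
    host: str
    process: str
    first_seen: datetime
    total_bytes_out: int
    off_hours: bool  # True if any flagged request fell inside OFF_HOURS


def parse_line(line):
    """Split one CSV proxy record into typed fields."""
    ts, src, proc, dest, size = line.strip().split(",")
    return datetime.fromisoformat(ts), src, proc.lower(), dest.lower(), int(size)


def hunt_telegram_c2(log_text, approved=APPROVED_CLIENTS):
    """Return one Alert per (host, process) using Telegram unexpectedly,
    largest upload volume first (exfiltration is the report's concern)."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dest, size = parse_line(line)
        if dest not in TELEGRAM_HOSTS or proc in approved:
            continue
        alert = alerts.setdefault((src, proc), Alert(src, proc, ts, 0, False))
        alert.total_bytes_out += size
        alert.off_hours = alert.off_hours or ts.hour in OFF_HOURS
    return sorted(alerts.values(), key=lambda a: a.total_bytes_out, reverse=True)
```

In a real deployment the allowlist would come from the endpoint inventory and the log lines from the proxy or DNS telemetry, with the off-hours flag used to prioritise triage rather than as a sole indicator.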