This is the fourth in a series of reports on Central Asia, a region generally perceived as ‘closed’ in terms of Internet freedom: authorities monitor it closely and the use of Internet and communication technologies is restricted. This post focuses on Belarus, a country that has been tightening its control over the Internet, especially after 2011, out of fear that activists would use the Internet to organise protests, as had been seen elsewhere in the world.
Belarus is closely tied to Russia and depends mainly on Russian natural resources and financial inflows. The Belarusian government tries to preserve a ‘Soviet Union culture’ through its national economy and policies, while struggling to keep out the ‘Western influence’ of its European neighbours. After the election of December 2010, when people took to the streets to protest against the rigged results that kept Lukashenko in power for a third term, there were clashes with the police; many activists were persecuted and NGOs were restricted in their activities. All these events raised the level of cyber threats faced by civil society organisations.
The cyber attacks on websites and the surveillance of activists carried out by the government were implemented with particular ingenuity and guile. Three major competing intelligence services, the OAZ (Operative Analytical Centre at the President’s administration), the MVD (Ministry of Internal Affairs) and the KGB (Committee for State Security), were responsible for almost all attacks on civil society, online and offline. Since 2012 Belarus has also been listed as an ‘Enemy of the Internet’ by Reporters Without Borders.
Almost 50% of the population of Belarus has Internet access. Because of the high level of censorship and surveillance in the country, many people have had to educate themselves in cyber security technologies. A dedicated NGO located outside Belarus provides support to Belarusian NGOs aimed at improving their digital security; among other things it offers consulting on cyber security issues and organises trainings for NGO employees as well as training of trainers.
Data acquisition by the Belarusian intelligence services is omnipresent. As early as 2010, operators were obliged to provide free, round-the-clock remote access to their subscriber databases. Alexander Lukashenko signed a decree introducing SORM (System for Operative-Investigative Activities), under which all websites had to be officially registered, a responsibility placed on the providers.
Besides SORM, the Belarusian intelligence services occasionally attempt to use viruses and spying software for cyber surveillance of users and organisations. On 13 July 2011 Maxim Chernyavskiy, a journalism student at Belarusian State University, was summoned to a local KGB department and interrogated for five hours. Maxim is the administrator of a community called “We are fed up with Lukashenko” (original Russian name “Надоел нам этот Лукашенко”) on the Russian social network Vkontakte. After a standard ideological brainwashing Maxim was pressured into cooperating with the agency. At one of the meetings that followed, a KGB employee handed him a CD containing spying software that Maxim was to install on the computers of a team of activists living in Poland. Instead of following these “instructions”, Maxim simply left the country and handed the CD over to specialists.
Analysis of the surveillance program on the CD shows that it is made to look like Skype. The program is a self-extracting 7zip archive containing an installer of a commercially available product known as “Remote Manipulator System”, developed by the Russia-based company TEKNOTIT. The system tray icon was replaced with the Skype logo, but the remaining file information of the application still reveals the actual producer and the product name. Installation runs in a “passive” mode that the developer provides for network administrators who need to deploy the software to many machines at once; because of this, the program shows no installation progress and asks the user for no permission. After launch, the program checks its Internet connection by opening the following link: http://rmansys.ru/utils/inet_id_notify.php?test=1. It then starts sending information about the system it runs on to a server; this request contains the ID of the user who registered the program, which is an e-mail address: firstname.lastname@example.org. The program allows an operator to remotely control the computer, watch the screen, access the web camera and microphone, and so on. The team subsequently uncovered further facts about the presence of this virus on the computers of Belarusian activists.
This ‘data theft’ program has been in use since at least July 2011, when the first documented infection of a computer occurred. In that attack, passwords for Skype (the software can start Skype on the remote computer and spy on the user’s communications), social networks, e-mail accounts and even the user’s ISP account were stolen; the desktop screen, showing all of the user’s activity, copies made to the clipboard and text typed in word processors and messengers were recorded. The attackers used three types of malware: the previously described KGB virus known as RMS, developed by TEKNOTIT; UFR Stealer, which infects computers via external flash drives; and Keylogger Detective. These are the so-called “Trojans for schoolboys”, easily purchased on the RuNet for 20-30 USD. Human rights activists become such easy victims of the intelligence services because of the use of unlicensed software and the lack of attention to digital security at their workplaces.
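The one network indicator the analysis above gives for the repurposed RMS installer is its connectivity check against rmansys.ru/utils/inet_id_notify.php. An NGO that routes its office traffic through a proxy can look for that check-in in the proxy log. The following script is an added example, not code from the post or from the experts behind it: the log format and the log lines are constructed for the demonstration, and the follow-up request carrying the registering user’s ID is not modelled because the post does not give its URL.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicator taken from the analysis in the post: the connectivity check the RMS
# installer performs on launch. Host and path are the durable part; the query
# string ("?test=1") may vary, so it is ignored when matching.
RMS_CHECKIN_HOST = "rmansys.ru"
RMS_CHECKIN_PATH = "/utils/inet_id_notify.php"

# Constructed proxy log (not real traffic). One request per line:
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2011-07-14T09:12:03Z 10.0.0.12 GET http://rmansys.ru/utils/inet_id_notify.php?test=1 200
2011-07-14T09:12:05Z 10.0.0.12 GET http://www.skype.com/ 200
2011-07-14T09:13:41Z 10.0.0.27 GET http://rmansys.ru/utils/inet_id_notify.php?test=1 200
2011-07-14T09:14:02Z 10.0.0.12 POST http://RMANSYS.RU/utils/inet_id_notify.php 200
2011-07-14T09:15:30Z 10.0.0.31 GET http://example.org/index.html 200
malformed line without enough fields
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_rms_checkin(url):
    """True when the URL targets the RMS connectivity-check endpoint.

    The host comparison is exact and case-insensitive (no suffix or substring
    matches, so unrelated domains are not flagged); the query string is ignored.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host == RMS_CHECKIN_HOST and parts.path == RMS_CHECKIN_PATH


def scan_lines(lines):
    """Return one finding (dict) per log line that hits the indicator."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # lines that do not fit the format are skipped, not guessed at
        timestamp, client, method, url, _status = match.groups()
        if is_rms_checkin(url):
            findings.append(
                {"time": timestamp, "client": client, "method": method, "url": url}
            )
    return findings


def clients_by_hits(findings):
    """Count hits per client address.

    A client that repeats the check-in is more likely to have the agent
    installed than one that touched the host once.
    """
    return Counter(finding["client"] for finding in findings)


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['url']}")
    print("hits per client:", dict(clients_by_hits(hits)))
```

The matching deliberately keys on host and path rather than on the full URL, because the query string is the part of a check-in most likely to change between builds, and an exact host comparison avoids flagging unrelated domains that merely contain the string. A hit is a reason to pull the machine for inspection, not proof by itself; the file information of the installed binary, which the post notes still names the real producer, is the confirming artefact.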
Content filtering is widely implemented in Belarus. The first blocking of a web resource occurred on 9 September 2001, when the charter97.org website was blocked. Later, access to this resource (organised and supported by opponents of the current Belarusian government) was filtered or blocked for users in Belarus in several ways. For example, there are claims that users in Belarus trying to reach charter97.org were redirected to a website with a similar name in the .IN zone; the fake site had an interface similar to the original but contained false information. In January 2008 the blocking was carried out by throttling the connection to this particular website, so the site could still be reached, but only very slowly.
On 19 December 2010 the encrypted SSL protocol (TCP port 443) was blocked in Belarus. In 2011 LiveJournal was blocked because the popular blogging platform hosted articles by Evgeniy Lipkovich directed at the Writers Union of Belarus; according to official information, the reason for the blocking was supposedly the “dissemination of information of destructive nature and violation of the State’s symbols”. Moreover, occasional blocking of the Vkontakte social network continues: the network is blocked every Wednesday during the so-called “silent protest actions” and comes back into operation once the action is over. The silent evenings of applause, actions promoting economic and political change in the country, were initiated by the community “Revolution via social network”, a virtual group on Vkontakte. The blocking was implemented by the IP address of the Vkontakte server and therefore cut off access not only to the community page but to all the other information, blogs and pages hosted there.
In mid-August 2012 the Operative Analytical Centre at the President’s administration (OAC), in cooperation with BELTELECOM, blocked the DNS servers of DNS Made Easy LLC and thereby prevented Belarusian Internet users from reaching many websites, including the worldwide petition platform change.org. That website, for example, was used for campaigning in support of the release of journalist Anton Suryapin and real estate broker Sergey Basharimov, both arrested by the KGB on charges of abetting the Swedes who crossed the border to disseminate teddy bears and posters in support of freedom of speech in Belarus.
Other types of potential attacks and threats
DDoS attacks are frequently used to temporarily “jam” the web resources of Belarusian NGOs, activists and the opposition. Several major websites supported by opponents of the existing government (www.belaruspartisan.org, www.charter97.org and www.electroname.com) are often under DDoS attacks of various types and strengths.
Besides DDoS attacks there are cases of hacking, interception and phishing attacks against groups and communities in social networks. After the election in December 2010 a number of social network accounts (mainly on Vkontakte and Facebook) belonging to citizens of Belarus were hacked. The victims were Internet users who had been spotted by the intelligence services during the demonstrations in Minsk on 19 December, the day of the presidential election: users of these networks reported that contacts of theirs appeared on-line while they were being held by the police at police stations. On the same day the HTTPS protocol was blocked in Belarus, which cut off Gmail and Facebook. The authorities simply blocked TCP port 443, which, according to “Belarusian partisan”, indicates their intention to intercept the passwords of Internet users’ personal accounts.
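The port-443 blocking described here and in the earlier paragraph on 19 December 2010 has a simple signature from the user’s side: the same host answers on port 80 but the TCP handshake on 443 never completes or is reset. The script below is an added example, not code from the post or its experts; it probes a list of hosts (the default targets are placeholders, not sites named in the post) and separates “443 blocked” from “host unreachable”, which a one-port check cannot do.

```python
import socket

# Placeholder targets, not sites from the post; replace with hosts you normally use.
DEFAULT_TARGETS = ["www.example.com", "www.example.org"]
PORTS = (80, 443)


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and report the outcome as a short label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"  # SYN dropped: the pattern of a silent port block
    except ConnectionRefusedError:
        return "refused"  # RST received, from the host or from a filter
    except OSError:
        return "error"  # DNS failure, no route, etc.


def classify(results):
    """Map {host: {80: outcome, 443: outcome}} to a verdict per host.

    Reachable on 80 but not on 443 is the signature of port-level blocking;
    unreachable on both says nothing about 443 specifically.
    """
    verdicts = {}
    for host, ports in results.items():
        plain, tls = ports.get(80), ports.get(443)
        if plain == "open" and tls == "open":
            verdicts[host] = "ok"
        elif plain == "open" and tls in ("timeout", "refused"):
            verdicts[host] = "443-blocked"
        elif plain != "open" and tls != "open":
            verdicts[host] = "host-unreachable"
        else:
            verdicts[host] = "inconclusive"
    return verdicts


def blocking_suspected(verdicts, threshold=0.5):
    """Blanket port-443 blocking is suspected when at least `threshold` of the
    hosts that answered on port 80 failed on 443. Hosts with no usable
    80/443 comparison are left out of the ratio."""
    judged = [v for v in verdicts.values() if v in ("ok", "443-blocked")]
    if not judged:
        return False
    return judged.count("443-blocked") / len(judged) >= threshold


def run(targets=DEFAULT_TARGETS):
    """Probe every target on 80 and 443 and return the per-host verdicts."""
    results = {host: {port: probe(host, port) for port in PORTS} for host in targets}
    return classify(results)


if __name__ == "__main__":
    verdicts = run()
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
    print("blanket 443 blocking suspected:", blocking_suspected(verdicts))
```

The point of the two-port comparison is the one the post makes: a port-443 block is an invitation to fall back to plaintext, and the safe response when the script reports “443-blocked” for most hosts is not to log in over port 80 at all, rather than to treat the sites as merely down.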
Potential threats, possible ways of their escalation and suggested mitigation measures
The digital security situation of NGOs in Belarus is heterogeneous today and depends on factors such as the location and specifics of each organisation. In general, an understanding of the problem and of the need for protection is common among NGOs and media organisations located in the capital. The situation is less promising for NGOs outside the capital; in rural areas, awareness of the available protection toolset and a detailed understanding of the issue are characteristic of only a handful of NGOs and organisations. For those organisations the following key factors hold:
– The employees have taken part in digital security training for NGOs;
– A competent technician has been hired;
– There are financial resources to follow the security protocol.
Today many NGO employees in Belarus are over 40 and have little knowledge of digital security. Many of those who fell victim to searches and mass seizures after the 2010 elections were in this category. According to the interviews, only one organisation managed to move its equipment out before the confiscation, leaving behind only a note with a fig sign on the table.
Furthermore, as in other CIS countries, there is the problem of pirated software used for office work. Almost all NGOs use illegal copies of software, which undermines the digital security of their users; the cost of even basic software packages (operating system plus office suite) is too high for them. The low level of competence of most technical specialists working with NGOs rules out a switch to FLOSS and the retraining of employees it would require.
The next presidential elections in Belarus are scheduled for 2015. It is expected that all types of threats to the civil society opposing the current government (not only the opposition, but also other organisations and individuals supporting fair and transparent elections) will escalate, digital threats included. Unfortunately, the opinion poll indicates that the experience of the repressive measures of 2010 and their consequences (a large amount of information was retrieved from computers seized from NGOs and opposition organisations) motivated the use of digital security tools only for a short period. It is therefore recommended to support initiatives aimed at raising the level of protection of the main risk groups (NGOs, civil activists, human rights activists and election monitoring organisations).
This post was written in cooperation with security experts in the region and is based entirely on their findings.