Active Measures Playbook: Belarus Edition

The protests and reprisals that have been playing out in Belarus since the August 9th presidential election represent another chapter in Active Measures campaigns and election subversion. This post, which builds on our December post on Estonia and Montenegro, examines how Belarus follows the Active Measures script, how it differs, and potential impacts on other elections. We will focus on cyber influences – disinformation, censorship and networks. But first, some context on the country and its politics.`

About Belarus:  Belarus is an Eastern European nation of 9.5 million people bordering Russia, Ukraine and three NATO countries. Comparatively, it is slightly smaller than Michigan in population and Kansas in land area. Belarus is a long-time ally of Russia and member of the Commonwealth of Independent States (CIS) and the Collective Security Treaty Organization (CSTO) alliances. The country has a vibrant high-tech sector representing 5.7% of GDP and employing more than 55,000 in 2018. With more than 1.7 public IP addresses, Belarus is in the top-third of nations (72nd) in terms of Internet size, and is the first nation to make IPv6 mandatory for ISPs.

Politics: Belarus has been ruled by Aleksandr Lukashenko since 1994, and is commonly referred to as Europe’s last dictatorship. The results of the last election are contested and Lukashenko, who claimed victory and was sworn in to his sixth term on 23-September, is not recognized by the EU or the US. Lukashenko has long relied on strict censorship, human rights abuse, and material support from Russia to hold power. The stolen election and suppression of rights have sparked the current strife. While Belarus forces are the outward face of the  suppression, it is believed that Russia, seeking to avoid a replay of the Euromaidan 2014 revolution in Ukraine, is actively involved.

With this background, let’s take a look at some examples of active Russian disinformation, and Belarus censorship and network control.

Disinformation: As noted by EUvsDisinfo, a European media research organization that monitors pro-Kremlin disinformation, Belarusian media is tightly controlled by the state and relies on an extensive network of regional websites. Close to half of prime-time content on Belarusian TV is produced in Russia.

The query examples below – which are based on results from the EUvsDisinfo database of over 9,000 samples of pro-Kremlin disinformation since 2015 – illustrate the importance of the Belarus elections conflict to Russia.

In Figure 1 we see that interest in Belarus is high, relative to other search terms including Ukraine, Coronavirus, Vaccine, Trump and Biden.  As shown, ‘Belarus’ is nearly twice as strong as the next nearest term (Ukraine) and more than ten times as strong as the third (Coronavirus).

Shows the relative frequency terms - Belarus (115), Ukraine (60), Coronavirus (10), Vaccine (8), Trump (3), Biden (2)
Figure 1. Term Frequency

The database also provides categorization of results by county audience. The total number of results for the term ‘Belarus’ for the query period is 115. Figure 5 shows the top 5 country audience targets. The US is typically cast as an instigator. Mentions of Poland, Ukraine and Lithuania, are warnings to neighbors to not get involved.  

Countries Targeted by Russian Disinfo: Belarus - 115, US - 37, Poland - 37, Ukraine - 35, Lithuania - 20
Figure 2. Country Targeting

Figure 3, measuring the number of mentions per day over the reporting period, shows the intensity and persistence of interest in Belarus as a topic. On six days there were at least five disinformation posts.

Timeline showing frequency of disinformation posts from 8-Aug to 14-Sept 2020
Figure 3. Disinformation Frequency and Persistence

Joint research from the EAST Center and iSANS, think tanks specializing in Central and Eastern Europe, provide an authoritative list of 40 online resources which regularly publish disinformation, propaganda and hate speech directed at Belarus. Many of these sites have at least indirect connection to Russia’s Embassy in Belarus. In Figure 4 we see the results of our analysis based on correlation of these Website domains with domain and IP registration information. As shown, 53% of the sites are hosted in Russia.

Countries Hosting Disinformation Websites: Russia 53%, US 19%, France 16%, Belarus 3%, Other 3%
Figure 4. Countries Hosting Disinformation Websites

Censorship and Network Control: If there were a Hall-of-Fame for abusers of Internet Freedom, Belarus would be in it, based on its ranking as an ‘Enemy of the Internet’ by Reporters Without Borders every year since 2012. For the period 9-August to 27-September netblocks.org reports on multiple election-day disruptions, including the blocking of election information websites, media websites, anonymous proxy services, use of Deep Packet Inspection (DPI) to filter out key word searches, wide scale Internet blackouts, and cellular outages.

Using the BGP (Border Gateway Protocol) monitors in the LookingGlass ScoutVision platform (full disclosure – LookingGlass is my employer), we set up monitors for all 108 IpV4 Autonomous Systems (ASNs) that comprise the Belarus Internet. As further evidence of control, 44% of the ASNs in Belarus have a single upstream peer, meaning that they can easily be taken off-line by removing them from the routing tables. In Figure 5, we see a composite screenshot of the largest ASN in Belarus, AS 6697 Belpak (AKA Republican Unitary Telecommunication). As shown, we can see the removal of downstream peers from the routing table, some of which are single-peered. The Belarus government can order Internet shut-downs in in this manner.

 BGP Monitor for Largest Belarusian ASN, AS6697 showing removals of downstream ASNs
Figure 5. BGP Monitor for Largest Belarusian ASN

Another example of direct Russian involvement, reported by ZDNet, involves Google’s removal of a malicious app from Play Store which was reporting protestor geolocation information back to domains and IPs registered in Russia.

To recap, the Belarus election interference employs tactics from the Active Measures playbook – disinformation, network control, network spying, election-day network disruptions, and violence. We’ve seen these before in Ukraine, Montenegro, US 2016 and France 2018. If history is prolog, we should expect to see them again, soon.

Leave a Comment

Your email address will not be published. Required fields are marked *

Pin It on Pinterest