4 May 2024, Saturday, 21:07

Cyberarms of Belarusian KGB


The investigation into the hacking of charter97.org and electroname.com before the New Year has yielded overwhelming results.

As it turned out, the computers, private correspondence and conversations via Skype, email and social networks of some employees of the Charter’97 editorial office (the computer of the content administrator, who had access only to the admin console of the charter97.org website), as well as of some well-known Belarusian journalists, politicians, public leaders and activists, were under the clandestine control of the Belarusian special services, electroname.com reports.

The Trojan network was controlled through a few mailboxes; access to a few of them was obtained: boss.bigben@mail.ru and 123asqedws@mail.ru.

Analysis of the activity logs that the viruses sent from the infected computers shows that the special services illegally eavesdropped and spied on the editorial office of Charter’97, as well as on Iryna Khalip, Maryna Koktysh, Syarhei Vaznyak, Pavel Marynich, Alena Novikava, Viktar Radzkou and many other people. There were attempts to infect the computers of the Belarusian Association of Journalists; of Dzmitry Laeuski, Ales Byalyatski’s lawyer; and of Vyachaslau Dziyanau (Dyyanau), a coordinator of the “silent protest rallies”. It is not known whether the attempts were successful.

The network had been operating since at least July 2011, when the first documented infection of one of the computers took place. Skype passwords were stolen (which makes it possible to open Skype on another computer and read all of the user's conversations), as well as passwords for social networks and email, and even passwords for access to the internet provider. The picture of the desktop showing the user's actions was monitored, as were clipboard copying and text typed in text editors and messengers.

The attackers used three types of viruses: the already known virus of the KGB, or RMS by TektonIT; UFR Stealer, a virus that infects a computer through a USB stick; and Keylogger Detective. These are so-called “Trojans for schoolchildren”. They could be freely bought on the Russian internet for 20-30 dollars.

It has been possible to identify the Belarusian IP address belonging to the owners of the viruses and of the two email addresses. The address was stored in the sent and test emails in both mailboxes. It is the same address as in the logs of the attacks against charter97.org and electroname.com: 178.124.157.86. The IP address was also recorded in the email and server logs on different dates; that is, it is a static address and is used constantly.

In other words, the infection of the computers, the eavesdropping and the cyberattack against the websites were carried out by the same group.
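The correlation described above, an address recurring in mailbox messages and in web server logs on different dates, can be sketched as follows. This is an added example, not part of the original article or the investigators' tooling; the mailbox messages and log lines are constructed, the IPs are RFC 5737 documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample data (not from the investigation); documentation IPs only.
MAILBOX = [
    "Received: from [203.0.113.7] by mx.example with HTTP; "
    "Mon, 05 Dec 2011 10:15:00 +0300\nSubject: test\n\nbody",
    "Received: from [203.0.113.7] by mx.example with HTTP; "
    "Tue, 20 Dec 2011 18:02:00 +0300\nSubject: test 2\n\nbody",
    "Received: from [198.51.100.9] by mx.example with SMTP; "
    "Wed, 21 Dec 2011 09:00:00 +0300\nSubject: report\n\nbody",
]
ACCESS_LOG = """\
203.0.113.7 - - [29/Dec/2011:23:40:12 +0300] "POST /admin/ HTTP/1.1" 200 512
192.0.2.44 - - [29/Dec/2011:23:41:00 +0300] "GET / HTTP/1.1" 200 9000
203.0.113.7 - - [30/Dec/2011:00:02:45 +0300] "POST /admin/ HTTP/1.1" 200 512
"""
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
LOG_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[([^\]]+)\]")

def mail_sightings(raw_messages):
    """Yield (ip, date, 'mail') from each Received header, using the
    timestamp stamped by the receiving server (after the last ';')."""
    for raw in raw_messages:
        for header in message_from_string(raw).get_all("Received", []):
            day = parsedate_to_datetime(header.rsplit(";", 1)[1].strip()).date()
            for ip in BRACKETED_IP.findall(header):
                yield ip, day, "mail"

def log_sightings(log_text):
    """Yield (ip, date, 'web') for every parseable access-log line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            day = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").date()
            yield m.group(1), day, "web"

def correlate(sightings):
    """Return {ip: sorted dates} for IPs seen in both sources on more than one date."""
    sources, dates = defaultdict(set), defaultdict(set)
    for ip, day, source in sightings:
        sources[ip].add(source)
        dates[ip].add(day)
    return {ip: sorted(dates[ip]) for ip in sources
            if sources[ip] == {"mail", "web"} and len(dates[ip]) > 1}

if __name__ == "__main__":
    hits = correlate([*mail_sightings(MAILBOX), *log_sightings(ACCESS_LOG)])
    for ip, days in hits.items():
        print(ip, "seen in mail and web logs on", ", ".join(map(str, days)))
```

An address that appears in only one source, or on a single date, is not reported; a recurring match across both sources is what supports the "static address, same operator" reading.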

Judging by the fact that Maxim Charnyauski, recruited by an overseer, Dzima, from the KGB, had also been given the task of infecting the computer of Vyachaslau Dziyanau with the RMS virus by TektonIT, one can reasonably suggest that it is a group of cybercriminals from the KGB.
