A new wave of Hacktivists is turning the surveillance state against itself

Images and videos from oppressive regimes’ surveillance systems are being leaked in a new surge of suspected hacktivism that uses states’ own panopticons against them. 

This escalation—including leaks involving images from inside prisons in Iran and Belarus—draws on some of the same themes as earlier hacktivist efforts, but suggests a new level of technical and strategic sophistication among groups.

“What is different is the depth and breadth of what they’re doing,” said Gabriella Coleman, a professor at McGill University whose work focuses on digital activism and hacking communities, describing it as a potential “watershed moment.”

The way the groups appear to have leveraged governments’ own tools of oppression to uncover abuse also highlights one inherent vulnerability for government officials who pursue an all-seeing Big Brother: their surveillance systems may also capture and ultimately help expose evidence of their own misconduct. 

This week a group going by the name of Adalat Ali (or “Ali’s Justice”) shared videos of abuses within Iran’s Evin prison—a detention center notorious for housing political prisoners on the outskirts of Tehran—with journalists at Radio Farda (Radio Free Europe), Iran International, and the Associated Press.

The released footage included a clip appearing to show prison officials realizing their system was hacked—with a wall of displays transitioning from apparent surveillance footage from within the prison to displaying messages in Farsi: "Cyberattack" and "General protest until the freedom of political prisoners." 

It also featured videos of guards beating prisoners.

The video evidence resulted in a rare apology and acknowledgement of abuse from the head of Iran’s prison system, the Associated Press reported.

A similar campaign is ongoing in Belarus, where a group known as the Cyber Partisans has been waging a digital battle for a year against Alexander Lukashenko—the country’s dictator who has claimed its presidency since 1994 and is known for overseeing one of the most brutal police states in Europe. (For example, he used a fake bomb threat and sent a fighter jet to intercept a commercial airliner carrying the co-founder of opposition media outlet NEXTA in May, forcing the plane to land so the person could be detained.)

Lukashenko’s Russian-aligned regime has been in crisis with waves of public unrest met with brutal force since the Aug. 2020 Presidential election, which international observers described as essentially… not an election. In a report reviewing the election on behalf of the Organization for Security and Co-operation in Europe, Professor Wolfgang Benedek concluded:

“[T]here is overwhelming evidence that the presidential elections of 9 August 2020 have been falsified and that massive and systematic human rights violations have been committed by the Belarusian security forces in response to peaceful demonstrations and protests.

The U.S. announced it no longer recognizes Lukashenko as the country’s legitimate leader following the outcry over the rigged election. 

Despite this harsh political climate, Belarus has a well-developed tech sector. And members of it almost immediately joined the protests, using their digital skills to expose violence against protesters and sharing data with NEXTA, which released identifying information about members of a special unit of the police known for violence against demonstrators, The Daily Beast reported

One weekend last fall the Cyber Partisans hacked into the state-controlled media networks and broadcast footage of security forces attacking protesters for half an hour instead of the normal newscast, according to The Beast.  

But in recent weeks the alleged hacktivists started releasing portions of what they say is a massive trove of data collected by the government that reveals regime abuses in earnest, Bloomberg News, Current TV, and local Belarusian outlets have reported. The group also said they specifically targeted a speed camera system, both disrupting fine capabilities and the use of those cameras to track regime opponents, according to local outlet Telegraf. 

The data cache includes everything from information about police informants and spies to footage gathered by drones and at detention centers, as well as “secret recordings of phone calls from a government wiretapping system,” according Ryan Gallagher’s coverage for Bloomberg. 

A spokesperson for the Cyber Partisans told Gallagher it has “between 1 million and 2 million minutes of audio.” The group, the person said, includes roughly 15 people, three or four of whom do “ethical hacking” of Belarus’ government systems, while the rest assist with data analysis. Most, according to the spokesperson, are Belarusians involved in the tech sector—some specifically with professional cybersecurity experience. 

That size of a group, and the length of time it has been active, is unusual for active hacktivist organizations—which more often have only a handful of members, according to Coleman.

The extent of the apparent breach astonished some cybersecurity experts when it first emerged:

And the hackers have help—the Cyber Partisans have aligned with a group of Belarusian police officers who defected amidst the unrest last fall known as BYPOL to help analyze and confirm the data, Bloomberg reported.

A new standard for hacktivism

Early hacktivism tended to focus more on leaks directly from inside sources or less sophisticated attacks like taking over Twitter accounts and defacing public websites or making sites inaccessible with DDoS attacks—although some involved breaching systems and leaking information, such as the RedHack group in Turkey. 

But a new generation is emerging, as Joseph Menn at Reuters reported earlier this year, and it has some spooked. 

The U.S. government raised the alarm about politically motivated hackers in the National Counterintelligence Strategy released in early 2020—noting that ”ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations” pose a “significant” threat.

In March, the U.S. indicted anti-capitalist Swiss hacker Tillie Kottman on conspiracy, wire fraud, and identity theft charges for allegedly hacking “dozens of companies and government entities'' and posting data about more than 100 of them online. In interviews prior to their arrest, Kottman described the information they posted as primarily being discovered online through misconfigured security settings. 

Although the charges date back to older alleged incidents, Kottman was raided and arrested by Swiss authorities after they claimed credit for another episode that exposed a surveillance system with suspect security: the hack of U.S. firm Verkada, reportedly using admin login information found online to gain access to live feeds of 150,000 cameras in medical facilities, corporations, schools, and prisons. 

But the level of compromise apparently achieved through sustained efforts in Belarus, especially, may set a new standard for similar hacktivist campaigns, Coleman said. 

”We now know these sorts of operations are totally possible with a group of people with the right skillset and mindset to get together,” she explained. Although clearly an exceptional case, it’s not even “super surprising” that it happened, Coleman said, given the scale of attacks that have already occurred involving nation-state or cybercriminal actors. And now that it’s been demonstrated in a hacktivist context, it could embolden similar groups to deploy the same tactics, she added. 

But the publicity may also be a “double-edged sword” for the Cyber Partisans—it could help with recruiting, but also drive a crackdown on the group, according to Coleman. 

As in most cases involving cyber attacks, there remain questions about attribution surrounding the incidents involving Belarus and Iran, although both campaigns have been claimed by groups citing hacktivist motives. Belarus has not specifically weighed in on Cyber Partisan’s claims, but pointed to “foreign special services” as the culprit behind recent breaches, for example. 

But others, including an advisor to Belarus’ exiled opposition leader Sviatlana Tsikhanouskaya, describe the hacks as a form of direct political action. 

“When people face terror and repression, they can’t defend themselves with arms. They can defend themselves with creativity,” the advisor told Bloomberg.

By using the news of these breaches and data dumps including sometimes disturbing imagery to strategically bring attention to that repression, hacktivists are drawing on a tradition of similar efforts including Wikileaks as well as social media movements like Black Lives Matter, Coleman said. 

“This imagery can be controversial, but it moves people,” she explained. 

The general facts about government abuse in Belarus and Iran aren’t new—they have been long documented by international observers. However, the hacktivist campaigns are hoping sharing proof will make it harder to ignore. 

“It is shocking to see what goes on inside the walls of Evin prison, but sadly the abuse depicted in these leaked video clips is just the tip of the iceberg of Iran’s torture epidemic,” said Heba Morayef, Middle East and North Africa Regional Director at Amnesty International.

Just like hackers can only exploit vulnerabilities already present in a system, this visceral evidence of human rights abuse is only being exposed because humans are continuing to suffer through it. 

Correction: A previous version of this story mistakenly said messages broadcast in Iran’s Evin prison were in Arabic, not Farsi.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Andrea Peterson

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.