In this article, I will scratch the surface of the Belarus web infrastructure, using some basic footprinting techniques

Belarus is a country in Eastern Europe. It is bordered by Russia to the east and northeast, Ukraine to the south, Poland to the west, and Lithuania and Latvia to the northwest. It has a population of 9.5 million. Minsk is the capital and largest city

Belarus had a complex history in the last century, changing hands at various times, to the Grand Duchy of Lithuania, the Polish–Lithuanian Commonwealth, and the Russian Empire. In the aftermath of the Russian Revolution in 1917, the Byelorussian SSR (Soviet Socialist Republic) became a founding constituent republic of the Soviet Union in 1922

After the Polish-Soviet War, Belarus lost almost half of its territory to Poland. Much of the borders of Belarus took their modern shape in 1939, when some lands of the Second Polish Republic were reintegrated into it after the Soviet invasion of Poland

During World War II, military operations devastated Belarus, which lost about a quarter of its population and half of its economic resources

The parliament of the republic proclaimed the sovereignty of Belarus in July 1990, and during the dissolution of the Soviet Union, Belarus declared independence in August 1991. However, Belarus kept strong ties with Russia

Following the adoption of a new constitution in 1994, Alexander Lukashenko was elected Belarus’s first president in the country’s first and only free election post-independence, serving as president ever since. Lukashenko heads an authoritarian government with a poor human rights record due to widespread abuses

Internet infrastructure

Let’s start a quick review about Internet cables providing the Internet to Belarus

The first one is the Transit Europe Asia (TEA) network, which is an international transit fiber-optic cable line passing trough Russia, and linking European countries with Asia. TEA has transmission routes on Rostelecom (Russian National Telecommunication Company : https://bit.ly/3Vwy4Vy) core networks, with extensions to Belarus

A second one is TransTeleCom (TTK), which is one of the leading Telecom operators in Russia. TTK has a partnership with the Russian Railways (https://bit.ly/3EHJv6I)

TTK is operating a large fiber-optic backbone digital communication network, which is laid along the railways of Russia and has many access points in all densely populated regions of the country, connecting the eastern and western borders of the Russian Federation

TTK Eurasia Highway has connections with communication networks of all neighboring countries with Russia, including Belarus, and is an optimal route between Europe and Asia

Belarus has its own local companies able to install underground cables and expand the Internet network. One of these is Minskkabel which is specialized in the manufacture of optical cables for an interconnected communication network between Belarus, Russia, and other neighbouring countries

Now, let’s look at the Belarus country code ccTLD – Top Level Domain and corresponding DNS – Domain Name Server root zone

IANA is responsible to assign the operators of top-level domains, such as .com, and maintain their technical and administrative details

We can find the Belarus ccTLD on the IANA website with the .by country code

IANA is responsible for determining an appropriate trustee for each ccTLD. Administration and control are then delegated to that trustee, which is responsible for the policies and operation of the domain

In the case of Belarus, it is Belarusian Cloud Technologies LLC (beCloud). According to their website, they describe themselves as the first infrastructure operator in Belarus. Here are some key services operated by beCloud :

In the last years, Belarus has been building a sovereign Cloud ecosystem, mostly with the help of major European, US and Asian companies, such as the ones below. The international sanctions on Belarus and Russia are mainly targeted to specific individuals, and do not block necessarily these partnerships and exchange of technology

Taking into account the capital cost of construction of a network and the limited population of Belarus, it was decided to create one single infrastructure operator. beCloud operates several datacenters and has a wide network inside Belarus, and sells the bandwidth to other operators

The chief inspector of the Belarus TLD is the OAC – Operational and Analytical Center

There is much controversy about this agency. A son of Lukashenko had been appointed director some years ago

Here are the main tasks of the OAC

Several agencies are subordinated to the OAC, such as the important National Traffic Exchange Center (NTEC)

The Ministry of Telecommunications controls all telecommunications originating within the country through its carrier unitary enterprise, Beltelecom

The statistics on Shodan show us the importance of Beltelecom as the main operator of routers and switches accross Belarus

Beltelecom owns all the backbone channels that link to external networks such as the one from Rostelecom in Russia

While Beltelecom is in charge of the infrastructure, NTEC is responsible for allowing the access to the international Internet, and grants this service for a fee that is paid by Telecom operators

The Belarus authorities can block the internet as they did in August 2020 during the elections turmoil, as you can see on the chart below

In fact, the American IT company, Sandvine (Procera), had supplied filtering equipment for normal network operations (such as traffic optimization, congestion management, cost efficiency, anti malware…) using a Deep Packet Inspection (DPI) process, with the help of resident engineers

The Sandvine equipement had been used by Belarus authorities to block legitimate traffic and switch off the Internet

Further to this, Sandvine decided to terminate the contract with Belarus : https://bit.ly/3VxIfcg

In Belarus, the state body BelGIE is responsible to manage the list of restricted IPs and traffic : https://belgie.by/en/home

Let’s check the Name Servers provided for the .by Belarus ccTLD (remind that a lot of domains in the world have multiple nameservers to increase reliability)

The main Name Servers n°1 and n°2 are hosted by beCloud in Belarus

Ukrainian Telecommunications Group (UTG) is a major Ukrainian operator, enabling some part of the traffic towards Belarus. RETN is a major international network operator headquartered in UK and managing Eurasian cables going through Ukraine and Russia

The National Traffic Exchange Center (NTEC) has been seen above already, and we can confirm that the NTEC is at the center of the Internet communication from abroad Belarus

Dataline is an IT company located in Russia with cloud capabilities. It’s interesting to see that some backup Belarus Name Servers are hosted in Russia (Dataline) and USA (AWS)

Here below are the main ISP (Internet Service Providers) of Belarus :

Internet usage in Belarus is about 82%, as we can find here : https://bit.ly/3CjOKqz. It is similar as the one of France

The mobile networks 2G/3G/4G are quite widespread, with a stronger concentration of these networks around major cities

The mobile network 5G is not yet deployed, but activities are on-going to implement this latest standard

The overall efficiency of the Belarus network is not that great, probably due to a lower coverage in rural areas

Operational and Analytical Center

Let’s go deeper on the OAC – chief inspector of the Belarus TLD – that we have seen above : https://bit.ly/3gVNzGH

First of all, you shall know that the OAC is entitled by Law to restrict internet, in case of threats to National Security : https://bit.ly/3TrZaei

We can use several footprinting and recon tools for that. Let’s go through the findings using some of these tools

urlscan.io : https://bit.ly/3sG0S0m

The main IP is 195.50.4.123, located in Minsk, and belongs to BCTBY-AS, which is Belarusian Cloud Technologies, as seen above. The site takes advantage of the Google web tracking technologies, helping the webmaster to perform analytics

Google Tag Manager (GTM) has been interesting for hackers, as JavaScript can be embedded inside GTM containers and is executed when a browser loads the link to a container : https://bit.ly/3Nihfd4

Doubleclick (https://bit.ly/3sGfQn9) now belongs to Google and is part of the Google Marketing tools

With all these Google technology embedded inside their website, the admin have a good way to track user navigation on their website

We can read the Javascript global variables, here below

Apart from usual Javascript events, we can confirm the Google analytics and tag manager, already mentioned above. In addition, we find the NS_CSM, which are Citrix variables standing for Client Side Measurement

The CSM is the console included in the Citrix WAF (Web Application Firewall), allowing the Admin to monitor any security events. Here a sample screenshot of the interface

Basically, the Citrix WAF works as follows

The Citrix WAF is based upon a cookie derived from the web client session : citrix_ns_id

In fact, to maintain the state of the session, the Citrix Web App Firewall generates its own session cookie, and passes it only between the web browser and the Citrix Web Application Firewall, and not to the web server

This will ensure that if any hacker tries to modify the session cookie, the WAF will drop the current session, and the WAF will keep the information of the URLs and forms visited by the client

Here further details about how this Citrix WAF is working : https://bit.ly/3UeJ4p7

Here below all cookies generated by the website :

Beyond the citrix_ns_id, we find the citrix_bot_id cookie. This allows the Admin to implement Bot management policies, to block malicious bots : https://bit.ly/3U62hd3

We also see the XSRF token (see here a definition : https://bit.ly/3DIOz9Y), which will help protect against web sites forgeries

Beyond these cookies, we can see some basic web hacking protections

nosniff will help protect against MIME sniffing

SAMEORIGIN will block iframe inclusions that are not from the same web site origin

1; mode=block will prevent XSS attacks

Created for browsers equipped with XSS filters, this non-standard header was intended as a way to control the filtering functionality. Since modern browsers no longer use XSS filtering, this header is now deprecated

We can see that the server is an nginx dealing http requests on the port 443 (as expected)

The website is protected by TLS1.3 and AES256

The website has an encryption certificate delivered by Let’s Encrypt

Some people have criticized the fact that Let’s Encrypt provides CERT services to Belarus. But in fact, they validate only that the server has the proven control over the domain name you are visiting. And beyond that, blocking US CERT would probably push Belarus to implement Russian government Certificate of Authority, with all potential risks for the end users : https://bit.ly/3U8wA2i

For the following analysis, check this reminder about DNS here : https://bit.ly/3E0FmtV, and also here : https://bit.ly/3FOpETN

BuiltWith Technology Profiler : https://bit.ly/3hB2JBy

We can find more details about the front-end, mainly the use of Javascript Framework

We can also find more details about the back-end server

It seems that the server is probably built using PHP version 7 or above (but this has not been detected since 2021 so it may have been replaced by another)

The server has a Sender Policy Framework (SPF), which enables receiving mail servers to authenticate whether an email message was sent from an authorized mail server (spam and spoofing protection)

The server is based upon Nginx. Previously, it was based upon Apache (year 2019), and the OS was Debian (year 2017)

We will see below that it’s now probably running FreeBSD (https://bit.ly/3AbZqaf)

whois

Let’s run a whois against the IP address 195.50.4.123

We confirm that the IP is owned by Belarusian Cloud Technologies LLC, as seen above. There are two contact people, that we can cross check on social networks. We find the Linkedin profile of Andrey Chepikov, which states an experience at “protection of networks against external influences“

dnsrecon : https://bit.ly/3sN1txp

This tool does a DNS enumeration. We find the basic informations about the domain oac.gov.by (MX : Mail Server, A : IP address, TXT : Text record). The Sender Policy Framework (SPF) is configured (v=spf1 -all) , so that only this server can send emails on behalf of the domain

To use Google Analytics, you need to prove that you own the domain. That’s why the Admin added a TXT record to prove this, with google-site-verification. Here is how you can confirm your domain ownership : https://bit.ly/3NE66DR

dig : https://bit.ly/3FTE3hT

We can check if the domain has DNSSEC implemented. In this case, it is not enabled

dnshistory : https://bit.ly/3SPbxkc

We can see that the domain has historical records dating from December 2012

Linkedin

We can find some interesting informations on this social network, such as technologies that the OAC may be actively using :

We can therefore correlate some technical evidences we had found in the previous sections, which increases the probability that the OAC actually uses these technologies

We can therefore assume the following architecture :

• Javascript Vue.js Frameworks for the Front-End
• PHP Laravel, Node.js, React.js Frameworks for the Back-End
• PostgreSQL, MongoDB for the database management

The softwares and services are probably based upon a Cloud Native architecture :

• VMware (Virtual Machines)
• Kubernetes k8s (to manage containerized applications across multiple hosts)
• Gitlab CI (Continuous Integration)
• CEPH as a distributed storage system (https://bit.ly/3Emillf)

p0f : https://bit.ly/3AbaEMb

p0f – passive operating system fingerprinting – can be used to detect the server Operating System (OS). It will detect how the OS implements the TCP/IP stack

In our case, I find that the server machine is based upon Windows XP

Is it weird to find such an outdated version of Windows ? Not quite. Some organizations are still using XP nowadays. For example, the Belarus railway system is using Windows XP, as it was shown to the world during the invasion of Russia into Ukraine (https://bit.ly/3GbVrhG)

In addition, Microsoft has decided to block new Windows licence to Belarus and Russia (https://bit.ly/3Trb5Ja), this will not help Belarus to move to more recent versions

Zenmap

We are going to find additional informations with Zenmap (in fact, it is a GUI version of nmap : https://bit.ly/2Hlfc7P)

The first one is the TCP Sequence Prediction (difficulty = 251 in our case), which is a measure of the risk that a TCP connection can be hijacked by an attacker, predicting the sequence number and preparing a faked packet (you can learn more about sequence number here https://bit.ly/3G9JPMb and also here https://bit.ly/3EsStUZ)

We find the open Ports and more technical informations about hardware used

The open Ports 80 (HTTP) and 443 (HTTPS) are typical for a Web Server

We find a Citrix NetScaler, which is an Application Delivery Controller (ADC) created to optimize, manage, and secure network traffic : https://bit.ly/3X1Coww. This includes the Citrix WAF we have seen earlier

It is also probable that this ADC is acting as a Citrix VPX Load Balancer. A typical network topology would be as follows (VIP = virtual server IP), with internal machines hidden behind the Citrix ADC :

Zenmap provides probable infrastructure informations (with % of probability) :

• Citrix NetScaler VPX load balancer (89%) : as seen above
• Linksys BEFSR41 EtherFast router (86%) : it’s a basic network router
• AVtech Room Alert 26W environmental monitor (86%) : server room real time monitoring of temperature, humidity,…
• FreeBSD 6.2-Release (85%) : it’s probable that the server is based upon FreeBSD 6.2. If true, this is quite an outdated version. We can check the version 6.3 release notes to get an overview of the bugs in 6.2 : https://bit.ly/3UQUhMH

Let’s compare with a direct OS discover using nmap

nmap provides us with a probable guess, that FreeBSD 6.2 is based upon the Virtual Machine Oracle Virtualbox

Web security

We can dig a bit deeper if the web site is well protected, using a vulnerability scanner, such as Wapiti : https://bit.ly/3VxDZss

We get the following report :

Let’s go through the results :

The Content Security Policy header (CSP) lets you precisely control permitted content sources and many other content parameters, and is a recommended way to protect your websites and applications against XSS attacks. A basic CSP header to allow only assets from the local origin is :

Content-Security-Policy: default-src 'self'

When enabled on the server, the HTTP Strict Transport Security header (HSTS) enforces the use of encrypted HTTPS connections instead of plain-text HTTP communication. A typical HSTS header might look like this:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

This informs any visiting web browser that the site and all its subdomains uses only SSL/TLS communication, and that the browser should default to accessing it over HTTPS for the next two years (the max-age value in seconds)

The preload directive indicates that the site is present on a global list of HTTPS-only sites. The purpose of preloading is to speed up page loads and eliminate the risk of man-in-the-middle (MITM) attacks when a site is visited for the first time

An HttpOnly Cookie is a tag added to a browser cookie, that prevents client-side scripts from accessing data. Using the HttpOnly tag when generating a cookie helps mitigate the risk of client-side scripts accessing the protected cookie, thus making these cookies more secure.

The example below shows the syntax used within the HTTP response header :

Set-Cookie: =“[; “=“] [; expires=“][; domain=“] [; path=“][; secure][; HttpOnly]

If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through the client-side script. As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits the flaw, the browser will not reveal the cookie to the third-party

The Secure flag is used to declare that the cookie may only be transmitted using a secure connection (SSL/HTTPS). If this cookie is set, the browser will never send the cookie if the connection is HTTP. This flag prevents cookie theft via man-in-the-middle attacks

It would be good practice to enable the above security flags, thus complying with the OWASP recommendations. However, I assume that the OAC is not so concerned, as the website does not include many rich content, and a powerfull WAF is already implemented

Belarus web infrastructure in summary

Let’s summarize the infrastructure that we have seen above

Conclusion

In this short preview of the Belarus web infrastructure, we have seen the following items, using footprinting methods :

• Belarus has built a sovereign cloud to manage its web infrastructure, with the help of international corporations (US, Europe, Asia,..)
• The Belarus Name Server is backed-up by AWS (USA) and Dataline (Russia)
• The Belarus authorities have a strong degree of control over access points and can block any IP traffic if necessary (such as during the August 2020 elections turmoil)
• The Operational and Analytical Center (OAC) is the chief inspector of the Belarus Top Level Domain (TLD)
• The OAC website performs analytics using Google web tracking technology
• The OAC website is protected with the use of Citrix technology (WAF, Load Balancer), and its root certificate is issued by Let’s Encrypt
• The OAC web server may be based upon an obsolete version of Windows (XP) and does not comply with all the basic OWASP recommendations
• The restrictions applied to Belarus by some US corporations such as Microsoft will limit their ability to implement security patches and updates
• Linkedin profiles are always a good way to learn more about the technologies used by a target