Incident-as-a-Service
Ukrainian hackers uncover how Russian drone operators are using Belarus
The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.
- Threat Intelligence Analyst: They will benefit by learning how to trace and attribute complex campaigns that cross national borders and leverage third-party infrastructure, enhancing their analytical tradecraft.
- Security Operations Centre (SOC) Analyst: They will gain practical skills in writing and tuning SIEM detection rules for this specific attack pattern, improving their ability to identify similar covert operations early.
- Chief Information Security Officer (CISO): They will learn how to communicate the business and geopolitical risks of such attacks to the board, and how to map defensive measures to compliance requirements like NIS2 and DORA.
30-day guarantee. Instant access after payment. Lifetime updates for this incident package.
How This Course Is Structured
Clear progression from incident context to practical controls and role-specific action steps.
1. Incident Breakdown
Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.
2. Defensive Controls
Actions your team can implement in the same 48-hour response window used by active security teams.
3. Evidence & Reporting
Completion records and learning outcomes packaged for governance, insurance, and audit workflows.
Course Outline
4 modules · 16 lessons · ~192 min total
Module 1: Threat Intelligence
Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.
Module 2: Detection and Response
Practical detection strategies using SIEM, endpoint analysis, and incident response procedures. Build effective playbooks.
Module 3: Infrastructure Hardening
Implement defensive controls including authentication hardening, zero trust principles, and secure architecture patterns.
Module 4: Organisational Readiness
Build security culture, communicate with leadership, manage vendor risks, and ensure compliance integration.
Free Sample Lesson
Read one full lesson before purchasing. No signup required.
Ukrainian hackers uncover how Russian drone operators are using Belarus
Lesson 1 of 16 · Lesson 1.1: Ukrainian hackers uncover how Russian drone operators are using Belarus
Compliance Framework Mapping
| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5 | Establish an ICT risk management framework |
| ISO 27001 | A.5.7 | Threat intelligence |
| NIST CSF | ID.RA-2 | Threat and vulnerability information is received from information sharing forums and sources |
| NIS2 | Article 21 | Policies and procedures on risk analysis and information system security |
| SOC 2 | CC7.1 | The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. |
| GDPR | Article 32 | Security of processing |
Introduction
Welcome to Lesson 1.1: Ukrainian hackers uncover how Russian drone operators are using Belarus! Over the next 45 minutes, we will explore how modern cyberattacks are not just about code, but about exploiting real-world infrastructure and geopolitical seams.
But first, let me tell you about Captain Ihor Kovalenko.
It's just after 3 AM on a Tuesday in October. Captain Ihor Kovalenko, a signals intelligence officer with Ukraine's Defence Intelligence, is hunched over a terminal in a dimly lit command centre in Kyiv. The air is thick with the smell of stale coffee and the low hum of servers. His screen is a mosaic of network traffic flows, a digital river he's been tracking for weeks.
His team has been mapping the command and control infrastructure for Russian Lancet drone units. The patterns are familiar: clusters of activity from known Russian military IP ranges. But tonight, something is off. A new, persistent signal is appearing, coordinating strikes on Ukrainian positions near the border. The digital signature is Russian, but the traffic isn't coming from Russia. It's routing through a network of servers with a different origin.
Ihor zooms in on the geolocation data. The IP addresses resolve to Minsk. Belarus. His stomach tightens. This isn't a simple proxy; the patterns suggest operational use, not just transit. A drone operator, physically in Russia, is using Belarusian telecom infrastructure to launch attacks, creating a legal and tactical grey zone. Ihor has found a shadow, but he needs to prove who is casting it.
This is the story of a cyberattack. By the end of this lesson, you'll understand why spotting the traffic was only the first step and, more importantly, what intelligence was needed to attribute and counter it.
Content Section 1: What is Infrastructure-Based Threat Intelligence?
Think of threat intelligence like detective work. Finding the bullet is one thing; proving who fired the gun, from where, and under whose orders is another. This case shows us that the 'where', the infrastructure, is often the key to the 'who' and 'why'.
Beyond the Malware
Traditional security often focuses on the payload: the malicious software on a target system. But the most sophisticated attacks leave their clearest fingerprints on the infrastructure that enables them: the servers, domains, and network paths used for command and control.
In this incident, the immediate technical concern was the drone's command link. But the strategic threat was the use of Belarusian civilian internet service providers (ISPs) to mask the origin of Russian military operations. The attack was delivered over a radio link; the enabler was a telecoms network.
This creates a layered problem. Technically, data is flowing through Belarus. Legally and attributionally, this blurs lines of responsibility and complicates defensive responses. The real target isn't just a physical asset; it's the decision-making process of those trying to defend it.
The Intelligence Requirement
For Captain Kovalenko, knowing an attack came from a Belarusian IP wasn't enough. He needed to answer specific questions: Was this a compromised system, or was it being used knowingly? What was the relationship between the Russian operator and the Belarusian infrastructure? Answering these questions turns network data into actionable intelligence.
This kind of intelligence work involves correlating technical data with human geography, political relationships, and telecoms architecture. It's about understanding not just packets, but patterns of life and business relationships on the internet.
Think about that last point for a moment. The attackers weren't just trying to hide; they were exploiting the gap between technical evidence and political or legal accountability.
DORA Article 5: DORA Article 5 requires financial entities to have a comprehensive ICT risk management framework. Understanding how adversaries use third-party or neutral infrastructure for attacks is a core part of mapping digital supply chain threats.
ISO 27001 A.5.7: ISO 27001 A.5.7 mandates that organisations collect and analyse information related to security threats. This incident shows the requirement to look beyond direct attacks to the supporting infrastructure, which is a key threat intelligence input.
Content Section 2: The Anatomy of a Geopolitical Cyberattack
Understanding this attack reveals how cyber and physical warfare merge. Let me show you exactly how the operator's location was hidden and why that mattered.
The Attack Flow
Step one: A Russian drone operator, likely near the border, prepares a Lancet loitering munition for a strike. The operator uses a ground control station (laptop or specialised hardware) to program the drone's flight path and target.
Step two: Instead of sending commands directly from a Russian military network, the operator routes the command signal. The signal travels from the operator, through the internet, to a server or series of servers hosted within Belarus. This could use commercial VPN services, compromised routers, or leased server space.
Step three: From the Belarusian infrastructure, the command is relayed to the drone on the battlefield. To the Ukrainian forces being targeted, and to basic network monitoring, the attack appears to originate from Belarus.
Key Technical Components
The core technique is geolocation spoofing via proxy. It's not highly sophisticated in a pure coding sense, but its effectiveness comes from abusing the trust and neutrality associated with a third country's digital infrastructure.
The operators likely used commercial tools or leased infrastructure, making the activity blend with normal internet traffic. The intelligence challenge was separating legitimate Belarusian civilian traffic from malicious Russian military traffic flowing through the same pipes.
Why Traditional Perimeter Defences Fail
A firewall or intrusion detection system watching for 'Russian' attacks would miss this. Here's how common defences are bypassed:
| Defensive Method | How It's Bypassed | Strategic Impact |
|---|---|---|
| IP Blocking (Geo-fencing) | Traffic originates from 'friendly' or neutral Belarusian IPs. | Forces defenders to block entire nations, disrupting legitimate business. |
| Signature-Based Detection | No malicious software signature; just encrypted command data. | Fails to detect the operational act of war. |
| Threat Intel Feeds (Russia-focused) | Infrastructure is not on Russian threat lists; it's Belarusian. | Creates intelligence blind spots. |
| Network Traffic Analysis (Anomaly-based) | Data volume is small; resembles normal remote administration traffic. | Low signal-to-noise ratio makes detection very difficult. |
Notice what all of these methods have in common. They fail because they look for the *what* (malware, Russian IPs) instead of the *how* and *why* (operational patterns, infrastructure abuse).
Now pay attention, because this is the moment that changes everything. This is the moment where a technical network path becomes a strategic weapon, muddying attribution and complicating any potential counter-strike or diplomatic response.
NIST CSF ID.RA-2: NIST CSF ID.RA-2 requires receiving threat intelligence from sharing forums and sources. This incident shows the value of intelligence on infrastructure abuse patterns, not just malware hashes, to understand sophisticated threats.
NIS2 Article 21: NIS2 Article 21 mandates policies for risk analysis. A proper analysis must consider risks from indirect attack paths and the abuse of third-party infrastructure, as demonstrated here.
Content Section 3: Detecting Infrastructure Abuse
Captain Kovalenko's systems could see the traffic. The hard part was understanding its intent. Here's how you move from seeing data to uncovering a threat.
Network-Level Indicators
Look for patterns, not just points. A single connection from Belarus to a Ukrainian IP is normal. But repeated, short-burst connections from a Belarusian IP to multiple Ukrainian frontline sectors, followed by reports of drone strikes, form a pattern.
Timing is critical. Correlate network events with physical events. A spike in data flow from a specific ASN (Autonomous System Number, belonging to a Belarusian ISP) occurring minutes before a drone attack is a strong indicator.
Focus on 'non-native' traffic. Why would a server in Minsk be in persistent contact with hosts on specific Ukrainian defence networks, or with equipment that has no business relationship with a civilian ISP? Knowing what normal business traffic for that ISP looks like is what lets you spot the abnormal.
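The three indicators above (patterns not points, timing against physical events, and ASN-level context) can be expressed as a small correlation routine. The following is an added example, not tooling from the course or from any intelligence service; the flow records, ASN numbers, sector names and event timestamps are constructed for the demonstration, and the thresholds (a 10-minute window, three sectors, a 15-minute lead time) are assumptions to tune against your own baseline.

```python
"""Flag a source ASN that makes short-burst connections to several
destination sectors, then correlate those bursts with physical events.

Added example; flows, ASNs, sectors, events and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src_ip, src_asn, dst_sector, duration_s)
FLOWS = [
    ("2024-10-15T02:41:00", "203.0.113.7", 64500, "sector-north", 4),
    ("2024-10-15T02:43:10", "203.0.113.7", 64500, "sector-east", 3),
    ("2024-10-15T02:46:30", "203.0.113.7", 64500, "sector-south", 5),
    ("2024-10-15T02:58:00", "203.0.113.9", 64500, "sector-east", 2),
    # Benign-looking: long sessions from another ASN (normal remote admin)
    ("2024-10-15T02:50:00", "198.51.100.4", 64501, "sector-north", 1800),
    ("2024-10-15T03:20:00", "198.51.100.4", 64501, "sector-north", 900),
]

# Constructed physical events (e.g. reported strikes): (timestamp, sector)
EVENTS = [
    ("2024-10-15T02:52:00", "sector-south"),
    ("2024-10-15T03:05:00", "sector-east"),
    ("2024-10-15T04:00:00", "sector-west"),   # nothing precedes this one
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_bursts(flows, window=timedelta(minutes=10), min_sectors=3, max_duration=30):
    """Return {asn: [(window_start, sectors)]} for ASNs whose short flows
    (<= max_duration seconds) touch >= min_sectors distinct sectors inside
    one sliding window. Long sessions are ignored: they look like admin traffic."""
    short = sorted((_ts(t), asn, sector)
                   for t, _, asn, sector, d in flows if d <= max_duration)
    by_asn = defaultdict(list)
    for t, asn, sector in short:
        by_asn[asn].append((t, sector))
    bursts = {}
    for asn, items in by_asn.items():
        for i, (start, _) in enumerate(items):
            sectors = {s for t, s in items[i:] if t - start <= window}
            if len(sectors) >= min_sectors:
                bursts.setdefault(asn, []).append((start, sectors))
                break  # one qualifying window is enough to flag the ASN
    return bursts


def correlate(flows, events, lead=timedelta(minutes=15)):
    """For each event, list ASNs that had a flow to that sector within
    `lead` before the event. Returns [(event_time, sector, [asn, ...])]."""
    out = []
    for et, sector in events:
        et = _ts(et)
        asns = sorted({asn for t, _, asn, s, _ in flows
                       if s == sector and et - lead <= _ts(t) < et})
        out.append((et, sector, asns))
    return out


def alerts(flows, events):
    """Only an ASN that both bursts across sectors AND precedes a physical
    event in one of them is raised; either signal alone is too noisy."""
    bursts = find_bursts(flows)
    hits = []
    for et, sector, asns in correlate(flows, events):
        for asn in asns:
            if asn in bursts:
                hits.append({"asn": asn, "sector": sector, "event": et.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in alerts(FLOWS, EVENTS):
        print(hit)
```

Run on the constructed data, only AS64500 is raised, twice: once for the south sector and once for the east sector. AS64501 is never flagged even though it talks to a frontline sector, because its sessions are long and single-target, which is the remote-administration profile the table above says anomaly detection struggles with. The event timeline is the piece a network sensor cannot supply on its own; in practice it comes from the same human reporting channel the lesson describes.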
Endpoint and Telemetry Clues
In a corporate context, the 'endpoint' might be a compromised router or VPN concentrator. Unusual configuration changes on border devices, especially new routing rules pointing traffic to unexpected countries, can be a sign of infrastructure compromise.
Monitor for software that enables this proxying. The sudden presence of commercial VPN clients, remote desktop software, or protocol tunnelling tools on critical network gateways needs investigation.
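One concrete form of the "new routing rules pointing traffic to unexpected countries" check is to diff the static routes between two saved router configurations and enrich each new next hop with a country. The block below is an added example, not a vendor feature or course-supplied tool: the two configurations, the prefix-to-country table (standing in for a GeoIP or ASN database) and the set of expected countries are all constructed, and the `ip route <network> <mask> <next-hop>` syntax is assumed to be the one your devices use.

```python
"""Diff static routes between two router configs and flag next hops that
resolve to a country outside the expected set.

Added example; configs, prefix-to-country table and expected countries
are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed lookup table, standing in for a GeoIP/ASN database.
PREFIX_COUNTRY = {
    "192.0.2.0/24": "UA",
    "198.51.100.0/24": "PL",
    "203.0.113.0/24": "BY",
}
EXPECTED = {"UA", "PL"}   # countries where next hops are expected to live

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")

OLD_CFG = """\
hostname border-1
ip route 10.10.0.0 255.255.0.0 192.0.2.1
ip route 10.20.0.0 255.255.0.0 198.51.100.1
"""

NEW_CFG = """\
hostname border-1
ip route 10.10.0.0 255.255.0.0 192.0.2.1
ip route 10.20.0.0 255.255.0.0 198.51.100.1
ip route 10.30.0.0 255.255.0.0 203.0.113.5
ip route 0.0.0.0 0.0.0.0 203.0.113.5
"""


def parse_routes(cfg):
    """Extract (prefix, next_hop) pairs; the netmask form is normalised to CIDR."""
    routes = set()
    for line in cfg.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net, mask, nh = m.groups()
            prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            routes.add((str(prefix), nh))
    return routes


def country_of(ip):
    """Longest-prefix lookup is unnecessary here because the table holds
    disjoint /24s; a real GeoIP database does the matching itself."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in PREFIX_COUNTRY.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"   # unknown country is itself worth a look


def added_routes(old_cfg, new_cfg):
    return sorted(parse_routes(new_cfg) - parse_routes(old_cfg))


def suspicious_routes(old_cfg, new_cfg, expected=EXPECTED):
    """Routes added since the last snapshot whose next hop is outside the
    expected countries. A new default route is called out separately
    because it redirects everything, not one subnet."""
    out = []
    for prefix, nh in added_routes(old_cfg, new_cfg):
        cc = country_of(nh)
        if cc not in expected:
            out.append({"prefix": prefix, "next_hop": nh, "country": cc,
                        "default_route": prefix == "0.0.0.0/0"})
    return out


if __name__ == "__main__":
    for r in suspicious_routes(OLD_CFG, NEW_CFG):
        print(r)
```

On the constructed snapshots, the two routes added to border-1 both point at a next hop in a country outside the expected set, and one of them is a new default route, which should escalate immediately rather than wait for a weekly review. Pair this with the change-control record: a route that was added without a ticket is more interesting than one that was.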
Threat Intelligence Correlation
This is where human analysis merges with data. Intelligence about political relationships is key. Reports of Russian military personnel operating in Belarus, or agreements on shared infrastructure use, provide the context that makes a technical anomaly significant.
Monitor specialised threat intel feeds that track infrastructure leasing, domain registration, and ASN changes in geopolitically sensitive regions. An ISP in a neighbouring country suddenly adding new routes or showing unusual peering arrangements could be a preparatory step.
SOC 2 CC7.1: SOC 2 CC7.1 requires monitoring for changes that introduce vulnerabilities. The illicit use of infrastructure, as in this case, is a change in the *use* of a system that introduces a severe threat, demonstrating the need for monitoring logical access and data flows, not just software patches.
GDPR Article 32: GDPR Article 32 requires appropriate security of processing. If personal data is processed on infrastructure that is being covertly used for hostile cyber activity, its security and integrity are fundamentally compromised, creating a major data protection risk.
Activity: Mapping Your Digital Exposure Points
This activity helps you think like an intelligence analyst about your own organisation's exposure to infrastructure-based threats.
Important Security Note: Do NOT probe, scan, or investigate external networks or third-party infrastructure. This is an internal planning and awareness exercise. Do not share specific details about your organisation's network architecture, provider contracts, or perceived vulnerabilities publicly.
Instructions
Step 1: List your organisation's key external dependencies: Identify your primary Internet Service Provider (ISP), cloud hosting providers (AWS, Azure, Google), SaaS platforms, and any other critical third-party networks your data flows through.
Step 2: Conduct a geopolitical risk assessment: For each provider from Step 1, note the primary countries where their infrastructure is physically located and where their legal jurisdiction resides. Consider current events and tensions.
Step 3: Analyse a critical data flow: Pick one important process (e.g., customer login, financial transaction). Map its hypothetical path: user device -> your ISP -> your cloud -> your database. Now, consider how an adversary might try to compromise or abuse each leg of that journey without touching your code.
Step 4: Document one mitigation idea: Based on your map, propose one concrete control. For example: 'If our cloud provider in Country X is a single point of failure, we should document a plan for failover to a region in Country Y, and ensure encryption is applied so data is protected in transit across that path.'
Submission
For the course discussion forum, share general learnings only:
- What categories of external infrastructure did you find were most critical? (e.g., transit ISPs, cloud regions)
- What questions about provider relationships and jurisdictions were hardest to answer?
- What framework (like NIST CSF) was most helpful for structuring this thinking?
Do NOT share: your organisation's name, specific provider names, your actual network diagrams, identified gaps or vulnerabilities, or any confidential contract details.
Review and comment on at least two other students' submissions, focusing on the methodology and the types of mitigations they considered.
Content Section 4: Building a Defensible Position
Compliance isn't about ticking boxes; it's about building evidence that you understand the real threats. This lesson turns insight into evidence.
Evidence Generation
This lesson provides documentation for multiple compliance frameworks:
For DORA Article 5 auditors: you can now demonstrate that your ICT risk management framework considers complex, multi-jurisdictional attack vectors involving third-party infrastructure, as required for digital operational resilience.
For ISO 27001 A.5.7 assessors: you can evidence that your threat intelligence process includes analysis of infrastructure abuse and geopolitical context, not just technical malware analysis.
For NIST CSF ID.RA-2 reviewers: you can show you have procedures to incorporate intelligence about adversary tactics, techniques, and procedures (TTPs) related to supply chain and infrastructure exploitation.
Audit Trail
Document your completion of this lesson:
- Lesson title and date completed
- Time invested: approximately 45 minutes
- Key learnings in your own words
- Activity submission reference
- Follow-up actions identified
Conclusion
Let me tell you how Captain Kovalenko's story ended.
Ihor and his team compiled their evidence: the network logs, the timing correlations, the intelligence on Russian units in Belarus. They presented a brief that clearly linked the Belarusian IP addresses to active Russian military drone strikes. This intelligence was used to inform military planning and was shared with international partners to highlight the tactic.
His organisation didn't buy a new firewall. They invested in more advanced network traffic analysis tools that could correlate data flows with external event feeds. They also formalised relationships with threat intelligence partners specialising in Eastern European infrastructure analysis, recognising that their defensive perimeter extended far beyond their own network border.
But it doesn't have to be your story. That's why we're here.
You should now understand that modern cyberattacks often hide in plain sight, using legitimate infrastructure maliciously. You understand that detection requires correlating technical data with human and geopolitical context. You know that compliance frameworks like NIST and ISO already require this broader view of threat intelligence. And you understand that your organisation's risk extends deep into its digital supply chain.
Next, we'll explore Lesson 1.2: The role of satellite internet in modern cyber warfare. We'll look at how new global network providers are creating fresh opportunities and vulnerabilities for both attackers and defenders.
See you there.
Key Takeaways
1. Infrastructure is Intelligence: The servers, networks, and service providers used in an attack often provide more valuable and actionable intelligence for attribution and disruption than the malicious payload itself.
2. Geopolitics is a Configuration File: Adversaries actively exploit political relationships, legal jurisdictions, and international borders to design attacks that are technically simple but strategically complex to counter.
3. Detection Requires Context: Spotting infrastructure-based threats depends on correlating network data with real-world events, understanding normal business patterns for third parties, and applying geopolitical context.
4. Your Perimeter is Global: Your organisation's security risk is intrinsically tied to the security and integrity of every service provider and digital transit point in your data supply chain.
Resources
The course materials folder contains downloadable resources for this lesson:
- Lesson 1.1 Quick Reference Card - Summarise the key network indicators and intelligence correlation steps for detecting infrastructure abuse, as demonstrated in the Ukrainian drone operator case, on a single page.
- Compliance Mapping Worksheet - Map your organisation's controls for monitoring third-party infrastructure and supply chain threats to the DORA, ISO 27001 (A.5.7), NIST CSF (ID.RA), and NIS2 frameworks covered in this lesson.
- Risk Assessment Template - Assess your organisation's specific exposure to infrastructure-based cyberattacks based on the geopolitical and digital supply chain vectors analysed in this lesson.
- Further reading - Links to official framework documentation for threat intelligence (ISO 27001 A.5.7, NIST CSF ID.RA) and reputable sources for geopolitical cyber threat analysis.
Ukrainian hackers uncover how Russian drone operators are using Belarus Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026
This is 1 of 16 lessons included in the full package.
Choose Your Access
All plans include 30-day money-back guarantee
Taster
Single course access, ideal for trying us out
- Full course access
- Completion certificate
- Try before you commit
Standard
Full course with materials and certificate
- Full course access
- Downloadable materials
- Professional certificate
- Email support
Teams
Transparent pricing, no sales call required
Starter Team
£99.80/seat effective
Up to 5 learners, all courses included
Growth Team
£66.60/seat effective
Up to 15 learners, all courses included
Scale Team
£39.98/seat effective
Up to 50 learners, all courses included
Need 50+ seats? Contact us for a custom plan.
Fast Checkout
Start Learning in Minutes
Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.
- Stripe-secured payment and delivery workflow
- Audit-friendly completion records
- Escalate to enterprise volume licensing at any point
48-Hour Relevance Guarantee
If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.