Full Report
As seen on InformNapalm: On February 18, 2026, Ukrainian President Volodymyr Zelenskyy imposed sanctions against Belarusian dictator Alyaksandr Lukashenka for his role in escalating and prolonging Russia’s aggressive war against Ukraine. One of the stated reasons is that in the second half of 2025, Russia deployed a system of repeaters for the control of attack... Source
Analysis Summary
# Threat Actor: Russian Military Attack UAV Units (supported by Belarus)
## Attribution & Identity
- **Actor Identification:** Russian military personnel operating attack Unmanned Aerial Vehicles (UAVs).
- **Associated Entities:**
- **Belarus (State Support):** Provided geographical access and infrastructure for repeater systems.
- **Alyaksandr Lukashenka:** Sanctioned for directly facilitating these operations.
- **Opposing Actors:** Identified via the cyber-operation by the **Fenix Cyber Analytics Center** and **InformNapalm**.
## Activity Summary
In the second half of 2025, Russian drone operators utilized Belarusian territory to deploy a sophisticated system of repeaters. These repeaters were used to extend the control range of attack UAVs targeting Northern Ukraine. The operation was uncovered after a months-long cyber-intelligence campaign by Ukrainian hacktivists who breached Russian military accounts to monitor these activities in real-time.
## Tactics, Techniques & Procedures
- **Infrastructure Deployment:** Installation of signal repeaters on foreign (Belarusian) soil to bypass traditional range limitations and geographic obstacles.
- **Account Compromise (Victim TTP):** Use of compromised personal and professional accounts of military personnel for operations management.
- **Remote Monitoring:** Use of digital monitoring systems to coordinate drone strikes.
- **MITRE ATT&CK Mapping (Inferred):**
- **T1078 (Valid Accounts):** Hacktivists utilized this against the actors; however, the actors themselves used these accounts to manage drone telemetry.
- **T1071 (Application Layer Protocol):** Used for C2 of UAVs via the repeater network.
## Targeting
- **Sectors:** Energy infrastructure, Railway infrastructure, Government, and Defense.
- **Geography:** Northern regions of Ukraine, specifically Kyiv and Volyn; operations staged from Belarus.
- **Victims:** Ukrainian civilian and state infrastructure.
## Tools & Infrastructure
- **Attack UAVs:** Long-range loitering munitions or strike drones.
- **Signal Repeaters:** A network of ground-based or tower-mounted repeaters deployed in Belarus to extend the command-and-control (C2) link.
- **Monitoring Systems:** Digital platforms used by operators to track drone flight paths and target acquisition.
- **Links:** InformNapalm (hxxps://informnapalm[.]org/en/russian-drone-operators-use-belarus/)
## Implications
The use of Belarusian territory as a "digital and physical springboard" significantly complicates Ukraine’s air defense posture. By placing repeaters in Belarus, Russia can strike Northern Ukraine from unexpected vectors, reducing the early warning time for cities like Kyiv. Strategically, this marks a deeper integration of Belarusian infrastructure into Russian kinetic operations, leading to increased international sanctions and regional instability.
## Mitigations
- **Defense Recommendations:**
- **Electronic Warfare (EW):** Deployment of jamming and spoofing technologies specifically tuned to the frequencies used by Russian drone repeater systems.
- **Signal Intelligence (SIGINT):** Increased monitoring of cross-border radio frequency emissions coming from the Belarusian border to detect repeater activation.
- **Cyber Hardening:** For military organizations, implementing multi-factor authentication (MFA) to prevent the type of account takeovers executed during this operation (as seen in the Fenix/InformNapalm breach).
- **Kinetic Countermeasures:** Strengthening Air Defense (AD) assets in the Volyn and Kyiv sectors to account for northern approach vectors.