Hacktivists Claim Ransomware Strike on Belarus Railway Intended to Disrupt Russian Forces


In an apparent bid to stop a Russian arms build-up near the Ukrainian border, a “pro-democracy” hacktivist group claims to have hacked the Belarusian railway system — allegedly one of the conduits for tanks and weaponry into the region. The incident comes as Russian and NATO-allied forces continue to spar over the political future of Ukraine, heightening the risk of war.

Belarus, which sits to the north of Ukraine, is considered a key Kremlin ally in the ongoing conflict and has allegedly seen a build-up of Russian military soldiers and weaponry as the two nations prepare for upcoming joint military exercises. U.S. commentators have accused Russia of using Belarus and the exercises as an excuse to “encircle” Ukraine militarily.

In a post to its Telegram page on Monday, the hacktivist group known as Cyber Partisans claimed to have struck the nation’s railway system, deploying ransomware against it as a way to deter the ongoing arms build-up. The hackers also published images of what they said were files compromised in the attack, and demanded the release of numerous “political prisoners” who they said had been illegitimately incarcerated by the government.

“The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep… thousands of political prisoners,” the hackers told Ars Technica. They also decried the government for allowing “occupying troops” into their land — ostensibly a reference to Russia.

Cyber Partisans, which calls itself “pro-democracy,” is reputed to be composed of disaffected Belarusian security personnel and has previously been tied to alleged hack-and-leak operations targeting the government of President Alexander Lukashenko, the country’s current leader.

One of the first to spot the apparent railway hack was Franak Viačorka, a journalist and political advisor to Belarusian opposition leader and “pro-democracy activist” Sviatlana Tsikhanouskaya.

Viačorka, who has also worked with the Atlantic Council and is a media analyst for the US Agency for Global Media, told Gizmodo that he had learned about the cyberattack directly from “railroad workers.” Viačorka called the “scale” of the attack “huge,” and said that he expects there to be an “official statement” soon on the incident, as “some railroad services don’t work.”

While there doesn’t appear to be any official acknowledgment of the attack by the Belarusian government, a railway notification to travellers on Monday announced that certain “technical” difficulties were causing problems for electronic service delivery:

“For technical reasons, reference web-resources of the Belarusian Railways and services for issuing electronic travel documents are temporarily unavailable,” the railway announced. “To arrange travel and return electronic travel documents, please contact the ticket office.”

This alone doesn’t confirm the hacktivists’ claims: public-facing web services can be taken offline by an ordinary outage, or shut down as a precaution while an intrusion is investigated. But the pattern it describes, with web resources and electronic ticketing unavailable while manual ticket offices keep operating, is consistent with the back-office IT systems that run those services having been encrypted, which is the classic visible side-effect of a ransomware attack.

The apparent attack comes amidst an ongoing standoff in Ukraine between Russian and pro-NATO forces, where political squabbles are now risking armed confrontation. The buildup of 100,000 Russian troops at Ukraine’s border has heightened tensions and led American officials to accuse Putin of wanting to invade the neighbouring country.

More relevantly, multiple cyberattacks have targeted Ukraine over the past two weeks, adding to the growing tension. These include a Jan. 14 defacement attack on nearly 80 Ukrainian government websites, which was blamed on hackers connected to Belarusian intelligence. That makes the timing of the railway incident, a little over a week later, notable.

On their Telegram page Monday, Cyber Partisans wrote that they had hacked the railway system to defy Belarusian President Lukashenko, who they dubbed a “terrorist”:

BelZhD at the command of the terrorist Lukashenko these days allows the occupying troops to enter our land. As part of the “Peklo” cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed.

The hackers claimed that “automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.”