Hacktivists Hit Belarusian Railroad to Stop Russian Troops
Attackers Say Their Ultimate Goal Is Regime Change in Belarus

A Belarusian hacktivist group named Belarusian Cyber-Partisans says it has successfully attacked the country's railroad systems and encrypted some of the railroad's servers, databases and workstations to disrupt its operations. The group says its aim is "preventing the presence of Russian troops on the territory of Belarus."
Yuliana Shemetovets, the spokesperson for the Belarusian Cyber-Partisans, tells Information Security Media Group, "CPs [Belarusian Cyber-Partisans] first hacked the system back in December. CPs stayed in the internal network for one and a half months to prepare for a stronger attack, which they performed on January 23, 2021. It started at 23:00 Belarusian time and lasted till 9:00 am [the next morning]."
Shemetovets did not confirm the type or the source of the code for the ransomware deployed, but tells ISMG that it "was specially created and based on common practice in this field."
In exchange for the decryption keys, the hacktivists demanded the release of 50 political prisoners and removal of Russian troops from Belarusian territory. But the government, led by President Alexander Lukashenko, has not contacted the hacktivists, Shemetovets confirms to ISMG, and has not made any official statement in response to the attack.
Belarusian Railway issued a statement acknowledging an issue with its web resources and services. "For technical reasons, services for issuing electronic travel documents are temporarily unavailable," it stated.
In response, Shemetovets says, "CPs didn't put down the website. [Only] the electronic ticketing system on the website is down though, as it was yesterday."
Why the Railroad?
Although the West has been in talks with Russia to de-escalate the tension with its neighbor Ukraine, Russian President Vladimir Putin has sought help from its other neighbor, Belarus, in devising a two-pronged attack. Russia has moved military equipment to Belarus, whose border is geographically close to Ukraine's capital, Kyiv, the Atlantic Council's Digital Forensic Research Lab says.
The DFRLab also tracked a Russian convoy carrying the Russian military's BM-27 220mm multiple rocket launcher and 11 9T452 transporter-loader vehicles on a train that departed from a depot near Lake Baikal in Russia's Eastern Military District.
Shemetovets tells ISMG that this is why it targeted the Belarusian railway system. "The Belarusian railway was involved in providing its services to the Russian military troops, which we are against. It also sends a clear message that the governments’ infrastructures are disregarded by the regime. They don’t have enough experts working there and prefer loyalty over professionalism."
Franak Viačorka, senior adviser to Sviatlana Tsikhanouskaya - the main opposition candidate in the Belarusian 2020 presidential elections - tweeted about the attack and the motive of the hacktivist group.
Someone with the Twitter handle "vx-underground" - who claims to have the largest collection of malware source code, samples and papers on the internet - shared screenshots of the data encrypted by Belarusian Cyber-Partisans.
The group responsible for the Belarusian Railway infrastructure ransomware attack have released photographs of their work. pic.twitter.com/IdQhzPATtK
— vx-underground (@vxunderground) January 24, 2022
Regime Change Is the Motive
Even after the evidence presented, some followers of the group on Twitter were puzzled as to why the group did not attack Russian infrastructure if its main motive was to stop the Russian troops. Shemetovets tells ISMG that the group never gets involved in other countries' affairs. "[We] want to change the regime in Belarus and that's [the group's] main goal."
When asked about CPs' goals and motives, Shemetovets tells ISMG, "The demands are clear: We want Lukashenko's dictatorship regime gone, and we will continue working until we can say that the goal to build a democratic and lawful state is completed."
Shemetovets says the other primary goals behind the group's hacktivist operations are:
- Preservation of the independence, sovereignty and territorial integrity of Belarus;
- The overthrow of the Lukashenko regime;
- Stabilization of Belarus during the transition period and return to democratic principles of governance and rule of law.
Earlier Attacks
This is not the first time that the Belarusian Cyber-Partisan hacktivists have targeted an organization with a ransomware attack. In December 2021, they attacked the computer networks of Mogilevtransmash, one of the largest car companies in Belarus, according to a tweet from Dec. 10, 2021.
The hacktivists encrypted all files, servers and databases. At the time, the group announced that it was ready to decrypt the data in exchange for the release of 10 political prisoners of its choice.
In November 2021, the hacktivist group launched a large-scale sabotage cyberattack operation that it called Inferno or "Scorching Heat." The first target under this operation was the Academy of Public Administration of Belarus.
The operation continued during November with a cyberattack on Belaruskali - a state-owned company that the hacktivists say they targeted to bring attention to poor working and safety conditions.
Shemetovets tells ISMG the hacktivist group also previously hacked the Interior Ministry's passport database, which contains all personal details of every Belarusian citizen, including those with restricted access. "It helped to reveal information on deaths from COVID as well as check on many officials who committed crimes. We also hacked the entire police database and got access to cameras, and restricted information about the work history of every police officer. All these major hacks were aimed to de-anonymize special police officers who think they can do whatever they want with Belarusians without following any laws," Shemetovets says.
Using Cyber for Political Change
Ransomware expert Sam Curry, chief security officer at Cybereason, says the group's latest effort is unique. "Seeing cyber used in this way to disrupt troop movement, to effect political change and specifically aimed at Russia, is novel. The story is fascinating because prudential, legitimate hacktivists are opposing Putin and corruption of the Belarus government."
Curry adds that he wouldn't be surprised if, in coming days, Belarus or Russia accuses these hacktivists of treason or of being American or Ukrainian partisans, or if these countries accuse the group of being a cover for Western intelligence groups.
The geopolitical context around this ransomware operation, along with the politically motivated demands of the Belarusian Cyber-Partisans, makes this attack an interesting case study for analyzing the complex nature of cybercrime and ideological threat actors, says Stefano De Blasi, threat researcher at Digital Shadows. De Blasi tells ISMG, "Ransomware has been traditionally used to gain financial resources at the expense of vulnerable organizations; however, this story has highlighted that encryption and cyber extortion can also be used to spread political messages and slow down an adversary's operations.
"Ransomware can be an effective tool to disrupt a target’s business continuity and significantly slow down its operations. Given the objectives of the Belarusian Cyber-Partisans, it seems this has been an appropriate tactic in order to maximize attention to their activities," De Blasi says.
Alan Calder, CEO at GRC International Group, tells ISMG, "Lukashenko is a dictator with his grip on power maintained by his security police, and so it's not surprising that there is an anti-Lukashenko underground. It's good to see a cyber resistance movement that is also against Belarusian involvement in a possible Russian attack on Ukraine."