Belarusian hacktivists target railway in bid to halt Russian military
The incident is thought to be one of the first times ransomware has been used in hacktivism


Belarusian hacktivists claim to have infected the country's rail network with ransomware in a bid to stop the Russian military from mobilising around Ukraine.
The Cyber Partisan hacktivists claim to have encrypted "the bulk of the servers, databases, and workstations" belonging to the Belarusian Railways, and destroyed their backups, according to posts on Telegram and Twitter.
Cyber Partisan is demanding the release of 50 political prisoners who are in need of medical assistance, along with assurances that Russian troops will stop mobilising in Belarus, a country that shares a border with Ukraine and whose leader has a close relationship with Vladimir Putin.
"BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land," the Telegram message read. "As part of the 'Peklo' cyber campaign, we encrypted the bulk of the servers, databases, and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed.
"Dozens of databases have been cyberattacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, pass.rw.by, uprava, IRC, etc. Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations."
In the online posts, the group echoed the message shared by Belarusian rail workers on Friday that more than 33 Russian military trains containing equipment and soldiers would be entering Belarus. The message was also corroborated by reports from other news outlets.
Belarusian Railways published a statement on Monday confirming that it was experiencing difficulties and that some services were unavailable, though it made no mention of compromised systems, databases, or servers, nor of ransomware.
"For technical reasons, services for issuing electronic travel documents are temporarily unavailable," it said. "To arrange travel and return electronic travel documents, please contact the ticket office.
"Currently, work is underway to restore the performance of the systems. Belarusian Railways apologises for the inconvenience caused."
At the time of writing, IT Pro can confirm online ticket sales are still impacted and are unavailable, with customers greeted with the following message.
Tensions in the region
Russia has seized Ukrainian territory in the past and in recent months has stepped up its calls against Ukraine joining European institutions, with a particular focus on Nato. Ukrainians have been preparing for a possible invasion by Russia for months, with many in the region fearful of a war looming.
In recent weeks, both the US and UK have withdrawn significant numbers of embassy staff and their families from the region, which may indicate that the two allies believe an invasion is likely.
Today, the US has placed 8,500 of its soldiers on alert amid mounting tensions over Russian troops mobilising at the Ukrainian border. Western powers are showing unity on the matter, saying they will step in with "swift" and "unprecedented" actions if Russia were to invade Ukraine.
The news follows days of unsuccessful negotiations between President Biden and President Putin in Geneva - failed talks that also prompted the FBI, NSA, DHS, and CISA to issue an alert to cyber security professionals that a Russian-linked cyber attack may be launched on critical infrastructure in relation to the worldwide tensions.
"The cybersecurity industry has gotten used to tossing around the idea of ‘nation-state’ adversaries, but I think we’ve yet to see cyber attacks used in concert with a full-fledged military campaign," said Tim Erlin, VP of strategy at Tripwire to IT Pro. "DHS’s warning sets that expectation that something has changed in the threat profile, and that organisations should be prepared for a change in the types of attacks they see."
Brief overview of hacktivism
It's thought the alleged ransomware attack on Belarusian Railways is one of the first times ransomware has been used in hacktivism, but the practice of campaigning by knocking systems offline is well documented.
There were a number of high-profile hacktivist 'attacks' in 2021 alone, with right-wing social media platform Parler and Verkada's surveillance cameras among the victims targeted by hackers. The Adalat Ali hacking group also exposed the beatings and mistreatment of prisoners in Iran's Evin prison in August 2021 in protest against the abject living conditions.
Anonymous, LulzSec, and WikiLeaks are among some of the most well-known hacktivist groups in the world.
Hacktivism is a controversial practice, with some seeing it as an effective means of campaigning while others believe the level of civil disobedience, and often the damage such attacks cause, goes beyond the acceptable level of resistance exhibited in more traditional forms of protest.
The US sees hacktivism as a significant threat, and hacktivist groups are categorised similarly, in the eyes of the law, to terrorist groups and transnational criminal organisations.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.