An activist group in Belarus launched a ransomware attack against the country’s railway system in protest of Belarus President Alexander Lukashenko and Russian troop movements through the country.
On Monday, The Belarusian Cyber-Partisans took to Twitter to say they encrypted the networks of Belarusian Railways, crippling the system and disrupting ticket sales. The group criticized Lukashenko and provided a list of demands in exchange for the encryption keys needed to unlock the system.
“At the command of the terrorist Lukashenko, #Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR’s servers, databases and workstations to disrupt its operations. Automation and security systems were NOT affected to avoid emergency situations,” the group said.
“We have encryption keys, and we are ready to return Belarusian Railroad’s systems to normal mode. Our conditions: Release of the 50 political prisoners who are most in need of medical assistance. Preventing the presence of Russian troops on the territory of #Belarus.”
Yuliana Shemetovets, a Belarusian activist and spokesperson for the group, told ZDNet that their goal was to disrupt the railway system “so it can indirectly affect the Russian troops using it for their purposes (potential attack on Ukraine).”
According to The Washington Post, the Belarusian Defense Ministry said on Monday that Russian troops were coming to the country for military exercises. Russia is also sending 12 Su-35 fighters, two S-400 battalions and a Pantsir-S air defense system to Belarus as part of the troop movement, but US officials said it was all part of a Russian plan to invade Ukraine from the north.
“[Belarusian Cyber-Partisans] don’t want Russian soldiers in Belarus since it compromises the sovereignty of the country and puts it in danger of occupation. It also pulls Belarus into a war with Ukraine. And probably Belarusian soldiers would have to participate in it and die for this meaningless war,” Shemetovets said.
Shemetovets explained that the group encrypted the bulk of the railway’s servers, databases and workstations. They first gained access to the railway’s systems in December.
“The backups have been destroyed. Dozens of databases have been attacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, http://pass.rw.by, uprava, IRC, etc. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations,” Shemetovets added.
Shemetovets noted that the attack did affect some Belarusians trying to use the train system’s ticket platform and said they would work to restore the system so average citizens were not affected. The Belarusian Railways website was back online by Monday night.
“We received so far only positive feedback (people that were writing to us are ready to put up with it a little so the major goal is achieved). The major target was freight trains but it looks like the passenger schedules were also affected,” Shemetovets said.
“The government refused to make any comments. We need to wait a little longer to see how it actually affected them. As long as Lukashenko’s dictatorship regime stays CPs will continue their work.”
The government did not respond to requests for comment and has not released a statement about the situation. But Belarusian Railways did issue a statement acknowledging the issue and said any web resources or services “issuing electronic travel documents” are temporarily unavailable. They added that they are working to restore the system and urged customers to contact their offices for travel documents.
Since protests against Lukashenko began in 2020, the Belarusian Cyber-Partisans have worked to undermine the dictatorship by leaking hacked documents showing widespread corruption and police abuse. The group is made up of former IT workers from Belarus, according to profiles by Bloomberg, The MIT Technology Review and The Washington Post.
Ransomware experts told ZDNet that they had never seen ransomware used in this way before. Emsisoft threat analyst Brett Callow said he was not aware of any situation where ransomware was deployed like this.
“In terms of helping hacktivists achieve their objectives, ransomware is as effective, perhaps more effective, than any other tool in their arsenal. And, of course, the entry barriers are lower than ever thanks to both user credentials and off-the-shelf ransomware being readily available,” Callow said.
Recorded Future’s Allan Liska echoed those remarks, telling ZDNet he had never seen anything like this before.
“This reminds me a bit of the escalation we saw with the Red Brigades kidnappings in the 70s and 80s. What started as simple kidnappings escalated to more radical behavior and assassination. Ransomware has evolved from encrypting single machines to whole networks and the types of extortion demanded has continued to evolve,” Liska said.
“This could be the next jump in the evolution of ransomware, or it could be an outlier.”