Enlarge / Servicemen of Russia’s Eastern Military District units attend a welcoming ceremony as they arrive in Belarus to take part in joint military exercises. Russia’s military is combining its own means of transport with train travel.
Hacktivists in Belarus said on Monday they had infected the network of the country’s state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine.
Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram:
BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the “Peklo” cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed.
Dozens of databases have been cyberattacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, pass.rw.by, uprava, IRC, etc.
⚠️ Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.
The group also announced the attack on Twitter.
We have encryption keys, and we are ready to return Belarusian Railroad’s systems to normal mode. Our conditions:
🔺 Release of the 50 political prisoners who are most in need of medical assistance.
🔺Preventing the presence of Russian troops on the territory of #Belarus. https://t.co/QBf0vtcNbK
— Belarusian Cyber-Partisans (@cpartisans) January 24, 2022
A representative from the group said in a direct message that the Peklo cyber campaign targets specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine.
“The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep… thousands of political prisoners,” the representative wrote. “The major goal is to overthrow Lukashenko’s regime, keep the sovereignty and build a democratic state with the rule of law, independent institutions and protection of human rights.”
The group posted the following images, which appear to show hackers inside the private network of the Belarus Railway:
About 36 hours after posting that batch of photos, the group posted more:
At the time this post went live, several services on the railway’s website were unavailable. Online ticket purchases, for instance, weren’t working and instead returned the following message:
For technical reasons, reference web-resources of the Belarusian Railways and services for issuing electronic travel documents are temporarily unavailable. To arrange travel and return electronic travel documents, please contact the ticket office. Currently, work is underway to restore the performance of the systems. Belarusian Railways apologizes for the inconvenience caused.
The representative said that besides ticketing and scheduling being disrupted, the cyberattack also affected freight trains.
According to reports, Russia has been sending military equipment and personnel by rail into Belarus, which shares a border with Ukraine. @belzhd_live, a group of Belarus Railway workers that tracks activity on the 5,512-km railway, said on Friday that in a week’s time, more than 33 Russian military trains loaded with equipment and troops had arrived in Belarus for joint strategic exercises there. The worker group said at the time that it expected a total of 200 so-called echelons to arrive in the coming days.
The Washington Post said the Belarusian Defense Ministry on Monday reported that Russian troops continued to arrive in the country ahead of a major training exercise next month. Video also surfaced on social media Monday showing Russian military convoys and trains with military equipment moving across southern Russia and Belarus.
A tool for the underdog
Juan Andrés Guerrero-Saade, a principal threat researcher at security firm SentinelOne, said he was unable to confirm the ransomware attack but that the images provided appeared to confirm someone gained privileged access to Belarus Railway’s network.
“Taking it at face value, it’s an interesting turn in the ransomware narrative,” he said in an interview. “Most of the time, we think of ransomware as a financial concern for enterprises and not as a tool for the underdog in what amounts to a revolutionary struggle.”
The Cyber Partisans representative said it wasn’t hard to access the Belarus Railway’s network.
“This network has many entry points and is not well isolated from the Internet,” the representative said. “Cyber partisans entered from one of these points and then opened many other entry points from within.”
Post corrected to change “divisions” to “echelons.” Updated on 1/25/2022 to add more photos.