For years, idealistic hacktivists have disrupted corporate and government IT systems in acts of protest. Cybercriminal gangs, meanwhile, have increasingly held hostage the same sort of enterprise networks with ransomware, encrypting their data and extorting them for profit. Now, in the geopolitically charged case of a hacktivist attack on the Belarusian railway system, those two veins of coercive hacking appear to be merging.
On Monday, a group of Belarusian politically motivated hackers known as the Belarusian Cyber Partisans announced on Twitter and Telegram that they had breached the computer systems of Belarusian Railways, the country’s national train system, as part of a hacktivist effort the attackers call Scorching Heat. The hackers have since posted screenshots that appeared to show their access to the railway’s backend systems and claimed to have encrypted its network with malware, for which they would only provide decryption keys if the Belarus government met a list of demands. They’ve called for the release of 50 political prisoners detained in the midst of the country’s protests against dictator Alexander Lukashenko, as well as a commitment from Belarusian Railways to not transport Russian troops as the Kremlin prepares for a possible invasion of Ukraine on multiple fronts.
The hackers appear to have successfully made at least some of Belarusian Railways’ databases inaccessible on Monday, according to Franak Viačorka, a technical advisor to Belarusian opposition leader Sviatlana Tsikhanouskaya. Viačorka says he confirmed the database outages with Belarusian Railway workers. The railway’s online ticketing system was also taken down Monday; on Tuesday it displayed a message that “work is underway to restore the performance of the system” but remained offline.
“At the command of the terrorist Lukashenka, #Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR’s servers, databases, and workstations to disrupt its operations,” the Cyber Partisan hackers wrote on Twitter Monday, noting that the hackers were careful not to affect “automation and security systems” that could cause dangerous railway conditions.
Cybersecurity researchers have yet to independently confirm what sort of ransomware was used to encrypt Belarusian Railways’ systems. But a spokesperson for Cyber Partisans, Yuliana Shemetovets, wrote to WIRED that while the hackers’ permanently deleted some backup systems, others were merely encrypted and could be decrypted if the hackers provide the keys. Shemetovets added that the ransomware the hackers used “was specially created but based on common practice in this field.”
Using reversible encryption rather than merely wiping targeted machines would represent a new evolution in hacktivist tactics, says Brett Callow, a ransomware-focused researcher at security firm Emsisoft. “This is the first time I can recall non-state actors having deployed ransomware purely for political objectives,” says Callow. “I find this absolutely fascinating, and I’m surprised it didn’t happen a long, long time ago. It’s far more effective than waving placards outside a puppy testing lab.”
Ransomware—and destructive malware purporting to be ransomware—has certainly been used for political coercion in the past. North Korean hackers, for instance, planted destructive malware on machines across the network of Sony Pictures in 2014. Posing as hacktivists going by the name Guardians of Peace, they appear to have sent an email demanding payment prior to the attack, then pressured the company not to release the Kim Jong-un assassination comedy The Interview. In 2016 and 2017 the Russian hackers known as Sandworm, part of the country’s GRU military intelligence agency, used fake ransomware as a means to destroy computers across Ukraine—and ultimately hundreds of other networks around the world—while posing as profit-seeking cybercriminals. (Unidentified hackers appear to have targeted systems in Ukraine with the same tricks, on a much smaller scale, earlier this month.)