A group of Belarusian hackers and IT specialists claimed Sunday that they’d attacked the Belarusian Railways in an attempt to “slow down the transfer of occupying forces and give the Ukrainians more time to repel the attack,” according to a Google translation of the message posted to the group’s Telegram channel.
The hackers — who call themselves the Cyber Partisans and have targeted Belarus’ autocratic government and its leader, Alexander Lukashenko, dating back to September 2020 — said Sunday their hack “paralyzed” some railway operations in the Belarusian capital of Minsk and in Orsha, an eastern Belarusian city between Moscow and Minsk. Some railway operations were switched to manual mode, the group said, “which will significantly slow down the movement of trains, but will NOT create accidents.”
“The internal network will be disconnected until the Russian troops leave the territory of Belarus and the participation of the Belarusian military forces in the fascist aggression ceases,” the group wrote.
The extent and duration of the disruption are unclear. Bloomberg reported Sunday that some systems had been restored while others weren’t operating and external train network websites were down, making it difficult to purchase tickets. The Independent reported that data on routing and switching devices had been encrypted.
On Feb. 24 the group tweeted that Ukrainians and Belarusians had “a common enemy: Putin, Kremlin, the imperial regime,” and asked for volunteers and financial donations.
This is the second time the Cyber Partisans have apparently attacked the Belarusian Railways. In late January the group said it breached the agency’s networks, encrypted data, and demanded the expulsion of Russian troops and the release of political prisoners.
A chaotic picture
The Cyber Partisans’ attack is just the latest in a string of incidents involving independent cyber groups, an increasingly chaotic part of the intensifying Russian military attack on Ukraine. While the cyberattacks associated with governments have so far been a string of seemingly minor distributed denial-of-service (DDoS) attacks in Ukraine and abroad — apart from wiper malware deployed against some Ukrainian government systems ahead of Russia’s invasion — hacktivists and others have seemingly pulled off a series of high-profile if ultimately minor DDoS and defacement attacks of their own.
Various Twitter accounts operating under the broad and highly decentralized banner of Anonymous have claimed a range of hacks, such as renaming Russian President Vladimir Putin’s yacht to “FCKPTN,” and temporarily limiting access to Russian broadcaster RT’s website.
And at least two ransomware groups — Conti and the CoomingProject — pledged Friday to attack Russia’s enemies, adding a new and complicated wrinkle to the mix. Conti’s public position apparently upset someone with access to the group’s data: A major leak of Conti data appeared Sunday, including hundreds of files outlining the group’s training, recruitment, and chat logs. “Glory to Ukraine!” the leaker posted in a message linking to the materials.
Complicating matters further, the Ukrainian government put out a list of Russian-related targets for the volunteer “IT Army” Telegram channel that has more than 175,000 subscribers, although it’s impossible to tell how many of these volunteers are doing any actual hacking on Ukraine’s behalf. On the defensive side, Ukraine’s Ministry of Foreign Affairs said it was moving its IT infrastructure to a different location amid cyberattacks, leading to embassy website outages.
Experts worried that the hacktivist activity would only make things worse, and could escalate matters.
“Anyone not working on behalf of a government having serious conversations about ‘hacking back’ or launching cyber attacks against Russia please understand — respectfully — you’re an idiot and only going to make matters worse,” Robert Lee, the founder and CEO of industrial cybersecurity firm Dragos, tweeted Friday. “Cyber is inherently escalatory and it doesn’t matter how good it makes you feel it’s irrelevant in the current situation. People are getting shot and bombed. The invasion is underway. This isn’t the time for your cowboy bullshit.”
Stefan Soesanto, a cybersecurity defense researcher with the Center for Security Studies, tweeted last week that he hopes the Cyber Partisans and other volunteers “are not operating out of any EU/NATO country,” as “Moscow/Minsk might end up classifying them as enemy combatants in this war.”