Details emerge on hack of Belarusian Railways and the group behind it

The hackers posted "proof" of their hacks, and researchers have started to dig in.
Belarusian Cyber Partisans document leak
Detail from a document leaked Jan. 25, 2022, by the Belarusian Cyber Partisans. The group said the image is "An internal document recently exchanged between a Belarusian railway lead engineer and a Russian railway head of IT department." (Belarusian Cyber Partisans / Twitter)

In the days after a group of Belarusian hackers announced they’d breached the network of the country’s railway system, encrypted data and demanded the expulsion of Russian troops and the release of political prisoners, a lot remains unclear.

But the Belarusian Cyber Partisans, the hacktivist group behind the attacks, posted a series of screenshots to Twitter Monday afternoon showing what they say show “internal assets and docs” from the hack. The group also seemed to troll Belarusian Railways with a screenshot claiming that the agency’s employees “frequently used pirated software. Do you think it’s connected to how they got hacked?” the group asked.

It’s unclear the the extent to which the group’s hack did any lasting damage to the railway agency, or succeeded in its goals. Train service may have temporarily been affected, a local news report suggests, as well as online ticketing systems. Some of those systems were back online Wednesday morning, Belarusian Railways said in a statement posted to its website, but some work “continues.”


A person identified as the spokesperson for the group told CyberScoop that the Cyber Partisans “assess this attack as successful,” even as the full results are not yet known. “What we see (disrupted schedules, databases and systems that are still down, chaos in the Railways) shows that the regime is affected,” they said in a message late Tuesday. In a previous message, the spokesperson said even if the attack “can indirectly bring the desired results, it will be more than enough.”

The spokesperson had previously said that while some databases have been destroyed, others were merely encrypted, and that they could be decrypted if the political demands are met.

Earlier Tuesday the group shared details from one of its earlier hacks with a researcher with Curated Intelligence, a private network of information security analysts and researchers who come together to research and publish information related to cybersecurity matters.

The researcher had asked for a sample of the malware used in the Belarusian Railways attack. The Cyber Partisans declined the request, but shared a Belarusian government incident report detailing a Cyber Partisans hack from March 2021 that the group detailed in a November 2021 YouTube video. Researchers with Curated Intelligence used the report to detail some of the Cyber Partisans’ tactics, techniques and procedures, that include the use of known hacking tools such as Impacket, Chisel, Mimikatz and others.

“What our report shows is that they are a serious group that knows how to hack and uses common techniques,” William Thomas, a member of Curated Intelligence and one of the authors of the report told CyberScoop. Based on the incomplete details in the incident report, it’s clear that “these guys could do serious damage down the road.”


Steve Ragan, a member of Curated Intelligence, said Cyber Partisans are seeking attention for their political goals, and urged caution when trusting claims such as collaboration with current government employees, or any other claims the group makes.

Nevertheless, “they’re dedicated, they’re very focused on what they want to do,” Ragan said. They’re “knowledgeable. These are not just common, run-of-the-mill people. They know what tools they’re needing to use, they know how to use the tools, or they know how to obtain the information to use those tools.”

They’re a “noteworthy threat or risk to any environment,” he said. “They’re very much a threat to pay attention to.”

The hack and leak operation lands amid increasing regional military tensions and what the U.S. government believes is an imminent Russian invasion of Ukraine.

The group has been around since September of 2020, forming a month after the disputed reelection of Alexander Lukashenko, an authoritarian who has held power since 1995. A group of about 15 IT experts who left the country after the election, in conjunction with remaining members of the government security agencies, formed the group to expose Lukashenko’s corruption and drive him from power, one of the members told MIT Technology Review in August.


A manifesto posted by the group in August of 2021 says Lukashenko “has been committing particularly grave crimes against the people of Belarus for the past 26 years.” The members declared “the beginning of the fight against Lukashenko’s criminal group which has usurped and is holding power in the territory of the Republic of Belarus by violence and terror, by all available means, until the enemy is defeated.”

Belarusian security forces arbitrarily detained thousands of people and tortured hundreds of others in the days following the 2020 election, according to Human Rights Watch, which the Cyber Partisans spokesperson referenced when asked if Monday’s hack risked retaliation.

“Thousands are still in prisons, around [10,000] people went through torture, 20 people are dead, many had to flee the country and the suppression don’t stop,” the spokesperson told CyberScoop. “So [Cyber Partisans] are doing what they can to stop the dictatorship regime.”

The group wants all political prisoners released, the spokesperson said, but “especially those whose medical condition [has] deteriorated and who can simply die if they are not treated properly and on time.”

The group has previously hacked and leaked documents purporting to show the corruption of the regime, sharing the data with journalists or posting it themselves. The data has included apparent corrupt business dealings involving Lukashenko and data showing inaccurate public statements about COVID-19 deaths.


In November 2021 the Belarusian Supreme Court declared the Cyber Partisans and two other pro-democracy groups a “terrorist movement.”

Latest Podcasts