The online service InformNapalm Community reported on January 24, 2022 that a group called Cyber Partisans had claimed responsibility for the attack on the Russian news service Telegram. The statement reads: “As part of the “Peklo” (translation: Hell; editor's note) cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelŽD in order to slow down and disrupt the operation of the railroad. The backups were destroyed. Dozens of databases have been subjected to cyberattacks, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, pass.rw.by, uprava, IRC, etc. Automation and security systems were deliberately NOT affected by a cyber attack in order to avoid emergency situations.”
Backups have been deleted…
Reports state that the attack also affected freight trains. The group wrote on Twitter on the same day: “Cyber-Partisans@cpartisans: We have encryption keys, and we are ready to return Belarusian Railroad’s systems to normal mode. Our conditions: – Release of the 50 political prisoners who are most in need of medical assistance. – Preventing the presence of Russian troops on the territory of #Belarus.” The main goal: to overthrow the regime of the Belarusian ruler Lukashenko, “to preserve sovereignty and build a democratic state with the rule of law, independent institutions and the protection of human rights.”
In fact, the screenshots published by the “hacktivists” seem to confirm that they were on official computers of the Belarusian Railway when the pictures were taken. One screenshot shows a storage volume holding a backup that is about 28 percent formatted, meaning the data is being wiped. Screenshots of BelŽD’s official website bear the notice that “due to technical reasons” reference web resources of the State Railway “and services for issuing electronic travel documents are temporarily unavailable”.
… and the “analogue” ticket offices have more work to do
A screenshot taken by our editorial team today shows the following entry on the same website: “Due to technical reasons, the return of electronic travel documents processed on the web resources of the Belarusian railway by January 24, 2022 is not accessible. For the return of travel documents, we ask that you contact the ticket office. We apologize for the inconvenience caused.” Apparently the BelŽD has indeed been unable to recover any data from before January 24, and the data encrypted by the hackers remains unavailable because the Belarusian leadership is not responding to the hackers’ political demands.
The “cyber partisans” are attributed to a movement of political dissidents operating under the name of “Solidarity”, which calls for a democratic government in Belarus. After several attacks on various government computers, the group was labeled “terrorists” by the official state leadership in November 2021. However, the group behaved towards the Belarusian state railway as a “gentlemen’s hacker” and did not intervene in the railway technology. So the permanent damage should be small.
Perhaps the Belarusian State Railway has given itself a “digital jolt” in the meantime? Among the documents released by the hackers is an official order from the Ministry of Transport that the heads of the design-technical center and the information protection center of the state railway should “ensure the indispensable connection and operability of data transmission channels through the unified republic network of data transmission” between the state railway and the General Staff of the Army. Although this order number 201NZ dates from March 11, 2021, and is based on order number 155NZ from February 13, 2015, apparently not much happened in this regard.
“Gentlemen’s Hacker” as David vs. Goliath
Juan Andrés Guerrero-Saade, a senior threat researcher at security firm SentinelOne, points out: “This is an interesting twist in the ransomware narrative. Until now, we have viewed ransomware as a financial problem for companies, rather than a tool for the underdog in a revolutionary struggle.”
In fact, cybercriminals have so far used hacking attacks with data encryption to extort money payments. Hacker groups attributed to state secret services have attacked official servers in other countries with the aim of data theft or sabotage. But hacking attacks used to extort democratic demands are a novelty. At the same time, Western security authorities point out that because of Russia’s military activities in Ukraine, there is also a greater risk of Russian cyber attacks on Western infrastructure. This could also affect companies in the transport industry. That’s why you should be particularly careful when handling your own data.
Hermann Schmidtendorf, Editor-in-Chief