Earlier this week, a group calling themselves Belarusian Cyber-Partisans carried out a ransomware cyberattack targeting the Belarusian state railway network. The group claimed to have crippled many of the network’s automated systems in an attack that was timed to hamper the transfer of Russian troops into Belarus for military exercises.
In comments to RFE/RL’s Belarus Service, a spokeswoman for the group claimed they had demanded the release of 50 “political prisoners” in exchange for unlocking the railway’s systems. The group also demanded that the railway refuse to transport Russian military forces that could be used for an attack on Ukraine.
The spokeswoman also claimed the group has the capability — which it chose not to use — to shut down the railway’s signals system, potentially causing disastrous collisions.
The claims could not be independently verified. On January 25, the group posted on Twitter images of documents and screenshots that seemed to demonstrate the breadth of their access to the railway’s systems.
In statements, the state railway company has said the intrusion on the night of January 23 was minor and has only slowed the issuance of electronic tickets.
Brett Callow, a ransomware expert for the Emsisoft cybersecurity firm, told the IT-focused media outlet Wired on January 25 that he believes the Belarusian Cyber-Partisans attack was the first time “nonstate actors have deployed ransomware purely for political objectives.”
“I find this is absolutely fascinating, and I’m surprised it didn’t happen a long, long time ago,” he concluded.
Syarhey Vaytsyakhovich is a former Belarusian Railways employee and a labor organizer who says he was fired from the state company in April 2021 as retribution for his politics.
He told RFE/RL that the cyberattack was “a serious blow” to the railway system, affecting automated systems from payroll to cargo manifests to timetables.
“The problem with electronic tickets is trivial by comparison,” Vaytsyakhovich said. He added that much of the formerly automated work at the railway is now being carried out manually, producing serious slowdowns.
“All the archives have been destroyed,” he said. “It is impossible to see statistics for the last year or the last month. Nothing in electronic format remains. Some of the information could eventually be restored by gathering data from the tax service and other agencies.”
Vaytsyakhovich said the company was particularly vulnerable to the attack — which he claimed was the third such intrusion in the last six months — because many key workers have been dismissed in what amounts to a politically motivated purge carried out by the authoritarian government of longtime ruler Alyaksandr Lukashenka.
“There are almost no qualified specialists left in the IT department,” he said, noting that the same problem could make it more difficult for the company to recover from the incident.
Lukashenka has been under intense pressure from a mass opposition movement since a disputed presidential election in August 2020 triggered nationwide protests. The government responded with an often-brutal crackdown, mass arrests, and the persecution of many opposition supporters. The United States, the European Union, and other countries have refused to recognize the vote, joining the opposition calls for a new election and the release of all detainees.
Last year, Vaytsyakhovich alleged, security agencies compiled a list of about 1,000 railway employees for termination, a process he says has left remaining workers angry and demoralized.
“The workers are glad this is happening,” he told RFE/RL. “They are angry and upset with management because people are being fired, and extra work is being piled onto those who remain.”
The cyberattack occurred against the background of heightened fears that Russia might invade Ukraine. Russia, which denies it is preparing to launch a new offensive, has amassed more than 100,000 troops near the Ukrainian border and is planning a major military exercise with Belarus in February.
On January 21, the Belarus Railways’ Telegram channel posted that 200 Russian military trains with an average length of 50 cars would enter the country as part of the exercises on February 10-20, and that 33 had already crossed the border. According to Belsat, only 29 trains arrived from Russia for the same exercise in 2021.