For years, idealistic hacktivists breached corporate and government IT systems in protest. Meanwhile, cybercriminal gangs have increasingly held the same kinds of corporate networks hostage with ransomware, encrypting their data and extorting them for profit. Now, in the geopolitically charged case of a hacktivist attack on the Belarusian railway system, these two strains of disruptive hacking appear to be converging.
On Monday, a group of politically motivated Belarusian hackers known as the Belarusian Cyber Partisans announced on Twitter and Telegram that they had breached the computer systems of Belarusian Railways, the country's national train system, as part of a hacktivist effort the attackers called Scorching Heat. The hackers have since posted screenshots that appear to show their access to the railway's backend systems, and they claim to have encrypted the railway's network with malware for which they will only provide decryption keys if the Belarusian government meets a list of demands. They called for the release of 50 political prisoners held amid the country's protests against dictator Alexander Lukashenko, as well as a commitment from Belarusian Railways not to transport Russian troops as the Kremlin prepares for a possible multi-front invasion of Ukraine.
The hackers appear to have made at least some of the Belarusian Railways databases inaccessible on Monday, according to Franak Vyachorka, a technical adviser to Belarusian opposition leader Svetlana Tsikhanovskaya. Vyachorka says he confirmed the database outages with Belarusian Railways workers. The railway's online ticketing system was also brought down on Monday; on Tuesday it showed a message saying it was "working to restore system performance" but remained offline.
"On the order of the terrorist Lukashenko, the #Belarusian railway allows occupation troops to enter our land. We have encrypted some of BR's servers, databases and workstations to disrupt its operations," the Cyber Partisans wrote on Twitter on Monday, noting that the hackers were careful not to affect "automation and security systems," which could cause unsafe rail conditions.
Cybersecurity researchers have yet to confirm what type of ransomware was used to encrypt Belarusian Railways systems. But a spokeswoman for the Cyber Partisans, Yuliana Shemetovets, wrote to WIRED that while the hackers have permanently wiped some backup systems, others are simply encrypted and can be decrypted if the hackers provide the keys. Shemetovets added that the ransomware used by the hackers was "specially created, but based on common practice in this field."
Using reversible encryption instead of simply wiping target machines would represent a new evolution in hacktivist tactics, says Brett Callow, a ransomware-focused researcher at security firm Emsisoft. "This is the first time I can recall that non-state actors have deployed ransomware purely for political purposes," says Callow. "I find that absolutely fascinating and I'm surprised it didn't happen a long, long time ago. This is much more effective than waving posters in front of a puppy testing lab."