Cyber Threat Actor: Belarusian Cyber Partisans
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | Belarus | 9 incidents |
Profile
The Belarusian Cyber Partisans, also known as Cyber Partisans or BP, are a hacktivist group based in Belarus that describes itself as a collection of former IT specialists with deep ties to the country’s government. Their stated aim is to topple President Alexander Lukashenko’s regime by exposing corruption, human rights abuses and state surveillance activities. They have conducted operations against both Belarusian and Russian targets, focusing on government ministries, transportation infrastructure, airline systems and civil registries, with objectives that include disrupting logistics supporting Russian military movements, exfiltrating sensitive documents to undermine authority and pressuring authorities to meet political demands such as the release of prisoners and withdrawal of foreign troops.
Their observed tactics involve encrypting servers, databases and workstations to render critical systems inoperable, while deliberately avoiding automation and safety controls so as not to cause emergencies. They have compromised routing and switching devices on railway networks by encrypting stored data, gained access to domain controllers, backup servers and Veeam backup environments, and exploited a previously unexploited vulnerability to breach a Russian internet regulator’s network. The group has exfiltrated employee passport data, medical records, internal emails, surveillance project details and intercepted audio recordings of foreign embassy communications, often sharing proof of access via screenshots on Telegram and threatening to release the material to journalists or the public. They have also claimed possession of large volumes of voice call data, describing it as roughly 1.5 terabytes, equivalent to 50,000 hours of recordings involving tens of thousands of organizations and individuals.
Notable operations include the encryption of Belarusian Railway systems in early 2022 to impede Russian troop movements into Ukraine, the alleged year‑long compromise of Aeroflot’s network in mid‑2025 that disrupted flights and threatened passenger data exposure, and the 2022 breach of Roskomnadzor’s General Radio Frequency Center where they accessed internal documents concerning surveillance of journalists and online dissent. Earlier actions involved the release of intercepted Ministry of Internal Affairs audio in mid‑2022 and the 2021 exposure of COVID‑19 mortality data from the national civil status system that revealed figures far exceeding official reports. The group has linked several of these actions to a broader campaign they call “Inferno,” describing it as the largest series of sabotage cyberattacks in Belarusian history. Publicly available sources describe them as an anti‑government hacktivist collective without evidence of state sponsorship or criminal consortium affiliation.
