Cyber Incident Victim: Belarus
Date:
Feb 2022
Location:
Belarus
Summary
Activist hackers known as the Cyber Partisans compromised control systems of the Belarusian railway network, encrypting critical data on routing and switching devices to render them inoperable. This disruption halted train operations in multiple cities including Minsk, Orsha, and Osipovichi, aiming to impede the movement of Russian military forces into Ukraine.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 27, 2022, the activist hacker group Cyber Partisans claimed responsibility for a cyberattack targeting Belarusian railway infrastructure. The group breached computer systems controlling train operations, specifically compromising routing and switching devices critical to network functionality. By encrypting data stored on these devices, the hackers rendered them inoperable, disrupting rail traffic in multiple locations. The attack caused trains to halt in the capital city of Minsk, the northeastern city of Orsha, and the town of Osipovichi in central Belarus. This operational disruption directly impacted the physical movement of trains across affected segments of the national rail network.

The Cyber Partisans publicly stated their objective was to impede Russian military forces from utilizing Belarusian railways for troop or equipment movements into Ukraine amid the ongoing invasion. The group framed the attack as resistance against Belarus’s logistical support for Russian military operations. No technical details regarding the initial breach vector, duration of encryption, or specific malware used were disclosed in available reporting. The incident demonstrated direct interference with industrial control systems governing transportation infrastructure, linking cyber operations to tangible physical disruptions. Railway authorities did not release immediate statements confirming service restoration timelines or operational recovery measures following the attack.
