Cyber Incident Victim: Belarusian Railway
Date: Jan 2022
Location: Belarus
Summary
A hacktivist group known as Belarusian Cyber-Partisans encrypted servers, databases, and workstations of Belarusian Railway to disrupt operations, citing opposition to Russian military movements facilitated by the rail network. The attackers claimed to avoid impacting automation and security systems to prevent emergencies but compromised internal systems including domain controllers, backup servers, and online ticket services, causing temporary unavailability of electronic travel document issuance. The group demanded the release of 50 political prisoners and withdrawal of Russian troops from Belarus, offering to restore systems in exchange. This incident was part of a broader campaign labeled "Inferno," following prior attacks on another government-affiliated institution.
Description
On January 24, 2022, the Belarusian Cyber-Partisans hacktivist group claimed responsibility for encrypting servers belonging to the Belarusian Railway, the state-owned national rail operator. The attackers stated their action was a direct protest against the railway's role in facilitating Russian military movements into Belarus, alleging the company complied with orders from President Alexander Lukashenko to transport Russian troops and equipment. The group encrypted portions of the railway's infrastructure—including servers, databases, and workstations—but deliberately avoided compromising automation and security systems to prevent life-threatening emergencies. They announced possession of the encryption keys and offered to restore systems if two demands were met: the release of 50 political prisoners requiring medical care and the withdrawal of Russian military forces from Belarus. The hackers publicized their claims via Twitter and Telegram, where they shared screenshots as evidence of access to internal systems such as Veeam backup servers, a Windows domain controller, and a backup server reportedly containing tens of terabytes of data slated for destruction. One image depicted an SQL query error affecting the railway's online ticket service, corroborating operational disruption.

The attack caused immediate functional impairments, prompting Belarusian Railway to issue a public notice acknowledging technical issues affecting electronic ticket sales and advising passengers to use physical ticket offices while restoration efforts continued. No official statement attributed the outage to cyberattacks, but the timing aligned with the Cyber-Partisans' announcement. The group framed this incident as part of "Inferno," a broader sabotage campaign they described as the largest of its kind in Belarusian history, referencing a prior November 2021 attack where they allegedly encrypted the network of the Academy of Management under the President. While the railway's operational continuity measures mitigated total paralysis, the compromise demonstrated access to critical administrative and backup infrastructure, highlighting vulnerabilities in a strategically vital state entity. The incident underscored the intersection of geopolitical tensions and hacktivist operations during a period of heightened regional instability.
