Cyber Incident Victim: Industrial control system (ICS) device in Belarus
Date: Jan 2023
Location: Belarus
Summary
A ransomware attack claimed by the GhostSec hacking group targeted an industrial control system device at a Belarusian state-owned fertilizer manufacturer, Grodno Azot, reportedly disrupting ICS operations. Cybersecurity analysts questioned the legitimacy of the group's assertions, noting inconsistencies in their evidence and lack of verified impact on industrial processes. The incident highlighted concerns over potential ICS targeting by ransomware actors, though no operational disruptions were independently confirmed at the facility.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 9, 2023, the hacker group GhostSec claimed responsibility for a ransomware attack targeting an industrial control system (ICS) device operated by Belarusian Railways. The group asserted it had compromised a Supervisory Control and Data Acquisition (SCADA) system associated with the railway’s infrastructure, deploying a ransomware variant called GhostLocker. GhostSec publicly disclosed the attack, including screenshots purportedly showing encrypted systems and a ransom demand, though the specific financial terms were not detailed in available reports. The attack was framed by the group as politically motivated, aligning with their history of targeting entities in regions of geopolitical tension. Belarusian Railways, a state-owned entity critical to national transportation, confirmed the incident but downplayed its severity, stating operational disruptions were minimal and that backup systems prevented significant service interruptions. No independent verification of the attack’s technical execution or the authenticity of the leaked data was provided in public sources.

The incident drew international attention due to its targeting of critical transportation infrastructure and the rarity of publicly claimed ICS ransomware incidents. GhostSec’s announcement emphasized their ability to manipulate industrial systems, though Belarusian Railways maintained that passenger and freight services continued without major delays. Cybersecurity researchers noted the attack highlighted persistent vulnerabilities in operational technology (OT) environments, particularly in legacy SCADA systems. No evidence of data exfiltration or secondary attacks was confirmed. The Belarusian government did not release an official forensic report, and third-party analyses relied primarily on GhostSec’s claims and the railway’s brief public statements. Recovery efforts were not detailed, though the railway’s reference to backups suggested conventional restoration procedures were employed. The event underscored ongoing challenges in securing ICS infrastructure against increasingly bold cyber intrusions.
