{"id":18086,"date":"2022-02-02T10:50:15","date_gmt":"2022-02-02T18:50:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11819\/"},"modified":"2022-02-02T10:50:15","modified_gmt":"2022-02-02T18:50:15","slug":"news-11819","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11819\/","title":{"rendered":"Why the Belarus Railways Hack Marks a First for Ransomware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61f0392fb92104f9e83d16a1\/master\/pass\/Security-Belarus-Ransomware-1141629592.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Tue, 25 Jan 2022 21:28:23 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/andy-greenberg\">Andy Greenberg<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">For years, idealistic<\/span> <a href=\"https:\/\/www.wired.com\/story\/hacktivism-sudan-ddos-protest\/\">hacktivists have disrupted<\/a> corporate and government IT systems in acts of protest. Cybercriminal gangs, meanwhile, have increasingly held hostage the <a href=\"https:\/\/www.wired.com\/story\/ransomware-2020-headed-down-dire-path\/\">same sort of enterprise networks with ransomware<\/a>, encrypting their data and extorting them for profit. 
Now, in the geopolitically charged case of a hacktivist attack on the Belarusian railway system, those two veins of coercive hacking appear to be merging.<\/p>\n<p class=\"paywall\">On Monday, a group of politically motivated Belarusian hackers known as the Belarusian Cyber Partisans announced <a data-offer-url=\"https:\/\/twitter.com\/cpartisans\/status\/1485618881557315588\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/cpartisans\/status\/1485618881557315588&quot;}\" href=\"https:\/\/twitter.com\/cpartisans\/status\/1485618881557315588\" rel=\"nofollow noopener\" target=\"_blank\">on Twitter<\/a> and Telegram that they had breached the computer systems of Belarusian Railways, the country&#x27;s national train system, as part of a hacktivist effort the attackers call Scorching Heat. The hackers have since <a data-offer-url=\"https:\/\/twitter.com\/cpartisans\/status\/1486090490655252481?s=20\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/cpartisans\/status\/1486090490655252481?s=20&quot;}\" href=\"https:\/\/twitter.com\/cpartisans\/status\/1486090490655252481?s=20\" rel=\"nofollow noopener\" target=\"_blank\">posted screenshots<\/a> that appeared to show their access to the railway\u2019s backend systems and claimed to have encrypted its network with malware, for which they would only provide decryption keys if the Belarus government met a list of demands. 
They\u2019ve called for the release of 50 political prisoners detained in the midst of the country\u2019s protests against dictator Alexander Lukashenko, as well as a commitment from Belarusian Railways to not transport Russian troops as the Kremlin prepares for a possible invasion of Ukraine on multiple fronts.<\/p>\n<p class=\"paywall\">The hackers appear to have successfully made at least some of Belarusian Railways&#x27; databases inaccessible on Monday, according to Franak Via\u010dorka, a technical advisor to Belarusian opposition leader Sviatlana Tsikhanouskaya. Via\u010dorka says he confirmed the database outages with Belarusian Railway workers. The railway&#x27;s online ticketing system was also taken down Monday; on Tuesday it displayed a message that \u201cwork is underway to restore the performance of the system\u201d but remained offline.<\/p>\n<p class=\"paywall\">\u201cAt the command of the terrorist Lukashenka, #Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR&#x27;s servers, databases, and workstations to disrupt its operations,\u201d the Cyber Partisan hackers wrote on Twitter Monday, noting that the hackers were careful not to affect \u201cautomation and security systems\u201d that could cause dangerous railway conditions.<\/p>\n<p class=\"paywall\">Cybersecurity researchers have yet to independently confirm what sort of ransomware was used to encrypt Belarusian Railways&#x27; systems. But a spokesperson for Cyber Partisans, Yuliana Shemetovets, wrote to WIRED that while the hackers permanently deleted some backup systems, others were merely encrypted and could be decrypted if the hackers provide the keys. 
Shemetovets added that the ransomware the hackers used \u201cwas specially created but based on common practice in this field.\u201d<\/p>\n<p class=\"paywall\">Using reversible encryption rather than merely wiping targeted machines would represent a new evolution in hacktivist tactics, says Brett Callow, a ransomware-focused researcher at security firm Emsisoft. \u201cThis is the first time I can recall non-state actors having deployed ransomware purely for political objectives,\u201d says Callow. \u201cI find this absolutely fascinating, and I\u2019m surprised it didn\u2019t happen a long, long time ago. It\u2019s far more effective than waving placards outside a puppy testing lab.\u201d<\/p>\n<p class=\"paywall\">Ransomware\u2014and destructive malware purporting to be ransomware\u2014has certainly been used for political coercion in the past. North Korean hackers, for instance, <a href=\"https:\/\/www.wired.com\/story\/doj-north-korea-hacker-sony-wannacry-complaint\/\">planted destructive malware on machines across the network of Sony Pictures<\/a> in 2014. Posing as hacktivists going by the name Guardians of Peace, they appear to have sent an email demanding payment prior to the attack, then pressured the company not to release the Kim Jong-un assassination comedy <em>The Interview<\/em>. In 2016 and 2017 the <a href=\"https:\/\/www.wired.com\/story\/sandworm-kremlin-most-dangerous-hackers\/\">Russian hackers known as Sandworm<\/a>, part of the country&#x27;s GRU military intelligence agency, used fake ransomware as a means to destroy computers across Ukraine\u2014<a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/\">and ultimately hundreds of other networks around the world<\/a>\u2014while posing as profit-seeking cybercriminals. 
(Unidentified hackers <a href=\"https:\/\/www.wired.com\/story\/russia-ukraine-destructive-cyberattacks-ransomware-data-wiper\/\">appear to have targeted systems in Ukraine with the same tricks<\/a>, on a much smaller scale, earlier this month.)<\/p>\n<p class=\"paywall\">Even if the Cyber Partisans&#x27; ransomware turns out to be a thin disguise for irreversibly destructive malware, as in those earlier cases, the incident still seems to represent a new phenomenon. The group appears to be actual, bona fide hacktivists rather than state-sponsored hackers posing as such. \u201cAt the risk of maybe eating crow in a few years, the Cyber Partisans seem like a more authentic effort,\u201d says Juan Andres Guerrero-Saade, a researcher at security firm SentinelOne who gave a talk at last year&#x27;s CyberwarCon conference about the state of modern hacktivism. \u201cWe&#x27;ve seen fake ransomware being used by fake hacktivism, but I don&#x27;t think we&#x27;ve ever seen this tactic being used by real hacktivism in any way that I can recall.\u201d<\/p>\n<p class=\"paywall\">The Cyber Partisans are genuine grassroots hacktivists, says Via\u010dorka, the technical advisor to Belarus&#x27; opposition party. 
Since last summer, the <a data-offer-url=\"https:\/\/www.technologyreview.com\/2021\/08\/26\/1033205\/belarus-cyber-partisans-lukashenko-hack-opposition\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.technologyreview.com\/2021\/08\/26\/1033205\/belarus-cyber-partisans-lukashenko-hack-opposition\/&quot;}\" href=\"https:\/\/www.technologyreview.com\/2021\/08\/26\/1033205\/belarus-cyber-partisans-lukashenko-hack-opposition\/\" rel=\"nofollow noopener\" target=\"_blank\">group has rampaged<\/a> through Belarusian state systems, breaching government and police databases and leaking their contents to show the inner workings of the government\u2019s crackdown on protestors and cover-up of Covid-19 infection rates. Via\u010dorka points out the group is a part of the Belarusian \u201cSupraciu,\u201d or \u201csolidarity,\u201d movement of political dissident activists calling for the overthrow of the dictatorial Lukashenko regime, and that Belarus designated that larger network as <a data-offer-url=\"https:\/\/news.zerkalo.io\/life\/6541.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/news.zerkalo.io\/life\/6541.html&quot;}\" href=\"https:\/\/news.zerkalo.io\/life\/6541.html\" rel=\"nofollow noopener\" target=\"_blank\">terrorists in November of last year<\/a>.\u00a0<\/p>\n<p class=\"paywall\">He adds that while he and Belarus&#x27; opposition party have no connection to the Cyber Partisans, he fully supports their work. \u201cCyberspace has become the domain of battle in our fight for freedom,\u201d Via\u010dorka says. \u201cThis is not only their revenge on the regime but how we keep the regime accountable. 
[The Lukashenko regime] understands that everything they do, the decisions they make, the crimes they commit will be accounted.\u201d<\/p>\n<p class=\"paywall\">Whether the Cyber Partisans&#x27; ransomware attack on Belarusian Railways will be a tactical success remains far from clear. Security researchers like Guerrero-Saade and Callow point out that hackers who create their own custom ransomware\u2014as the Cyber Partisans claim to have done in this case\u2014often make mistakes that allow their targets to decrypt their systems. Even Via\u010dorka argues that the ransomware is unlikely to affect Belarusian Railways&#x27; movement of troops to the Ukrainian border. \u201cThe problem of such actions is that they\u2019re very powerful, very disruptive, but they\u2019re one-time, and when you make such an attack it\u2019s very difficult to repeat,\u201d Via\u010dorka says.<\/p>\n<p class=\"paywall\">Specific policy impacts, though, may only have been part of the broader objective. \u201cIt\u2019s too early to say if it was fully successful,\u201d writes Shemetovets, the Cyber Partisans spokesperson. \u201cThe goals that CPs set are hard to achieve, but it created a very serious pressure on the regime, disrupted the system, and showed that the dictator is not in control. It\u2019s too early to say if Russian troops were affected, but we hope that it will indirectly make an impact on their movements.\u201d<\/p>\n<p class=\"paywall\">In the larger view of hacktivism and ransomware, however, Guerrero-Saade argues that the Cyber Partisans&#x27; tactics could soon bleed out to other groups who see the power of ransomware to achieve political coercion\u2014for good and for ill\u2014and raise the stakes of Belarus&#x27; own political conflicts. \u201cThe looming horror of ransomware is precisely just how many systems are out there about whose criticality we don&#x27;t understand until they&#x27;re unavailable,\u201d Guerrero-Saade says. 
\u201cSo if this is a continued tactic of theirs, I think we&#x27;ll definitely see a ratcheting up of the pressure on both sides.\u201d<\/p>\n<p class=\"paywall\"><em>Additional reporting by Lily Hay Newman.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/belarus-railways-ransomware-hack-cyber-partisans\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61f0392fb92104f9e83d16a1\/master\/pass\/Security-Belarus-Ransomware-1141629592.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Tue, 25 Jan 2022 21:28:23 +0000<\/strong><\/p>\n<p>The politically\u00a0motivated attack represents a new frontier for hacktivists\u2014and won\u2019t be the last of its kind.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18086","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18086"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18086\/revisions"}],"wp:attachment":[{"href":"http
s:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}