Escalation on Ukrainian border leads to spike in ransomware and data leaks against Russia and Belarus

Quick Take

  • As the international community struggles to respond to the Russian military buildup on the Ukrainian border, independent hackers seem to be stepping in as a sort of digital resistance.
  • Cybersecurity experts anticipate more data leaks and ransomware attacks against political targets in the region. 

A wave of ransomware and data extraction attacks is building alongside Russian troops on the Ukrainian border. 

On January 24, a Belarusian hacktivist group called “Cyber Partisans” announced that it had captured elements of Belarusian Railways’ IT system via ransomware. 

Earlier activities by Cyber Partisans included modding Telegram to circumvent government restrictions. They are also associated with dissident media, including Nexta. 

The ransom the group demanded was, consequently, unusual: The release of 50 high-risk political prisoners and the refusal to allow Russian soldiers to continue to use Belarusian rails in a widescale buildup around the Ukrainian border.

The Ukrainian border has been at the center of geopolitical tensions as the Russian military continues to amass forces, seemingly in preparation for war. Leaders of both countries have denied that armed conflict is coming, but that has not done much to allay fears of what could be the first mass land war in Europe since World War II.

The situation has provoked responses from the international community. But among cyberactivists taking matters into their own hands, Cyber Partisans are hardly alone. 

On January 19, a hacker on Raid Forums first published nine gigabytes of internal data from major Russian defense contractor Almaz Antey. The leak was first publicized by news outlet Readovka. The Raid Forums user behind the leak said he was “returning the favor” for pro-Russian attacks on Ukrainians. They subsequently published more leaks from other contractors.

Cybersecurity experts say this is not the end. 

“Analysts expect a growing intensity of such leaks and attacks in the coming days,” an analyst for cybersecurity firm Flashpoint told The Block. “Flashpoint has observed a variety of viewpoints expressed by threat actors on Russian-speaking forums in the past years, suggesting that there is a possibility of back-and-forth offensive activity even without the direct involvement of state-backed groups.”

Flashpoint further noted, however, the recent return of previously published data leaks focusing on targets in Russia, Ukraine and Belarus. The increased attention, they say, means greater opportunities for financial gain. “Therefore, in the upcoming days and/or weeks there will likely be a number of previously published databases resurfacing in various communities,” the analyst continued.

Hacking has taken on a geopolitical dimension in Eastern Europe, especially Russia, in recent years. 2021 saw US President Joe Biden put Russia's ecosystem of ransomware gangs at the center of the relationship between the two countries. Earlier this month, Russian authorities conducted a widescale raid on REvil, one of the most notorious of those gangs. 

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.