Belarusian Cyber-Partisans
Belarusian Cyber Partisans is a Belarusian hacktivist group that emerged after the 2020 mass protests in Belarus against President Alexander Lukashenko. The group is described in the provided content as anti-regime, anti-Russian, and pro-Ukraine, and has conducted cyber operations against Belarusian and Russian government institutions, critical infrastructure, and transportation targets. Known alias in the content: Belarusian Cyber-Partisans.
The group has carried out high-profile operations against Belarusian state institutions and the Belarusian railway network. In January 2022, it claimed responsibility for an attack on the Belarusian national railway company intended to hinder Russian troop movements inside Belarus; the railway's e-ticket systems were disrupted. Separate reporting in the content states the group conducted a ransomware attack on Belarusian Railway information systems and demanded political concessions rather than money, including the release of 50 political prisoners and the withdrawal of Russian troops. The group also announced it had targeted the Belarusian railway in support of Ukraine and in protest at Belarus's involvement in Russia's invasion.
The content also attributes operations against Russian targets to the group. Russia is seeking to designate Belarusian Cyber Partisans as an extremist organization and ban its activities in the country. The move followed claimed cyberattacks targeting Russian and Belarusian critical infrastructure and government institutions, including a July 2025 attack on Aeroflot conducted together with Silent Crow. According to the provided content, that operation disrupted more than 100 flights, affected roughly 20,000 passengers, and the attackers claimed to have destroyed Aeroflot's IT infrastructure and exfiltrated sensitive data including flight records, internal call recordings, and employee monitoring data. The group has also stated that it shared information obtained from hacked Russian entities with Ukrainian intelligence services and Western organizations.
Technical details in the content from a prior Belarusian government intrusion indicate the group used BlueKeep (CVE-2019-0708) for initial access via RDP on Windows Server 2008 R2, then used tools including 3proxy, Chisel, Nmap, and Mimikatz. Reported tradecraft included dumping LSASS credentials, lateral movement over RDP, TCP port forwarding to expose RDP for persistence, and deletion of employee and backup data. The group has also previously conducted government website defacements.
One source in the content describes the group as consisting of 15 self-taught hacktivists with alleged support from disaffected Belarusian security forces. Another source references Belarusian Cyber Partisans as an example in broader discussion of hacktivist and state-front activity, but the provided content does not directly attribute the group to a state sponsor. Silent Crow is mentioned as a separate group that collaborated with Belarusian Cyber Partisans on the Aeroflot attack, not as an alias or subgroup.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Transportation
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
- 🇧🇾 Belarus
- 🇺🇦 Ukraine
Where they're from
Attributed origin per open-source reporting.
- BY
Tradecraft
5 distinct techniques observed across reporting, grouped by tactic.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Hacktivist group that emerged after the 2020 Belarus protests and has conducted cyber operations against Belarusian state institutions, the Belarusian railway network, and Russian entities; it also claimed involvement in the 2025 Aeroflot attack and said it shared hacked information from Russian entities with Ukrainian intelligence services and Western organizations.
Referenced as an example hacktivist group in a framework discussing the hacktivism ecosystem and how such activity can be used to obscure intent and shape narratives.
Hacktivist group referenced in connection with an attack on Russian airline Aeroflot.
Opposition-aligned hacktivist group conducting a politically motivated ransomware attack against Belarusian Railway systems with non-monetary demands (release of political prisoners, troop withdrawal).