Hacktivist group shares details related to Belarusian Railways hack

The Belarusian Cyber Partisans disclosed documents related to a railway-targeting incident, and Curated Intelligence member SttyK reviewed them to study the methods used. The published material describes an incident aimed at hindering operations and details the compromised assets and the tools used during the attack. #BelarusianCyberPartisans #BelarusianRailways

Key points

  • The Belarusian Cyber-Partisans claimed responsibility for a limited attack against Belarusian Railways intended to hinder Russian troop movements in Belarus.
  • Curated Intelligence obtained documents from the group, which the firm says would help SttyK “understand some of the methods used.”
  • The stolen incident response report dates the initial compromise to 14 March 2021 and names the victim as the Academy of Public Administration under the President of Belarus.
  • Initial access cited includes a BlueKeep RCE (CVE-2019-0708) in RDP on Windows Server 2008 R2.
  • Attackers used proxy and tunneling tools (3proxy[.]ru, Chisel) and VPS-based hosting to conceal activity and enable persistence.
  • Credential dumping (Mimikatz), network discovery (Nmap), and remote execution (PsExec) were among the techniques described.
  • Data deletion from live and backup systems was reported, indicating destructive impact on employee data.

MITRE Techniques

  • [T1133] External Remote Services – Initial access via BlueKeep RCE (CVE-2019-0708) in RDP. “Initial access via BlueKeep RCE (CVE-2019-0708) in RDP in a Windows Server 2008 R2 system.”
  • [T1021] Remote Services – Lateral movement over RDP to reach the Domain Controller. “Use RDP to move laterally.”
  • [T1485] Data Destruction – Deleting data from live and backup systems. “Deleted data (such as employee records) from live and backup systems.”
  • [T1003] Credential Dumping – Dump LSASS using Mimikatz. “Mimikatz to dump LSASS.”
  • [T1046] Network Service Scanning – Identify systems with Nmap to discover targets (Port 3389 open). “Nmap to identify systems (used Nmap to identify systems with Port 3389 open).”
  • [T1059] Command and Scripting Interpreter – Use of Impacket tooling to execute commands remotely. (Referenced as “Impacket” in the materials.)
  • [T1572] Protocol Tunneling – Chisel used for tunneling communications. “Chisel – https://github.com/jpillora/chisel.”
  • [T1090] Proxy – Use of 3proxy[.]ru and VPS proxy to hide C2 communications. “3proxy[.]ru” and “VPS Proxy.”

Indicators of Compromise

  • [SHA256] 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71, bae88a899f41ddce157ed42a2a5f800cd00fcbc400a98a11a9563976ef4c9655
  • [File name] RemoteAdmin.exe, psexec.py
  • [Domain] 3proxy[.]ru, 3proxy.ru
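As an added defender-side example (not from Curated Intelligence or the report), the script below sweeps log lines for the hashes, file names and domain listed above, refanging the `[.]` notation first; the Sysmon/auditd-style log lines are constructed for the demonstration and the field layout is an assumption.

```python
import re

# Indicators copied from the IoC list above; the defanged domain is normalised below.
IOC_SHA256 = {
    "3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71",
    "bae88a899f41ddce157ed42a2a5f800cd00fcbc400a98a11a9563976ef4c9655",
}
IOC_FILENAMES = {"remoteadmin.exe", "psexec.py"}
IOC_DOMAINS_RAW = {"3proxy[.]ru", "3proxy.ru"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 3proxy[.]ru back into 3proxy.ru."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_RAW}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)
FILENAME_RE = re.compile(r"[\w.-]+\.(?:exe|py)\b", re.IGNORECASE)


def match_iocs(lines):
    """Return (line_number, ioc_type, value) for every indicator hit in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append((n, "sha256", h.lower()))
        for d in DOMAIN_RE.findall(line):
            if refang(d) in IOC_DOMAINS:
                hits.append((n, "domain", refang(d)))
        for f in FILENAME_RE.findall(line):
            if f.lower() in IOC_FILENAMES:
                hits.append((n, "filename", f.lower()))
    return hits


# Constructed sample log lines (Sysmon process-create, DNS query, and auditd style).
SAMPLE_LOGS = [
    r"2021-03-14T10:02:11Z sysmon EventID=1 Image=C:\Users\admin\Downloads\RemoteAdmin.exe "
    r"Hashes=SHA256=3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71",
    r"2021-03-14T10:05:40Z sysmon EventID=22 QueryName=3proxy.ru QueryStatus=0",
    r"2021-03-14T10:07:03Z sysmon EventID=1 Image=C:\Windows\System32\notepad.exe",
    r"2021-03-14T10:09:55Z auditd exe=/usr/bin/python3 cmd=python3 /opt/tools/psexec.py",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print("line %d: %s match -> %s" % hit)
```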

Read more: https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html