top of page

Details Of the Cyberattack On Grodno Azot

Grodno Azot is one of the largest enterprises in Belarus, a state-owned producer of nitrogen compounds and fertilisers. Since 2020, the management of this enterprise has engaged in political repression of employees and circumvented economic sanctions imposed by Western countries for supporting Lukashenko's regime. The systematic violation of human rights at Grodno Azot instigated a Cyberpartisan attack on 17 April 2024.


Screenshot from the official website of Grodno Azot after the Cyberpartisan attack
Screenshot from the official website of Grodno Azot after the Cyberpartisan attack

🔥 Operation of the boiler shop was disrupted.

🔥 Internal mail, document flow and hundreds of workplace computers were encrypted.

🔥 Backups (backups) of databases, servers, mail, document flow were destroyed.

🔥 Gained access to security systems and surveillance cameras.

🔥 The official website of the company was hacked.


 

How It Started


The Cyberpartisans were in the Grodno Azot network for several months. We conducted reconnaissance, obtained the information we needed and prepared the attack. For a long time, we studied the production processes of the enterprise so that our intervention would not harm ordinary employees and residents of Grodno.


Video from Grodno Azot checkpoint cameras
Video from Grodno Azot checkpoint cameras

During our time on the web we found quite a few interesting documents. For example, below is a document drawn up on behalf of the General Director of Grodno Azot - I. V. Lyashenko - which officially confirms the Cyberpartisan attack on BelZhD in February 2022, right after the Russian invasion of Ukraine.


Screenshot of an internal document of Grodno Azot OJSC
Screenshot of an internal document of Grodno Azot OJSC

At that time, our attack disrupted the movement of military echelons of Russian invaders. But it also affected other processes in the country, for example, it suspended the shipment of wagons with fertilisers in the sub-sanctioned enterprise "Grodno Azot". It is a rare case when our attack and its effectiveness is confirmed by the enemy side.



We Managed an Entire Enterprise


Over time, we penetrated the internal circuit of the Grodno Azot network - subnetworks of production control.


In this circuit it is possible to stop any workshop or production line. Even completely stop the operation of the enterprise. Of course, we did not consider such an option, as it could lead to a real catastrophe and harm civilians.


The Cyberpartisan participant responsible for this operation explains:

It was lucky that it was us who hacked and not some malicious people who could have caused a disaster. All production lines rely on energy, hot+cold water and steam. These products are "produced" in the boiler plant and the GTPP (gas turbine power plant). All of this was under our control.

The Cyberpartisans deliberately disrupted only the boiler shop, as we knew there were backup sources for power generation, and they would be able to take advantage of them. We had a good understanding of the internal processes of the plant and knew that this would not lead to dangerous consequences for people. But at the same time, we demonstrated our capabilities that we could really manage the operation of Grodno Azot.


The industrial controller control system of the boiler shop of Grodno Azot
The industrial controller control system of the boiler shop of Grodno Azot

Under Lukashenko, enterprises are under weak cyber defence, as there are not enough good specialists who would agree to work for the regime. This is a major security risk for all citizens of the country.


As one of the private cyberattackers shares:

The regime is protecting this network like a barn rather than an explosive enterprise. We have covered this issue with the BelNPP before. But the regime has not taken any significant steps to improve the security of such facilities.
Now we have covered this topic again, more vividly.


How the Attack Went


When we had sufficiently conducted cyber reconnaissance and obtained all the information we needed, we decided to launch an attack on Grodno Azot and encrypt all possible data.


By 9 a.m. on 17 April, the Cyberpartisans had encrypted hundreds of work computers. According to our calculations, between 500 and 1 thousand machines should have been infected. That's when we started wiping the data. In total, the company lost dozens of terabytes of information: databases, their backups, mail, document flow, etc. We wiped backup copies of the data.


Erasing data backups of Grodno Azot
Erasing data backups of Grodno Azot

Since the work of the internal network was seriously disrupted, the employees of the enterprise realised that an attack was being carried out. They even wrote about it on the official channel even before we reported the hack ourselves.


Screenshot of the news on 17.04.2024 from the Telegram channel "Grodno Chemist".
Screenshot of the news on 17.04.2024 from the Telegram channel "Grodno Chemist".

We also read internal correspondence of employees, where they discuss our attack, literally "live".


Screenshot of internal correspondence of Grodno Azot employees
Screenshot of internal correspondence of Grodno Azot employees

After the cyberattack was completed, we decided to disrupt the official Grodno Azot website as well. It is in fact only a showcase, the hacking of the site does not really interfere with the work of the enterprise. It was done to a greater extent so that anyone could see at least some of the results of our work. Usually, our subscribers are happy about it.


Screenshot from the official site of Grodno Azot after the attack of Cyberpartisans
Screenshot from the official site of Grodno Azot after the attack of Cyberpartisans

But the most serious consequences are, of course, the attack on the internal network of Grodno Azot, and the company has already recognised it very well.


The cyberattack on Grodno Azot is not only a punishment of the company's management for years of political repression of its employees, but also a warning for other enterprises and organisations in Belarus, which are also involved in similar activities. We clearly show that in one form or another, payback for the mockery of the Belarusian people can catch up (and will catch up sooner or later) everyone who participates in it. Today it is "Grodno Azot", tomorrow it may be the management of any other enterprise, institution, organisation, which violates the basic human rights to freedom of speech and expression in the Republic of Belarus.

Comentários


bottom of page