In January 2022, a small group of anonymous Belarusian hackers infiltrated the computer systems of Belarusian Railways and forced the network to revert to paper-based operations. The target was not the railway itself but the Russian military equipment flowing through Belarus toward Ukraine’s northern border in preparation for what Moscow was still calling joint military exercises. The Belarusian Cyber Partisans, a hacktivist collective numbering roughly 60 members, had disrupted the logistics of a continental military power without firing a shot, detonating a charge, or crossing a single border.
The railway hack is the most widely cited example of a broader phenomenon: the emergence of sabotage conducted through digital means by resistance movements operating against authoritarian states. From Belarus to Ukraine to Myanmar, non-state actors are weaponizing technical skills, open-source intelligence, and network vulnerabilities to achieve effects that previously required physical access to targets. This form of resistance occupies an evolving space at the intersection of hybrid warfare, hacktivism, and the underground resistance tradition.
The Belarusian Cyber Partisans: A Case Study
The Cyber Partisans emerged in September 2020 in the wake of mass protests against Alexander Lukashenko’s disputed presidential election. The initial membership consisted of roughly 15 Belarusian IT professionals, none of them professional hackers, who decided to apply their technical expertise against a regime that had violently suppressed street protests. Their early operations were symbolic: defacing state news websites to broadcast footage of police brutality, inserting the white-red-white opposition flag onto government portals, and placing Lukashenko on a police most-wanted list.
The group’s capabilities matured rapidly. In July 2021, the Cyber Partisans breached the Belarusian Ministry of Internal Affairs’ most sensitive databases, obtaining nearly two million minutes of recorded phone conversations, lists of police informants, personal data on government officials, and video footage from drone cameras and detention facilities. The data confirmed what independent observers had estimated: excess mortality during the COVID-19 pandemic in Belarus was approximately 32,000, a figure 14.4 times higher than the government’s official count.
By 2023, the group had penetrated the Belarus KGB’s computer network, compromising files on 8,600 employees and suppressing the KGB network for at least two months. In 2025, they disrupted Grodno Azot, Belarus’s largest state-run fertilizer manufacturer, gaining access to internal cameras, documents, emails, and even heating systems not connected to the internet. In July 2025, the Cyber Partisans collaborated with the Ukrainian hacker group Silent Crow to breach Russian state airline Aeroflot’s IT infrastructure, causing flight delays and cancellations. Each operation reflected growing sophistication in both technical execution and target selection.
Operational Methodology
The Cyber Partisans’ spokesperson, Yuliana Shemetovets, has described two primary operational approaches that parallel conventional military concepts. The first is what the group calls sabotage attacks: penetrating a network, executing specific tasks, and withdrawing while leaving dormant malware that can be activated later. The second is a persistent presence model, referred to internally as “holding the front line,” which focuses on maintaining undetected access to target systems over extended periods to extract intelligence continuously.
This dual methodology maps onto the traditional intelligence distinction between covert action and sustained collection. The railway disruption in January 2022 was a sabotage operation designed for immediate tactical effect. The long-term penetration of KGB systems served an intelligence function, providing data to journalists, human rights investigators, and, reportedly, Ukrainian intelligence services. The Center for European Policy Analysis (CEPA) has assessed that the Cyber Partisans function less like a traditional hacktivist group and more like an amateur intelligence service with a political mandate.
The group operates under strict security protocols. Members are anonymous even to each other. Recruitment involves rigorous vetting to filter potential infiltration by Belarusian or Russian intelligence services. Most members operate from exile in Lithuania, Poland, and other EU countries, though the group maintains that some members remain inside Belarus. The organizational structure resembles what social network analysis would classify as a cell-based network with compartmented knowledge, a pattern common to historical espionage and subversion operations.
Digital Resistance Operations Timeline
Ukraine’s IT Army: A Different Model
Ukraine’s approach to digital resistance differs fundamentally from the Belarusian model. In the first days of the 2022 Russian invasion, Ukraine’s Ministry of Digital Transformation publicly recruited international volunteers into what it branded the “IT Army of Ukraine,” a government-coordinated force that at its peak mobilized thousands of participants from dozens of countries. The IT Army focused primarily on large-scale distributed denial-of-service (DDoS) attacks against Russian government websites, financial services, transportation systems, and media outlets.
Where the Cyber Partisans operate as a small, clandestine cell focused on penetration and intelligence extraction, Ukraine’s IT Army functions as a mass-participation, decentralized strike force optimized for volume and disruption. The two models represent different positions on the spectrum of cyber capabilities available to resistance movements. The Belarusian approach prioritizes operational security, target selection, and sustained access. The Ukrainian approach leverages scale, speed, and the willingness of an international volunteer network to absorb the coordination costs of mass cyber operations.
Ukraine’s broader digital resistance extends well beyond the IT Army. Civilian intelligence collection via smartphone apps, social media documentation of war crimes for future legal proceedings, and the integration of open-source intelligence into military targeting have all become features of what military analysts at the Royal United Services Institute (RUSI) describe as the most digitally enabled conflict in history. The multi-domain character of the Ukraine conflict has made digital resistance not a supplement to physical warfare but a coequal domain of operations.
The Wider Landscape of Digital Sabotage
The Belarusian and Ukrainian cases are the most prominent, but digital sabotage by resistance movements is expanding globally. In Myanmar, resistance networks have used digital tools for secure communications, intelligence sharing, and coordination of operations against the military junta since the 2021 coup. The ghost union model that emerged in Belarus, where workers organized clandestine labor actions through encrypted digital channels, has influenced organizing tactics in other authoritarian environments.
The historical lineage of digital sabotage connects to the broader tradition documented in the history of sabotage. The OSS Simple Sabotage Field Manual of 1944 prescribed methods for disrupting enemy infrastructure through minimal, deniable actions by ordinary workers. The Cyber Partisans’ disruption of Belarusian Railways represents a direct conceptual descendant of that tradition: targeted disruption of logistics infrastructure by non-military actors using the tools available to them. The shift from wrenches to keyboards does not change the underlying strategic logic. OSS: Combined & Remastered, available from The Distillery Press, reproduces the original wartime manuals that established the doctrinal foundation for sabotage operations.
State Responses and the Authoritarian Counter
Authoritarian regimes have not been passive targets. Belarus has expanded its cybercrime legislation, designated the Cyber Partisans as terrorists, and increased KGB surveillance of digital communications. The regime requires internet service providers to install monitoring equipment that allows real-time tracking of browsing activity and interception of communications. Activists’ devices are targeted with spyware, and independent media platforms have been systematically blocked.
Russia has invested heavily in domestic internet control infrastructure, including the “sovereign internet” law that enables authorities to isolate the Russian segment of the internet from the global network. Chinese technical assistance has reportedly strengthened both Belarusian and Russian capabilities in network monitoring and content filtering. The weaponization of information is no longer a one-sided phenomenon: states are weaponizing digital infrastructure against their own populations with increasing sophistication.
The cat-and-mouse dynamic between digital resistance movements and state surveillance apparatus is intensifying. The Cyber Partisans have responded to improved state defenses by developing tools like Partisan Telegram, a modified version of the messaging app with features designed for activist safety, including voice-changing capabilities, accidental-tap protection, and disguise features that make it resemble the standard app during device inspections. The digital security and privacy domain is becoming as central to modern resistance operations as physical security was in earlier eras.
Implications for Irregular Warfare
The rise of digital sabotage as a resistance tool has several implications for the study and practice of irregular warfare.
First, it lowers the barrier to entry for resistance operations. The Cyber Partisans achieved strategic effects, disrupting Russian military logistics during the opening phase of a major war, with fewer than 20 active members and no physical weapons. This represents a force-multiplication ratio that no historical guerrilla movement has matched. The Distillery Press publication Resistance and the Cyber Domain explores how digital capabilities are reshaping the operational calculus for resistance movements.
Second, it creates new vulnerabilities for authoritarian states. Regimes that depend on centralized digital systems for surveillance, logistics, and communications expose themselves to disruption by technically skilled adversaries. The more a state digitizes its repression apparatus, the more attack surface it creates. The Cyber Partisans’ ability to suppress the KGB’s network for two months demonstrates that even a security service can become a target when its infrastructure is insufficiently hardened.
Third, digital sabotage complicates the traditional escalation dynamics of irregular conflict. A cyber operation that disrupts railway logistics occupies an ambiguous space in the spectrum of violence. It causes operational damage without casualties, making it difficult for the targeted state to justify kinetic retaliation without appearing disproportionate. This gray-zone characteristic is precisely what makes digital sabotage attractive to resistance movements operating in environments where armed conflict would be suicidal. The broader pattern mirrors the gray-zone dynamics visible across contemporary hybrid conflicts.
Lukashenko himself has acknowledged the threat in characteristically blunt terms, telling his ministers that he is “more scared of cyber weapons than nuclear weapons.” Whether or not the Cyber Partisans can ultimately contribute to political change in Belarus remains uncertain. But the operational model they have pioneered, a small, technically skilled, politically motivated resistance cell conducting sustained cyber operations against a state security apparatus, represents a template that will be replicated. Masters of Resistance provides the historical framework for understanding how resistance movements adapt new technologies to enduring strategic objectives.
