Georgian cyber counterattack exposes Russian hacker seeking NATO document

Photo of alleged cyber-attacker according to Georgian security experts

From Jeremy Kirk, IDG News Service:  In an unprecedented move, the country of Georgia — irritated by persistent cyber-spying attacks — has published two photos of a Russia-based hacker who, the Georgians allege, waged a persistent, months-long campaign that stole confidential information from Georgian government ministries, parliament, banks and NGOs.

The photos are contained in a report that alleges the intrusions originated from Russia, which launched a five-day military campaign in August 2008 against Georgia that was preceded by a wave of cyberattacks.

The photos of the hacker were taken after investigators with the Georgian government's Computer Emergency Response Team (CERT-Georgia) managed to bait him into downloading what he thought was a file containing sensitive information. In fact, it contained its own secret spying program.

The hacker had been tricked and hacked, with his mugshot taken from his own webcam. . . .

The agency quickly discovered that 300 to 400 computers located in key government agencies were infected and transmitting sensitive documents to drop servers controlled by the hacker. The compromised computers formed a botnet nicknamed "Georbot."

The malicious software was programmed to search for specific keywords — such as USA, Russia, NATO and CIA — in Microsoft Word documents and PDFs, and was eventually modified to record audio and take screenshots. The documents were deleted within a few minutes from the drop servers, after the hacker had copied the files to his own PC. . . .
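The keyword-driven document selection described above is also the logic an incident responder needs when scoping such an intrusion: given a compromised host, which of its documents would the harvester have picked up? The script below is an added illustration written for this page, not CERT-Georgia's tooling or the Georbot code. It uses only the four keywords the article names, matches them as whole words so that "usage" is not a hit for "USA" (an assumption about how a careful harvester, or a careful triage script, behaves), reads .docx files without third-party libraries, and reports PDFs as unchecked rather than silently skipping them. The sample documents it scans are constructed in a temporary directory.

```python
"""Triage helper: which documents on a host match the Georbot-style keyword list?
Added illustration, not CERT-Georgia's tooling. Sample files are constructed."""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from xml.etree import ElementTree as ET

# Keywords named in the article. Matching is case-insensitive on whole words
# (assumption: a careful harvester would not treat "usage" as a hit for "USA").
KEYWORDS = ("USA", "Russia", "NATO", "CIA")
_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.IGNORECASE)

WORD_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def docx_text(path):
    """Extract the plain text of a .docx without third-party libraries:
    a .docx is a zip whose word/document.xml carries the body in <w:t> runs."""
    with zipfile.ZipFile(path) as zf:
        xml = zf.read("word/document.xml")
    root = ET.fromstring(xml)
    return " ".join(t.text or "" for t in root.iter(WORD_NS + "t"))


def keyword_hits(text):
    """Return the distinct keywords present in text, spelled as in KEYWORDS."""
    found = {m.group(1).upper() for m in _PATTERN.finditer(text)}
    return sorted(k for k in KEYWORDS if k.upper() in found)


def scan_tree(root):
    """Walk a directory; return ({relative_path: [keywords]}, [unchecked paths]).
    PDFs need a PDF text extractor, so they are listed as unchecked rather than
    dropped: the analyst must know what the scope estimate does not cover."""
    hits, unchecked = {}, []
    for p in sorted(Path(root).rglob("*")):
        suffix = p.suffix.lower()
        if suffix == ".docx":
            text = docx_text(p)
        elif suffix == ".txt":
            text = p.read_text(encoding="utf-8", errors="replace")
        elif suffix == ".pdf":
            unchecked.append(str(p.relative_to(root)))
            continue
        else:
            continue
        matched = keyword_hits(text)
        if matched:
            hits[str(p.relative_to(root))] = matched
    return hits, unchecked


def make_docx(path, paragraphs):
    """Build a minimal .docx (constructed test data) from a list of paragraphs."""
    doc = ET.Element(WORD_NS + "document")
    body = ET.SubElement(doc, WORD_NS + "body")
    for para in paragraphs:
        run = ET.SubElement(ET.SubElement(body, WORD_NS + "p"), WORD_NS + "r")
        ET.SubElement(run, WORD_NS + "t").text = para
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", ET.tostring(doc, encoding="unicode"))


def demo():
    """Constructed sample tree: two files the harvester would take, one it
    would not (the "Usage" near-miss), and one PDF left unchecked."""
    root = tempfile.mkdtemp(prefix="georbot-triage-")
    make_docx(os.path.join(root, "nato-brief.docx"),
              ["Draft agreement with NATO partners", "cc: embassy, Russia desk"])
    make_docx(os.path.join(root, "canteen.docx"),
              ["Usage of the canteen card", "Menu for Monday"])
    Path(root, "notes.txt").write_text("CIA liaison call at 10:00", encoding="utf-8")
    Path(root, "budget.pdf").write_bytes(b"%PDF-1.4\n")
    return scan_tree(root)


if __name__ == "__main__":
    hits, unchecked = demo()
    for path, kws in hits.items():
        print(f"{path}: {', '.join(kws)}")
    print("not checked:", unchecked)
```

Run it against a copied image of a suspect host (never the live machine) and the hit list is a first estimate of what may have left the network; the unchecked list is the part of that estimate still to be closed with a proper PDF extractor.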

Throughout 2011, the attacks continued and became more sophisticated. Investigators found the hacker was connected with at least two other Russian hackers as well as a German one. He was also active on some cryptography forums. Those clues, along with some weak security practices, allowed investigators to get closer to him.

Then, an irresistible trap was set.

They allowed the hacker to infect one of their computers on purpose. On that computer, they placed a ZIP archive entitled "Georgian-Nato Agreement." He took the bait, which caused the investigators’ own spying program to be installed.

From there, his webcam was turned on, which resulted in fairly clear photos of his face. But after five to 10 minutes, the connection was cut off, presumably because the hacker knew he had been hacked. But in those few minutes, his computer — like the ones he targeted in the Georgian government — was mined for documents.

One Microsoft Word document, written in Russian, contained instructions from the hacker’s handler over which targets to infect and how. Other circumstantial evidence pointing to Russian involvement included the registration of a website that was used to send malicious emails. It was registered to an address next to the country’s Federal Security Service, formerly known as the KGB, the report said.

"We have identified Russian security agencies, once again," it concludes.

From Infosecurity:  Georgia worked with the FBI, Department of Homeland Security, US Secret Service, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, the Microsoft Cybersecurity Division and various law-enforcement agencies to obtain log files and system images for forensic analysis. . . .

In all, CERT-Georgia found 390 infected computers, suggesting that the keyword-based news targeting was effective. About 70% of them were in Georgia, 5% in the US, and the rest scattered globally.  (photo: Daily Mail)
