Feeds

To Russia with Love? Georgia snaps 'cyber-spy' with his own cam

Govt puts pics on internet - not much else they can do

Providing a secure and efficient Helpdesk

Georgia has taken the unusual step of publishing photos of a man it suspects of being the hacker who has been attacking the former Soviet Republic's systems for months.

Photos of the alleged cyber-spy were captured after Georgia security experts set up a honeypot sting, tricking the person they believed to be the hacker into downloading what spoofed "sensitive information" before capturing the man's image using his own web cam.

The Register notes that the man pictured has not been charged with any crime, nor has he been proven to be involved in any hack attacks.

Investigators from the Georgian government's Computer Emergency Response Team (Cert.gov.ge) took the highly unusual step of publishing two photos of the man they suspect of being a cyber-spy in the government's official cybersecurity report (PDF). The series of malware-based attacks targeting Georgia government agencies and banks began around March 2011, the same time security analysts at the Georgian CERT launched an investigation.

The attacker(s) planted malicious code on various Georgian news sites but only inserted into stories featuring headlines involving US-Georgia relations and NATO, subjects likely to be of interest to his target audience. The tactic was used to seed infections associated with the Georbot information-stealing zombie network. Georbot managed to infect between 300 to 400 computer in Georgian government agencies alone.

Connections to the command and control server associated with the Georbot zombie network were blocked. In response, the hacker/s launched a further wave of attacks featuring emails featuring malicious attachments posing as PDF files, again designed to siphon off potentially interesting files from compromised Windows computers. The PDF attack was unusually sophisticated because it featured abuse of the XDP file format, a tactic that circumvented anti-virus defences for some months before security experts latched onto the trick, IT World reports.

The use of the tactic is clear evidence that the Georgians weren't dealing with a common-or-garden script-kiddies but a cadre of sophisticated hackers located in both Russia and, evidence suggested, Germany.

Georgian security experts launched a counter-offensive by deliberately allowing a machine to become infected. This computer contained an infected ZIP file, called "Georgian-Nato Agreement". An attack purportedly from the Russian suspect siphoned off this file, just as investigators hoped, before the hacker made the mistake of attempting to open it and view its contents, infecting his computer and opening a backdoor in the process.

Investigators were able to use their malware to capture the presumed perp's image. The attack also allowed them to root around his machine for sensitive documents. The Georgians claimed that one Word file they had siphoned off contained instructions on who to target and how to hack into targets in Russia, IT World adds.

The alleged perp, who was named only by his online nickname Eshkinot, is unlikely to have acted alone. Georgian authorities allege that Russian intelligence agencies are mixed up in an ongoing cyber-espionage operation, citing intelligence obtained from their counter offensive (including data from Georbot C&C systems, decrypted communication mechanisms and malicious files) as evidence. Nonetheless the allegation remains unproven.

The Georgian CERT paper concludes: "Advanced malicious software was collecting sensitive, confidential information about Georgian and American security documents and then uploading it to some of command and control Servers (which change[d] often upon detection).

"After investigating attackers' servers and malicious files, we have linked this cyber attack to Russian official security agencies."

The best evidence for this assertion is that a domain associated with the Russian Ministry of Internal Affairs, Department of Logistics, in Moscow was the source of spam emails bearing infectious PDF files spoofed to appear to come from admin@President.gov.ge”, an address ostensibly associated with the Georgian president. This is a bit circumstantial since it doesn't rule out the abuse of open relays at the Russian ministry to send "perfectly spoofed" spam or other trickery along these lines.

The Georgians also concluded that the IP and DNS servers used to control infected Georgian computers belonged to the Russian Business Network, better evidence but still not conclusive.

Motives for a Russian attack on the Georgian government are not hard to guess while it's far more difficult to imagine why anyone else would want to get involved.

Relations between Russia and Georgia remain poor four years after a dispute about the separatist ambitions of South Ossetia and Abkhazia led to an armed conflict between Georgia and Russia in August 2008. Diplomatic relations have been severed since so the chance of any prosecution of the alleged Russian hacker for attack on Georgia are extremely low. The 2008 conflict on the ground was accompanied by a side-show in cyberspace, featuring denial of service attacks and websites defacements targeting news outlets and government agencies on both side of the conflict, as summarised by Arbor Networks here. Most of these information warfare attacks were aimed at planting propaganda, in one way or another. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.