Feeds

To Russia with Love? Georgia snaps 'cyber-spy' with his own cam

Govt puts pics on internet - not much else they can do

Seven Steps to Software Security

Georgia has taken the unusual step of publishing photos of a man it suspects of being the hacker who has been attacking the former Soviet Republic's systems for months.

Photos of the alleged cyber-spy were captured after Georgia security experts set up a honeypot sting, tricking the person they believed to be the hacker into downloading what spoofed "sensitive information" before capturing the man's image using his own web cam.

The Register notes that the man pictured has not been charged with any crime, nor has he been proven to be involved in any hack attacks.

Investigators from the Georgian government's Computer Emergency Response Team (Cert.gov.ge) took the highly unusual step of publishing two photos of the man they suspect of being a cyber-spy in the government's official cybersecurity report (PDF). The series of malware-based attacks targeting Georgia government agencies and banks began around March 2011, the same time security analysts at the Georgian CERT launched an investigation.

The attacker(s) planted malicious code on various Georgian news sites but only inserted into stories featuring headlines involving US-Georgia relations and NATO, subjects likely to be of interest to his target audience. The tactic was used to seed infections associated with the Georbot information-stealing zombie network. Georbot managed to infect between 300 to 400 computer in Georgian government agencies alone.

Connections to the command and control server associated with the Georbot zombie network were blocked. In response, the hacker/s launched a further wave of attacks featuring emails featuring malicious attachments posing as PDF files, again designed to siphon off potentially interesting files from compromised Windows computers. The PDF attack was unusually sophisticated because it featured abuse of the XDP file format, a tactic that circumvented anti-virus defences for some months before security experts latched onto the trick, IT World reports.

The use of the tactic is clear evidence that the Georgians weren't dealing with a common-or-garden script-kiddies but a cadre of sophisticated hackers located in both Russia and, evidence suggested, Germany.

Georgian security experts launched a counter-offensive by deliberately allowing a machine to become infected. This computer contained an infected ZIP file, called "Georgian-Nato Agreement". An attack purportedly from the Russian suspect siphoned off this file, just as investigators hoped, before the hacker made the mistake of attempting to open it and view its contents, infecting his computer and opening a backdoor in the process.

Investigators were able to use their malware to capture the presumed perp's image. The attack also allowed them to root around his machine for sensitive documents. The Georgians claimed that one Word file they had siphoned off contained instructions on who to target and how to hack into targets in Russia, IT World adds.

The alleged perp, who was named only by his online nickname Eshkinot, is unlikely to have acted alone. Georgian authorities allege that Russian intelligence agencies are mixed up in an ongoing cyber-espionage operation, citing intelligence obtained from their counter offensive (including data from Georbot C&C systems, decrypted communication mechanisms and malicious files) as evidence. Nonetheless the allegation remains unproven.

The Georgian CERT paper concludes: "Advanced malicious software was collecting sensitive, confidential information about Georgian and American security documents and then uploading it to some of command and control Servers (which change[d] often upon detection).

"After investigating attackers' servers and malicious files, we have linked this cyber attack to Russian official security agencies."

The best evidence for this assertion is that a domain associated with the Russian Ministry of Internal Affairs, Department of Logistics, in Moscow was the source of spam emails bearing infectious PDF files spoofed to appear to come from admin@President.gov.ge”, an address ostensibly associated with the Georgian president. This is a bit circumstantial since it doesn't rule out the abuse of open relays at the Russian ministry to send "perfectly spoofed" spam or other trickery along these lines.

The Georgians also concluded that the IP and DNS servers used to control infected Georgian computers belonged to the Russian Business Network, better evidence but still not conclusive.

Motives for a Russian attack on the Georgian government are not hard to guess while it's far more difficult to imagine why anyone else would want to get involved.

Relations between Russia and Georgia remain poor four years after a dispute about the separatist ambitions of South Ossetia and Abkhazia led to an armed conflict between Georgia and Russia in August 2008. Diplomatic relations have been severed since so the chance of any prosecution of the alleged Russian hacker for attack on Georgia are extremely low. The 2008 conflict on the ground was accompanied by a side-show in cyberspace, featuring denial of service attacks and websites defacements targeting news outlets and government agencies on both side of the conflict, as summarised by Arbor Networks here. Most of these information warfare attacks were aimed at planting propaganda, in one way or another. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.