Feeds

To Russia with Love? Georgia snaps 'cyber-spy' with his own cam

Govt puts pics on internet - not much else they can do

Protecting users from Firesheep and other Sidejacking attacks with SSL

Georgia has taken the unusual step of publishing photos of a man it suspects of being the hacker who has been attacking the former Soviet Republic's systems for months.

Photos of the alleged cyber-spy were captured after Georgia security experts set up a honeypot sting, tricking the person they believed to be the hacker into downloading what spoofed "sensitive information" before capturing the man's image using his own web cam.

The Register notes that the man pictured has not been charged with any crime, nor has he been proven to be involved in any hack attacks.

Investigators from the Georgian government's Computer Emergency Response Team (Cert.gov.ge) took the highly unusual step of publishing two photos of the man they suspect of being a cyber-spy in the government's official cybersecurity report (PDF). The series of malware-based attacks targeting Georgia government agencies and banks began around March 2011, the same time security analysts at the Georgian CERT launched an investigation.

The attacker(s) planted malicious code on various Georgian news sites but only inserted into stories featuring headlines involving US-Georgia relations and NATO, subjects likely to be of interest to his target audience. The tactic was used to seed infections associated with the Georbot information-stealing zombie network. Georbot managed to infect between 300 to 400 computer in Georgian government agencies alone.

Connections to the command and control server associated with the Georbot zombie network were blocked. In response, the hacker/s launched a further wave of attacks featuring emails featuring malicious attachments posing as PDF files, again designed to siphon off potentially interesting files from compromised Windows computers. The PDF attack was unusually sophisticated because it featured abuse of the XDP file format, a tactic that circumvented anti-virus defences for some months before security experts latched onto the trick, IT World reports.

The use of the tactic is clear evidence that the Georgians weren't dealing with a common-or-garden script-kiddies but a cadre of sophisticated hackers located in both Russia and, evidence suggested, Germany.

Georgian security experts launched a counter-offensive by deliberately allowing a machine to become infected. This computer contained an infected ZIP file, called "Georgian-Nato Agreement". An attack purportedly from the Russian suspect siphoned off this file, just as investigators hoped, before the hacker made the mistake of attempting to open it and view its contents, infecting his computer and opening a backdoor in the process.

Investigators were able to use their malware to capture the presumed perp's image. The attack also allowed them to root around his machine for sensitive documents. The Georgians claimed that one Word file they had siphoned off contained instructions on who to target and how to hack into targets in Russia, IT World adds.

The alleged perp, who was named only by his online nickname Eshkinot, is unlikely to have acted alone. Georgian authorities allege that Russian intelligence agencies are mixed up in an ongoing cyber-espionage operation, citing intelligence obtained from their counter offensive (including data from Georbot C&C systems, decrypted communication mechanisms and malicious files) as evidence. Nonetheless the allegation remains unproven.

The Georgian CERT paper concludes: "Advanced malicious software was collecting sensitive, confidential information about Georgian and American security documents and then uploading it to some of command and control Servers (which change[d] often upon detection).

"After investigating attackers' servers and malicious files, we have linked this cyber attack to Russian official security agencies."

The best evidence for this assertion is that a domain associated with the Russian Ministry of Internal Affairs, Department of Logistics, in Moscow was the source of spam emails bearing infectious PDF files spoofed to appear to come from admin@President.gov.ge”, an address ostensibly associated with the Georgian president. This is a bit circumstantial since it doesn't rule out the abuse of open relays at the Russian ministry to send "perfectly spoofed" spam or other trickery along these lines.

The Georgians also concluded that the IP and DNS servers used to control infected Georgian computers belonged to the Russian Business Network, better evidence but still not conclusive.

Motives for a Russian attack on the Georgian government are not hard to guess while it's far more difficult to imagine why anyone else would want to get involved.

Relations between Russia and Georgia remain poor four years after a dispute about the separatist ambitions of South Ossetia and Abkhazia led to an armed conflict between Georgia and Russia in August 2008. Diplomatic relations have been severed since so the chance of any prosecution of the alleged Russian hacker for attack on Georgia are extremely low. The 2008 conflict on the ground was accompanied by a side-show in cyberspace, featuring denial of service attacks and websites defacements targeting news outlets and government agencies on both side of the conflict, as summarised by Arbor Networks here. Most of these information warfare attacks were aimed at planting propaganda, in one way or another. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.