Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia

Filed Under: Botnet, Data loss, Featured, Law & order, Malware, Vulnerability

The country of Georgia has long blamed hackers based in Russia for attacks upon its computer networks, injecting malicious code into websites, and planting spyware to steal classified information.

Now the Georgian government's CERT (Computer Emergency Response Team) claims it has linked an internet attack to Russia's security services, and even turned the tables on a hacker it believes was involved by secretly taking over his computer and taking video footage of him.

In a 27-page report [PDF], the Georgian government explains how in early 2011 Georgian news websites were hacked in order to exploit vulnerabilities and spread malware that hijacked infected computers and searched for sensitive documents.

In addition to stealing Word documents, the malware could take screenshots and was later enhanced to spread via networks and eavesdrop on conversations via infected PCs' webcams.

According to the CERT-Georgia report, an analysis of the attack's command-and-control center revealed that at least 390 computers were infected in the attack. 70% of compromised PCs were based in Georgia, with other victims found in the USA, Canada, Ukraine, France, China, Germany and Russia.

Computers hit in Georgia were predominantly based in government agencies, banks and critical infrastructure, the report claims.

Georgian officials lay a trap

Georgia's CERT deliberately infected one of its own PCs with the malware, and planted a ZIP file named "Georgian-Nato Agreement" on its drive, hoping it would prove irresistible for the hacker.

Sure enough, the hacker stole the archive file and ran the malware that Georgia CERT had planted inside, meaning that investigators now had control over the hacker's own computer.

This made it relative child's play to capture images of the suspect at work in front of his PC.

Photos of suspected hacker

I bet he's regretting not covering up his webcam now.

Aside from capturing video footage of the alleged hacker, the CERT researchers claim that they also found a Russian email conversation on the suspect's computer in which he gives instructions on how to use his malware and infect targets. Furthermore, the suspected hacker's city, ISP, email address and other information were also acquired.

Curiously, a domain used by the attackers was registered to an address in Moscow belonging to the Russian Ministry of Internal Affairs, department of logistics - which just happens to be based close to the Russian Secret Service (FSB).

Address in Moscow

Furthermore, according to CERT-Georgia, websites used to control the infected Georgian computers have links with RBN, the notorious Russian Business Network.

Will this hacker ever be brought to justice?

Even though it appears that the Georgian authorities have gathered a lot of information about a man they strongly suspect of involvement in the attacks, it wouldn't be a surprise if the authorities in Moscow turn a blind eye.

Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it's hard to imagine that action will be taken by the Moscow authorities against him.

You can download the full report from the Georgian investigators here [PDF].


10 Responses to Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia

  1. Freida Gray · 539 days ago

    Like the new style for articles.

  2. Neddy · 538 days ago

    Hmmm... I'm surprised he didn't notice the light come on.
    Or he might have been Skyping and the authorities tapped into his webcam feed.

    • blake · 538 days ago

      I'm surprised he wasn't running any security software... ;)

  3. blake · 538 days ago

    Who knew? Borat's a hacker...

  4. blake · 538 days ago

    "Even though it appears that the Georgian authorities have gathered a lot of information about a man they strongly suspect of involvement in the attacks, it wouldn't be a surprise if the authorities in Moscow turn a blind eye."

    - plus the fact that the method of acquiring the information was probably illegal, surely?

  5. Jack · 538 days ago

    Some places don't care about how the information was acquired, you're only talking about countries that have some kind of feelings for the citizens.

    If you grab the correct item in the drivers you can bypass the LED turning on, so that's not a big deal, besides he probably didn't think anyone could find him. If he is part of the security people, I'm sure he's protected from going to Georgia, but not from his own people!

    • Jeremias · 538 days ago

      Most cams had the light embedded in hardware, which turns the light on when power is up.

  6. Doodle · 538 days ago

    Wouldn't this be a kick in the pants. Someone hacks your system, steals a file from your machine, and then sues you for putting malware on their machine and spying on them.
    I'm sure the CERT/Georgian Government acquired the appropriate warrants/permission to perform this action. And if they didn't, then they should be printing that paperwork up today (post dated of course).

  7. Ben · 538 days ago

    "Wouldn't this be a kick in the pants. Someone hacks your system, steals a file from your machine, and then sues you for putting malware on their machine and spying on them."

    Sounds so typical though...

    BB http://www.linkedin.com/in/bwrsbn

  8. Randy · 536 days ago

    Maybe the hacker will be punished for getting caught.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.