The country of Georgia has long blamed hackers based in Russia for attacks upon its computer networks, injecting malicious code into websites, and planting spyware to steal classified information.
Now the Georgian government’s CERT (Computer Emergency Response Team) claims it has linked an internet attack to Russia’s security services, and even turned the tables on a hacker it believes was involved by secretly taking over his computer and taking video footage of him.
In a 27-page report [PDF], the Georgian government explains how, in early 2011, Georgian news websites were hacked in order to exploit vulnerabilities on visitors' computers and spread malware that hijacked infected machines and searched them for sensitive documents.
In addition to stealing Word documents, the malware could take screenshots and was later enhanced to spread via networks and eavesdrop on conversations via infected PCs’ webcams.
According to the CERT-Georgia report, an analysis of the attack’s command-and-control center revealed that at least 390 computers were infected in the attack. 70% of compromised PCs were based in Georgia, with other victims found in the USA, Canada, Ukraine, France, China, Germany and Russia.
Computers hit in Georgia were predominantly based in government agencies, banks and critical infrastructure, the report claims.
Georgian officials lay a trap
Georgia’s CERT deliberately infected one of its own PCs with the malware, and planted a ZIP file named “Georgian-Nato Agreement” on its drive, hoping it would prove irresistible for the hacker.
Sure enough, the hacker stole the archive file and ran the malware that CERT-Georgia had planted inside it, meaning that the investigators now had control over the hacker’s own computer.
This made it relatively child’s play to capture images of the suspect at work in front of his PC.
I bet he’s regretting not covering up his webcam now.
Aside from capturing video footage of the alleged hacker, the CERT researchers claim that they also found a Russian-language email conversation on the suspect’s computer in which he gives instructions on how to use his malware and infect targets. The suspected hacker’s city, ISP, email address and other information were also acquired.
Curiously, a domain used by the attackers was registered to an address in Moscow belonging to the Russian Ministry of Internal Affairs, department of logistics, which just happens to be based close to the Russian Secret Service (FSB).
Furthermore, according to CERT-Georgia, websites used to control the infected Georgian computers have links with RBN, the notorious Russian Business Network.
Will this hacker ever be brought to justice?
Even though it appears that the Georgian authorities have gathered a lot of information about a man they strongly suspect of involvement in the attacks, it wouldn’t be a surprise if the authorities in Moscow turned a blind eye.
Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it’s hard to imagine that action will be taken by the Moscow authorities against him.
You can download the full report from the Georgian investigators here [PDF].