The country of Georgia has long blamed hackers based in Russia for attacks upon its computer networks, injecting malicious code into websites, and planting spyware to steal classified information.
Now the Georgian government’s CERT (Computer Emergency Response Team) claims it has linked an internet attack to Russia’s security services, and even turned the tables on a hacker it believes was involved by secretly taking over his computer and taking video footage of him.
In a 27-page report [PDF], the Georgian government explains how in early 2011 Georgian news websites were hacked so that they exploited vulnerabilities in visitors' browsers and spread malware that hijacked infected computers and searched them for sensitive documents.
In addition to stealing Word documents, the malware could take screenshots and was later enhanced to spread via networks and eavesdrop on conversations via infected PCs’ webcams.
According to the CERT-Georgia report, an analysis of the attack’s command-and-control center revealed that at least 390 computers were infected in the attack. 70% of compromised PCs were based in Georgia, with other victims found in the USA, Canada, Ukraine, France, China, Germany and Russia.
Computers hit in Georgia were predominantly based in government agencies, banks and critical infrastructure, the report claims.
Georgian officials lay a trap
Georgia’s CERT deliberately infected one of its own PCs with the malware, and planted a ZIP file named “Georgian-Nato Agreement” on its drive, hoping it would prove irresistible to the hacker.
Sure enough, the hacker stole the archive file and ran malware that Georgia CERT had planted inside, meaning that investigators now had control over the hacker’s own computer.
This made it relatively child’s play to capture images of the suspect at work in front of his PC.
I bet he’s regretting not covering up his webcam now.
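The decoy-document part of the trap is a standard defensive technique (a honeyfile or honeytoken): a file with no real value is planted where only an intruder would read it, and any access to it is treated as a high-confidence alert. The script below is an added example of the detection side only; it is not code from CERT-Georgia's report. It assumes a hypothetical host audit log in the constructed `<ts> pid=<n> proc=<name> action=<verb> path=<path>` format, and the process names in the sample lines are invented.

```python
"""Honeyfile (decoy document) monitor. Added example, not from the CERT-Georgia report.
Assumes a hypothetical host-level file-access audit log in the constructed format:
    <timestamp> pid=<n> proc=<name> action=<read|write|delete> path=<path>
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Decoy name echoing the report; the file contents below are constructed and contain nothing real.
DECOY_NAME = "Georgian-Nato-Agreement.zip"

# Constructed log format (hypothetical); adapt the regex to whatever audit source you actually have.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) action=(?P<action>\w+) path=(?P<path>.+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    process: str
    path: str
    action: str


def plant_decoy(directory, name=DECOY_NAME):
    """Write a decoy file containing no real data; return (path, sha256) for later integrity checks."""
    path = os.path.join(directory, name)
    payload = b"DECOY - contains no real data. Any access to this file is suspicious.\n"
    with open(path, "wb") as f:
        f.write(payload)
    return path, hashlib.sha256(payload).hexdigest()


def detect_decoy_access(log_lines, decoy_paths, allowed_procs=("backup-agent",)):
    """Return one Alert per log line that touches a decoy path from a process not on the allowlist.

    The allowlist exists because legitimate tooling (backup, indexing, AV) will read the decoy too;
    everything else reading it is by definition unexpected.
    """
    decoys = set(decoy_paths)
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the monitor
        if m["path"] in decoys and m["proc"] not in allowed_procs:
            alerts.append(Alert(m["ts"], m["proc"], m["path"], m["action"]))
    return alerts


def decoy_intact(path, expected_sha256):
    """True if the decoy still exists and its contents are unchanged (a missing decoy is itself a signal)."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest() == expected_sha256
    except FileNotFoundError:
        return False


def demo():
    """Plant a decoy in a temp directory and run constructed audit lines through the detector."""
    with tempfile.TemporaryDirectory() as d:
        path, digest = plant_decoy(d)
        # Constructed audit lines: one allowlisted backup read, two actions by an unknown process, one junk line.
        lines = [
            f"2011-03-01T10:00:00Z pid=401 proc=backup-agent action=read path={path}",
            f"2011-03-01T10:05:12Z pid=9982 proc=unknown-updater.exe action=read path={path}",
            f"2011-03-01T10:05:13Z pid=9982 proc=unknown-updater.exe action=write path={path}.tmp",
            "this line is not in the expected format",
        ]
        alerts = detect_decoy_access(lines, [path])
        return len(alerts), (alerts[0].process if alerts else None), decoy_intact(path, digest)


if __name__ == "__main__":
    print(demo())  # → (1, 'unknown-updater.exe', True)
```

Only the read of the decoy itself fires; the write to a neighbouring `.tmp` path does not, because the decoy set is matched on exact path. In practice you would feed the detector from auditd, Sysmon or your EDR's file-access events rather than a text log, and you would also alert when `decoy_intact` turns false.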
Aside from capturing video footage of the alleged hacker, the CERT researchers claim that they also found a Russian-language email conversation on the suspect’s computer in which he gives instructions on how to use his malware and infect targets. Furthermore, the suspected hacker’s city, ISP, email address and other information were also acquired.
Curiously, a domain used by the attackers was registered to an address in Moscow belonging to the Russian Ministry of Internal Affairs, department of logistics – which just happens to be based close to the Russian Secret Service (FSB).
Furthermore, according to CERT-Georgia, websites used to control the infected Georgian computers have links with RBN, the notorious Russian Business Network.
Will this hacker ever be brought to justice?
Even though it appears that the Georgian authorities have gathered a lot of information about a man they strongly suspect of involvement in the attacks, it wouldn’t be a surprise if the authorities in Moscow turn a blind eye.
Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it’s hard to imagine that action will be taken by the Moscow authorities against him.
You can download the full report from the Georgian investigators here [PDF].
10 comments on “Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia”
Like the new style for articles.
Hmmm… I'm surprised he didn't notice the light come on.
Or he might have been Skyping and the authorities tapped into his webcam feed.
I'm surprised he wasn't running any security software… 😉
Who knew? Borat's a hacker…
"Even though it appears that the Georgian authorities have gathered a lot of information about a man they strongly suspect of involvement in the attacks, it wouldn't be a surprise if the authorities in Moscow turn a blind eye."
– plus the fact that the method of acquiring the information was probably illegal, surely?
Some places don't care about how the information was acquired, you're only talking about countries that have some kind of feelings for the citizens.
If you grab the correct item in the drivers you can bypass the LED turning on, so that's not a big deal; besides, he probably didn't think anyone could find him. If he is part of the security people, I'm sure he's protected from going to Georgia, but not from his own people!
Most cams had the light embedded in hardware, which turns the light on when power is up.
Wouldn't this be a kick in the pants. Someone hacks your system, steals a file from your machine, and then sues you for putting malware on their machine and spying on them.
I'm sure the CERT/Georgian Government acquired the appropriate warrants/permission to perform this action. And if they didn't, then they should be printing that paperwork up today (post-dated, of course).
"Wouldn't this be a kick in the pants. Someone hacks your system, steals a file from your machine, and then sues you for putting malware on their machine and spying on them."
Sounds so typical though…
Maybe the hacker will be punished for getting caught.