To Russia with Love? Georgia snaps 'cyber-spy' with his own cam

Georgia has taken the unusual step of publishing photos of a man it suspects of being the hacker who has been attacking the former Soviet Republic's systems for months.

Photos of the alleged cyber-spy were captured after Georgia security experts set up a honeypot sting, tricking the person they believed to be the hacker into downloading what spoofed "sensitive information" before capturing the man's image using his own web cam.

The Register notes that the man pictured has not been charged with any crime, nor has he been proven to be involved in any hack attacks.

Investigators from the Georgian government's Computer Emergency Response Team (Cert.gov.ge) took the highly unusual step of publishing two photos of the man they suspect of being a cyber-spy in the government's official cybersecurity report (PDF). The series of malware-based attacks targeting Georgia government agencies and banks began around March 2011, the same time security analysts at the Georgian CERT launched an investigation.

The attacker(s) planted malicious code on various Georgian news sites but only inserted into stories featuring headlines involving US-Georgia relations and NATO, subjects likely to be of interest to his target audience. The tactic was used to seed infections associated with the Georbot information-stealing zombie network. Georbot managed to infect between 300 to 400 computer in Georgian government agencies alone.

Connections to the command and control server associated with the Georbot zombie network were blocked. In response, the hacker/s launched a further wave of attacks featuring emails featuring malicious attachments posing as PDF files, again designed to siphon off potentially interesting files from compromised Windows computers. The PDF attack was unusually sophisticated because it featured abuse of the XDP file format, a tactic that circumvented anti-virus defences for some months before security experts latched onto the trick, IT World reports.

The use of the tactic is clear evidence that the Georgians weren't dealing with a common-or-garden script-kiddies but a cadre of sophisticated hackers located in both Russia and, evidence suggested, Germany.

Georgian security experts launched a counter-offensive by deliberately allowing a machine to become infected. This computer contained an infected ZIP file, called "Georgian-Nato Agreement". An attack purportedly from the Russian suspect siphoned off this file, just as investigators hoped, before the hacker made the mistake of attempting to open it and view its contents, infecting his computer and opening a backdoor in the process.

Investigators were able to use their malware to capture the presumed perp's image. The attack also allowed them to root around his machine for sensitive documents. The Georgians claimed that one Word file they had siphoned off contained instructions on who to target and how to hack into targets in Russia, IT World adds.

The alleged perp, who was named only by his online nickname Eshkinot, is unlikely to have acted alone. Georgian authorities allege that Russian intelligence agencies are mixed up in an ongoing cyber-espionage operation, citing intelligence obtained from their counter offensive (including data from Georbot C&C systems, decrypted communication mechanisms and malicious files) as evidence. Nonetheless the allegation remains unproven.

The Georgian CERT paper concludes: "Advanced malicious software was collecting sensitive, confidential information about Georgian and American security documents and then uploading it to some of command and control Servers (which change[d] often upon detection).

"After investigating attackers' servers and malicious files, we have linked this cyber attack to Russian official security agencies."

The best evidence for this assertion is that a domain associated with the Russian Ministry of Internal Affairs, Department of Logistics, in Moscow was the source of spam emails bearing infectious PDF files spoofed to appear to come from admin@President.gov.ge”, an address ostensibly associated with the Georgian president. This is a bit circumstantial since it doesn't rule out the abuse of open relays at the Russian ministry to send "perfectly spoofed" spam or other trickery along these lines.

The Georgians also concluded that the IP and DNS servers used to control infected Georgian computers belonged to the Russian Business Network, better evidence but still not conclusive.

Motives for a Russian attack on the Georgian government are not hard to guess while it's far more difficult to imagine why anyone else would want to get involved.

Relations between Russia and Georgia remain poor four years after a dispute about the separatist ambitions of South Ossetia and Abkhazia led to an armed conflict between Georgia and Russia in August 2008. Diplomatic relations have been severed since so the chance of any prosecution of the alleged Russian hacker for attack on Georgia are extremely low. The 2008 conflict on the ground was accompanied by a side-show in cyberspace, featuring denial of service attacks and websites defacements targeting news outlets and government agencies on both side of the conflict, as summarised by Arbor Networks here. Most of these information warfare attacks were aimed at planting propaganda, in one way or another. ®