Attacks/Breaches
10/31/2012
04:50 PM

Say 'Cheese': Georgian Nation Makes Offense Its Defense

Georgia's CERT tricks alleged Russian hacker with phony file, records him via his computer, and ID's him

Calls for offensive security as a way to derail cyberespionage are all the rage these days, and organizations such as the nation of Georgia's Computer Emergency Response Team are aggressively embracing it: The CERT revealed in a new report that it set a trap that essentially hacked an alleged cyberspy and recorded his activity via his own computer's camera.

The Georgian CERT, while investigating a widespread cyberspying campaign against its ministries, parliament, critical infrastructure organizations, banks, and non-government organizations during 2011 and 2012, planted a malware-rigged ZIP file on one of its lab PCs with the juicy name "Georgian-Nato Agreement." The hacker ultimately grabbed the file and opened it, which ran malware that, unbeknownst to him, gave the CERT control over his machine.
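The report describes a decoy file that ran malware on the attacker's machine; the page gives no detail on how that payload worked, and running code on someone else's computer is the legally fraught part of the story. The following is an added example, not code from the CERT's report, showing the benign version of the same trap that a defender can deploy without crossing that line: a bait ZIP whose contents merely fetch a unique beacon URL when opened, plus the detection logic that matches beacon hits in a web-server access log back to the planted decoy (yielding the opener's IP address and the time of access, which is the kind of attribution data the CERT reports obtaining). The beacon host `beacon.example.net`, the `/t/<token>` path, and the sample log lines are all constructed for this example.

```python
import os
import re
import secrets
import tempfile
import zipfile
from dataclasses import dataclass

# Hypothetical beacon host: the CERT's real infrastructure is not described on the page.
BEACON_BASE = "https://beacon.example.net/t/"


@dataclass(frozen=True)
class Decoy:
    name: str   # the enticing filename, e.g. "Georgian-Nato Agreement"
    token: str  # random id that ties a beacon hit back to this decoy


def plant_decoy(zip_path, name, registry):
    """Write a ZIP holding an HTML 'document' that loads a unique beacon URL when rendered.

    Nothing executes on the opener's machine beyond the URL fetch; the defender only
    learns that the decoy was opened, from where, and when.
    """
    token = secrets.token_hex(8)  # 16 hex chars, unguessable
    html = (
        f"<html><body><h1>{name}</h1>"
        f"<img src='{BEACON_BASE}{token}' width='1' height='1'></body></html>"
    )
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}.html", html)
    decoy = Decoy(name, token)
    registry[token] = decoy
    return decoy


# Combined-log-format line for a GET of the beacon path; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /t/(?P<token>[0-9a-f]{16}) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_beacon_hits(log_lines, registry):
    """Return one record per access-log line whose beacon token belongs to a planted decoy."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoy = registry.get(m.group("token"))
        if decoy is None:
            continue  # unknown token: scanner noise, not one of our decoys
        hits.append({"decoy": decoy.name, "ip": m.group("ip"), "time": m.group("ts")})
    return hits


def demo():
    """Plant a decoy, then run detection over constructed log lines.

    Returns (decoy, hits, token_present_in_zip) so the result can be checked programmatically.
    """
    registry = {}
    path = os.path.join(tempfile.mkdtemp(), "bait.zip")
    decoy = plant_decoy(path, "Georgian-Nato Agreement", registry)

    with zipfile.ZipFile(path) as zf:
        token_in_zip = decoy.token.encode() in zf.read(f"{decoy.name}.html")

    # Constructed sample log: one genuine beacon hit, one bogus token, one junk line.
    log_lines = [
        f'203.0.113.7 - - [31/Oct/2012:16:50:00 +0000] "GET /t/{decoy.token} HTTP/1.1" 200 43',
        '198.51.100.9 - - [31/Oct/2012:16:51:00 +0000] "GET /t/deadbeefdeadbeef HTTP/1.1" 404 0',
        "not a log line at all",
    ]
    return decoy, find_beacon_hits(log_lines, registry), token_in_zip


if __name__ == "__main__":
    _, hits, _ = demo()
    for h in hits:
        print(f"decoy {h['decoy']!r} opened from {h['ip']} at {h['time']}")
```

The token is the whole control: because it is random and per-decoy, a hit cannot be a coincidental crawl, and two decoys planted on different hosts tell you which host was looted. Geolocating the source IP and identifying its ISP is then the same passive lookup the article describes, with no access to the attacker's machine required.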

The video surveillance and access to his machine provided the CERT with evidence, it says, that ties him to German and Russian hackers. The CERT also pinpointed the city where he's based, his ISP, his email, and other incriminating information. "Then we captured video of him, personally. We have captured the process of creating new malicious modules. We have obtained a Russian document, from email, where he was giving someone instructions on how to use this malicious software and how to infect targets," the report says.

Whether ID'ing the alleged hacker will have any impact is unclear, but the Georgian CERT's actions represent what security experts consider the extreme in offensive security, hacking back. Most experts don't recommend that tack, mainly since it enters murky legal waters.

[How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, pans hacking back as illegal. But there are situations, he says, where private-sector victims could be covered under common law to defend their property, including their data, by taking it back. "The private sector has the authority under limited circumstances to go into that server and get their data back," Alperovitch says.

But that's only if the FBI or other authorities are unwilling or unable to step in, he says. There is no precedent here, however, he says, so there's no way to know how the courts would rule on the legalities of taking back stolen data. "You could only access your data, and would have no authority to destroy that [the attacker's] server or take any other action, we believe," he says.

The Georgian CERT says it infiltrated the mini-botnet, including the command-and-control servers, that was used to attack Georgian targets. There were 390 infected machines, 70 percent of which were in Georgia, 5 percent in the U.S., 4 percent each in Canada, Ukraine, France, and China, 3 percent in Germany, and 3 percent in Russia.

The CERT blocked the six C&C IP addresses and alerted the infected organizations and helped them clean up their infections. It also "cooperated with" the FBI, U.S. Department of Homeland Security, U.S. Secret Service, other law enforcement, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, and Microsoft's Cybersecurity Division in the investigation as well as providing information to security companies for blacklisting purposes.

According to the CERT's report, the CERT discovered evidence indicating that the hacker was tied to official Russian state organizations: specifically, Warynews.ru, the site that controlled the infected Georgian computers; IP and DNS servers that belong to the Russian Business Network; and www.rbc.ru, which was referenced in the malware code itself.

Graham Cluley, senior technology consultant at Sophos, says Russian authorities won't likely take any action, so even with the CERT's breadth of intelligence on the alleged attacker, it may ultimately be a dead end. "Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it's hard to imagine that action will be taken by the Moscow authorities against him," Cluley said today in a blog post.

Stephen Cobb, security evangelist of ESET, says the Georgian CERT's tactic could act as a deterrent. "It can be hard for cross-border law enforcement efforts to produce convictions, but putting faces on watch lists and wanted lists can crimp the travel plans of bad guys and make their lives a little less comfortable," Cobb says.

And even if this particular hacker is blacklisted in his own nation, like any persistent attacker, there will be others to take his place. But knocking these attackers "off the battlefield" is still a key strategy, CrowdStrike's Alperovitch says. "If you look at the really good ones ... they have a few hundred or a few thousand of them. Taking [some of] them off the battlefield, even though they are massive organizations, would still have a huge impact."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
mday55401, User Rank: Apprentice, 11/20/2012 6:01:58 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense
I wouldn't do it myself, but it's hard to blame anyone but the hacker who got hacked himself. They who live by the sword shall die by the sword.
PJS880, User Rank: Apprentice, 11/5/2012 3:32:37 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense
Sounds like a great offensive and strategy to gain back your company's stolen data. Does sound a bit sketchy when discussing the legality of it, but is it stealing if it is already yours? When does the company draw the line? What happens when you get the angry IT security guy who wants to teach the hacker a lesson, and goes too far? If security is an issue and it is that severe of a threat then maybe I would invest in other options for information security. So am I understanding this correctly: does CERT only intervene after an issue or data has been stolen, or are they making moves based upon who they believe to be threats? If they do not wait, then what difference are they compared to the hackers they are seeking out?
Paul Sprague, InformationWeek Contributor
