Attacks/Breaches
10/31/2012 04:50 PM

Say 'Cheese': Georgian Nation Makes Offense Its Defense

Georgia's CERT tricks alleged Russian hacker with phony file, records him via his computer, and ID's him

Calls for offensive security are all the rage these days as a way to derail cyberespionage, and organizations such as the nation of Georgia's Computer Emergency Response Team are aggressively embracing it: The CERT revealed in a new report that it set a trap that essentially hacked an alleged cyberspy and recorded his activity via his own computer's camera.

The Georgian CERT, while investigating a widespread cyberspying campaign against its ministries, parliament, critical infrastructure organizations, banks, and non-government organizations during 2011 and 2012, planted a malware-rigged ZIP file on one of its lab PCs with the juicy name "Georgian-Nato Agreement." The hacker ultimately grabbed the file and opened it, which ran malware that unbeknownst to him gave the CERT control over his machine.

The video surveillance and access to his machine provided the CERT with evidence, it says, that ties him to German and Russian hackers. The CERT also pinpointed the city where he's based, his ISP, his email, and other incriminating information. "Then captured got video of him, personally. We have captured process of creating new malicious modules. We have Obtained Russian Document, from email, where he was giving someone instructions how to use this malicious software and how to infect targets," the report says.

Whether ID'ing the alleged hacker will have any impact is unclear, but the Georgian CERT's actions represent what security experts consider the extreme end of offensive security: hacking back. Most experts don't recommend that tack, mainly because it enters murky legal waters.

[How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, pans hacking back as illegal. But there are situations where victims in the private sector could be covered by common law to defend their property -- or data -- by stealing it back. "The private sector has the authority under limited circumstances to go into that server and get their data back," Alperovitch says.

But that's only if the FBI or other authorities are unwilling or unable to step in, he says. There is no precedent here, however, he says, so there's no way to know how the courts would rule on the legalities of taking back stolen data. "You could only access your data, and would have no authority to destroy that [the attacker's] server or take any other action, we believe," he says.

The Georgian CERT says it infiltrated the mini-botnet, including the command-and-control servers, used to hack into its interests. There were 390 infected machines, 70 percent of which were in Georgia, 5 percent in the U.S., 4 percent in Canada, Ukraine, France, and China, 3 percent in Germany, and 3 percent in Russia.

The CERT blocked the six C&C IP addresses and alerted the infected organizations and helped them clean up their infections. It also "cooperated with" the FBI, U.S. Department of Homeland Security, U.S. Secret Service, other law enforcement, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, and Microsoft's Cybersecurity Division in the investigation as well as providing information to security companies for blacklisting purposes.

According to the CERT's report, the CERT discovered evidence indicating that the hacker was tied to official Russian state organizations -- specifically, Warynews.ru, the site that controlled infected Georgian computers; IP and DNS servers that belong to the Russian Business Network; and www.rbc.ru, which was included in the malware code itself.

Graham Cluley, senior technology consultant at Sophos, says Russian authorities won't likely take any action, so even with the CERT's breadth of intelligence on the alleged attacker, it may ultimately be a dead end. "Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it's hard to imagine that action will be taken by the Moscow authorities against him," Cluley said today in a blog post.

Stephen Cobb, security evangelist of ESET, says the Georgian CERT's tactic could act as a deterrent. "It can be hard for cross-border law enforcement efforts to produce convictions, but putting faces on watch lists and wanted lists can crimp the travel plans of bad guys and make their lives a little less comfortable," Cobb says.

And even if this particular hacker is blacklisted in his own nation, like any persistent attacker, there will be others to take his place. But knocking these attackers "off the battlefield" is still a key strategy, CrowdStrike's Alperovitch says. "If you look at the really good ones ... they have a few hundred or a few thousand of them. Taking [some of] them off the battlefield, even though they are massive organizations, would still have a huge impact."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
mday55401, User Rank: Apprentice, 11/20/2012 | 6:01:58 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense
I wouldn't do it myself, but it's hard to blame anyone but the hacker who got hacked himself. They who live by the sword shall die by the sword.
PJS880, User Rank: Ninja, 11/5/2012 | 3:32:37 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense

Sounds like a great offensive strategy to gain back your company's stolen data. Does sound a bit sketchy when discussing the legality of it, but is it stealing if it is already yours? When does the company draw the line? What happens when you get the angry IT security guy who wants to teach the hacker a lesson, and goes too far? If security is an issue and it is that severe of a threat, then maybe I would invest in other options for information security. So am I understanding this correctly: CERT only intervenes after an issue or data has been stolen, or are they making moves based upon who they believe to be threats? If they do not wait, then what difference are they compared to the hackers they are seeking out?

Paul Sprague
InformationWeek Contributor
