Say 'Cheese': Georgian Nation Makes Offense Its Defense

Georgia's CERT tricks alleged Russian hacker with phony file, records him via his computer, and ID's him

Calls for offensive security are all the rage these days for derailing cyberespionage, and organizations such as the nation of Georgia's Computer Emergency Response Team are aggressively embracing it: The CERT revealed in a new report that it set a trap that basically hacked an alleged cyberspy and recorded his activity via his computer's camera.

The Georgian CERT, while investigating a widespread cyberspying campaign against its ministries, parliament, critical infrastructure organizations, banks, and non-government organizations during 2011 and 2012, planted a malware-rigged ZIP file on one of its lab PCs with the juicy name "Georgian-Nato Agreement." The hacker ultimately grabbed the file and opened it, which ran malware that unbeknownst to him gave the CERT control over his machine.

The video surveillance and access to his machine provided the CERT with evidence, it says, that ties him to German and Russian hackers. The CERT also pinpointed the city where he's based, his ISP, his email, and other incriminating information. "Then we captured video of him, personally. We have captured the process of creating new malicious modules. We have obtained a Russian document, from email, where he was giving someone instructions on how to use this malicious software and how to infect targets," the report says.

Whether ID'ing the alleged hacker will have any impact is unclear, but the Georgian CERT's actions represent what security experts consider the extreme in offensive security, hacking back. Most experts don't recommend that tack, mainly since it enters murky legal waters.

[How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, pans hacking back as illegal. But there are situations where victims in the private sector could be covered by common law to defend their property, or data, by stealing it back. "The private sector has the authority under limited circumstances to go into that server and get their data back," Alperovitch says.

But that's only if the FBI or other authorities are unwilling or unable to step in, he says. There is no precedent here, however, he says, so there's no way to know how the courts would rule on the legalities of taking back stolen data. "You could only access your data, and would have no authority to destroy that [the attacker's] server or take any other action, we believe," he says.

The Georgian CERT says it infiltrated the mini-botnet, including the command-and-control servers, used to hack into its interests. There were 390 infected machines, 70 percent of which were in Georgia, 5 percent in the U.S., 4 percent in Canada, Ukraine, France, and China, 3 percent in Germany, and 3 percent in Russia.

The CERT blocked the six C&C IP addresses and alerted the infected organizations and helped them clean up their infections. It also "cooperated with" the FBI, U.S. Department of Homeland Security, U.S. Secret Service, other law enforcement, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, and Microsoft's Cybersecurity Division in the investigation as well as providing information to security companies for blacklisting purposes.

According to the CERT's report, the CERT discovered evidence that indicated that the hacker was tied to official Russian state organizations, specifically: Warynews.ru, the site that controlled infected Georgian computers; IP and DNS servers that belong to the Russian Business Network; and www.rbc.ru, which was included in the malware code itself.

Graham Cluley, senior technology consultant at Sophos, says Russian authorities won't likely take any action, so even with the CERT's breadth of intelligence on the alleged attacker, it may ultimately be a dead end. "Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it's hard to imagine that action will be taken by the Moscow authorities against him," Cluley said today in a blog post.

Stephen Cobb, security evangelist of ESET, says the Georgian CERT's tactic could act as a deterrent. "It can be hard for cross-border law enforcement efforts to produce convictions, but putting faces on watch lists and wanted lists can crimp the travel plans of bad guys and make their lives a little less comfortable," Cobb says.

And even if this particular hacker is blacklisted in his own nation, like any persistent attacker, there will be others to take his place. But knocking these attackers "off the battlefield" is still a key strategy, CrowdStrike's Alperovitch says. "If you look at the really good ones ... they have a few hundred or a few thousand of them. Taking [some of] them off the battlefield, even though they are massive organizations, would still have a huge impact."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
11/20/2012 | 6:01:58 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense

I wouldn't do it myself, but it's hard to blame anyone but the hacker who got hacked himself. They who live by the sword shall die by the sword.

User Rank: Ninja
11/5/2012 | 3:32:37 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense

like a great offensive and strategy to gain back your company's stolen data. Does sound a bit sketchy when discussing the legality of it, but is it stealing if it is already yours? When does the company draw the line? What happens when you get the angry IT security guy who wants to teach the hacker a lesson, and goes too far? If security is an issue and it is that severe of a threat then maybe I would invest in other options for information security. So am I understanding this correctly: does CERT only intervene after an issue or data has been stolen, or are they making moves based upon who they believe to be threats? If they do not wait, then what difference are they compared to the hackers they are seeking out?