Dark Reading is part of the Informa Tech Division of Informa PLC

Say 'Cheese': Georgian Nation Makes Offense Its Defense

Georgia's CERT tricks alleged Russian hacker with phony file, records him via his computer, and ID's him

Calls for offensive security are all the rage these days for derailing cyberespionage, and organizations such as the nation of Georgia's Computer Emergency Response Team are aggressively embracing it: The CERT revealed in a new report that it set a trap that basically hacked an alleged cyberspy and recorded his activity via his computer's camera.

The Georgian CERT, while investigating a widespread cyberspying campaign against its ministries, parliament, critical infrastructure organizations, banks, and non-government organizations during 2011 and 2012, planted a malware-rigged ZIP file on one of its lab PCs with the juicy name "Georgian-Nato Agreement." The hacker ultimately grabbed the file and opened it, which ran malware that unbeknownst to him gave the CERT control over his machine.

The video surveillance and access to his machine provided the CERT with evidence, it says, that ties him to German and Russian hackers. The CERT also pinpointed the city where he's based, his ISP, his email, and other incriminating information. "Then we captured video of him, personally. We have captured the process of creating new malicious modules. We have obtained a Russian document, from email, where he was giving someone instructions on how to use this malicious software and how to infect targets," the report says.

Whether ID'ing the alleged hacker will have any impact is unclear, but the Georgian CERT's actions represent what security experts consider the extreme in offensive security: hacking back. Most experts don't recommend that tack, mainly because it enters murky legal waters.

[How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, pans hacking back as illegal. But there are situations where victims in the private sector could be covered by common law to defend their property, or data, by stealing it back. "The private sector has the authority under limited circumstances to go into that server and get their data back," Alperovitch says.

But that's only if the FBI or other authorities are unwilling or unable to step in, he says. There is no precedent here, however, he says, so there's no way to know how the courts would rule on the legalities of taking back stolen data. "You could only access your data, and would have no authority to destroy that [the attacker's] server or take any other action, we believe," he says.

The Georgian CERT says it infiltrated the mini-botnet, including the command-and-control servers, used to hack into its interests. There were 390 infected machines, 70 percent of which were in Georgia, 5 percent in the U.S., 4 percent in Canada, Ukraine, France, and China, 3 percent in Germany, and 3 percent in Russia.

The CERT blocked the six C&C IP addresses and alerted the infected organizations and helped them clean up their infections. It also "cooperated with" the FBI, U.S. Department of Homeland Security, U.S. Secret Service, other law enforcement, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, and Microsoft's Cybersecurity Division in the investigation as well as providing information to security companies for blacklisting purposes.

According to its report, the CERT discovered evidence indicating that the hacker was tied to official Russian state organizations: specifically, Warynews.ru, the site that controlled infected Georgian computers; IP and DNS servers that belong to the Russian Business Network; and www.rbc.ru, which was included in the malware code itself.

Graham Cluley, senior technology consultant at Sophos, says Russian authorities won't likely take any action, so even with the CERT's breadth of intelligence on the alleged attacker, it may ultimately be a dead end. "Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it's hard to imagine that action will be taken by the Moscow authorities against him," Cluley said today in a blog post.

Stephen Cobb, security evangelist of ESET, says the Georgian CERT's tactic could act as a deterrent. "It can be hard for cross-border law enforcement efforts to produce convictions, but putting faces on watch lists and wanted lists can crimp the travel plans of bad guys and make their lives a little less comfortable," Cobb says.

And even if this particular hacker is blacklisted in his own nation, like any persistent attacker, there will be others to take his place. But knocking these attackers "off the battlefield" is still a key strategy, CrowdStrike's Alperovitch says. "If you look at the really good ones ... they have a few hundred or a few thousand of them. Taking [some of] them off the battlefield, even though they are massive organizations, would still have a huge impact."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
11/20/2012 | 6:01:58 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense
I wouldn't do it myself, but it's hard to blame anyone but the hacker who got hacked himself. They who live by the sword shall die by the sword.
User Rank: Ninja
11/5/2012 | 3:32:37 PM
re: Say 'Cheese': Georgian Nation Makes Offense Its Defense

like a great offensive strategy to gain back your company's stolen data. Does sound a bit sketchy when discussing the legality of it, but is it stealing if it is already yours? When does the company draw the line? What happens when you get the angry IT security guy who wants to teach the hacker a lesson, and goes too far? If security is an issue and it is that severe of a threat then maybe I would invest in other options for information security. So am I understanding this correctly: CERT only intervenes after an issue or data has been stolen, or are they making moves based upon who they believe to be threats? If they do not wait, then what difference are they compared to the hackers they are seeking out?


