The Georgian CERT, while investigating a widespread cyberspying campaign against its ministries, parliament, critical infrastructure organizations, banks, and non-government organizations during 2011 and 2012, planted a malware-rigged ZIP file on one of its lab PCs under the enticing name "Georgian-Nato Agreement." The hacker ultimately grabbed the file and opened it, which ran malware that, unbeknownst to him, gave the CERT control over his machine.
The video surveillance and access to his machine provided the CERT with evidence, it says, that ties him to German and Russian hackers. The CERT also pinpointed the city where he's based, his ISP, his email address, and other incriminating information. "Then we captured video of him, personally. We have captured the process of creating new malicious modules. We have obtained a Russian document, from email, where he was giving someone instructions on how to use this malicious software and how to infect targets," the report says.
Whether ID'ing the alleged hacker will have any practical impact is unclear, but the Georgian CERT's actions represent what security experts consider the extreme end of offensive security: hacking back. Most experts don't recommend that tack, chiefly because it enters murky legal waters.
[How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense. See Turning Tables: ID'ing The Hacker Behind The Keyboard. ]
Dmitri Alperovitch, co-founder and CTO of CrowdStrike, pans hacking back as illegal. But there are situations, he says, where victims in the private sector could be covered by common law to defend their property (or data) by stealing it back. "The private sector has the authority under limited circumstances to go into that server and get their data back," Alperovitch says.
But that's only if the FBI or other authorities are unwilling or unable to step in, he says. There is no precedent here, however, he says, so there's no way to know how the courts would rule on the legalities of taking back stolen data. "You could only access your data, and would have no authority to destroy that [the attacker's] server or take any other action, we believe," he says.
The Georgian CERT says it infiltrated the mini-botnet, including its command-and-control servers, that was used to attack Georgian targets. There were 390 infected machines, 70 percent of which were in Georgia, 5 percent in the U.S., 4 percent in Canada, Ukraine, France, and China, 3 percent in Germany, and 3 percent in Russia.
The CERT blocked the six C&C IP addresses, alerted the infected organizations, and helped them clean up their infections. It also "cooperated with" the FBI, the U.S. Department of Homeland Security, the U.S. Secret Service, other law enforcement agencies, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, and Microsoft's Cybersecurity Division in the investigation, and provided information to security companies for blacklisting purposes.
According to the CERT's report, the CERT discovered evidence indicating that the hacker was tied to official Russian state organizations, specifically: Warynews.ru, the site that controlled the infected Georgian computers; IP and DNS servers that belong to the Russian Business Network; and www.rbc.ru, which was included in the malware code itself.
Graham Cluley, senior technology consultant at Sophos, says Russian authorities won't likely take any action, so even with the CERT's breadth of intelligence on the alleged attacker, it may ultimately be a dead end. "Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it's hard to imagine that action will be taken by the Moscow authorities against him," Cluley said today in a blog post.
Stephen Cobb, security evangelist of ESET, says the Georgian CERT's tactic could act as a deterrent. "It can be hard for cross-border law enforcement efforts to produce convictions, but putting faces on watch lists and wanted lists can crimp the travel plans of bad guys and make their lives a little less comfortable," Cobb says.
And even if this particular hacker is blacklisted in his own nation, like any persistent attacker, there will be others to take his place. But knocking these attackers "off the battlefield" is still a key strategy, CrowdStrike's Alperovitch says. "If you look at the really good ones ... they have a few hundred or a few thousand of them. Taking [some of] them off the battlefield, even though they are massive organizations, would still have a huge impact."