Russian hackers beaten at their own game

By Steve Elwart

In the world of cyber espionage, usually an attacker can lurk in the shadows unidentified, but through a combination of skill, timing and luck, one hacker has been exposed for all the world to see.

There are even pictures.

For years, the country of Georgia has accused Russia of making repeated attacks on their computer systems. Georgians have said that Moscow has probed their networks looking for classified information and planting computer viruses on their machines.

Georgia had little concrete evidence to prove these attacks were coming from Russia, but now, thanks to a lot of ingenuity and a little luck, they have not only identified where an attack was originating, but they have been able to put a face on an adversary.

In a recently released report, the Georgian government exposed the cyber attack from Russia and explained how Moscow used classic cyber warfare techniques to invade their national network, spreading a computer virus to steal closely held government information.

In addition to swiping documents, the computer virus could take control of a person’s webcam and take pictures of the victim. Hackers could also tap into the computer’s built-in microphone and listen in on private conversations without anyone the wiser.

In response, Georgia’s Computer Emergency Readiness Team, or CERT, was able to use Russia’s own cyber weapons against them and identify at least 390 computers that were exposed to attack. Seventy percent of the infected computers were based in Georgia, but computers in the United States, Canada, Ukraine, China and countries of Western Europe were also affected.

The infected computers were used primarily by the Georgian Parliament, government ministries, critical national infrastructures and non-government organizations.

In March 2011, CERT believed they were under attack by a hacker after a file on a computer belonging to a government official was flagged as “suspicious” by an antivirus program.

The virus was traced back to several Georgian websites that had been hacked and modified with the embedded virus.

The hacker’s attacks on the Georgian government were remarkably sophisticated. The hacker compromised Georgian news websites and infected articles that would attract the sort of readers he wanted to spy on. Only certain pages were infected: pages of interest to exactly those readers likely to have on their computers the information the hacker wanted to steal.

Once the virus loaded, it could search documents for specific words and then upload those documents to third-party servers for later retrieval.

Georgian news page with virus embedded in the code

The virus was also tuned to infect just those machines that were set to the local time in two time zones in Eastern Europe, the zones that covered Georgia. Even if the computers were located in other parts of the world, if their system time was set for one of these two time zones, they could be infected as well.

When the Georgians first became aware they may be under another attack, they set a trap for the hacker using a computer tool that has been around for over 20 years: the honey pot.

A honey pot is a trap set by computer professionals whose sole purpose is to entice a hacker into stealing it, much as a pot of honey lures Winnie the Pooh, the trap’s namesake.

It is placed in a network and made to look extremely valuable, but it actually contains no useful information. In the case of the Georgian attack, the honey pot was a document named “Georgian-NATO Agreement.”

The very same virus that Russia was using on Georgia was embedded in the document, which was then left dangling out on the network like a baited hook.

The hacker finally bit.

The hacker stole the file, and when it was opened, the virus was released, giving control of the hacker’s computer to the Georgians.
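The bait only pays off if someone is watching for it to leave the network. The following honeytoken monitor is an added example written for this article, not CERT’s tooling: it fingerprints a decoy document and flags any outbound transfer of it in an egress log, matching by content hash (which catches a renamed copy) as well as by file name. The log format, hosts and file contents are constructed for the demo.

```python
"""Detect exfiltration of a decoy document (a honeytoken) in egress logs.
Example code for this article; everything below is constructed."""
import hashlib
import re
from typing import Dict, List

# Constructed decoy. A real one would look like a plausible document.
DECOY_NAME = "Georgian-NATO Agreement.doc"
DECOY_BYTES = b"DECOY: Georgian-NATO Agreement (draft) -- no real content"
DECOY_SHA256 = hashlib.sha256(DECOY_BYTES).hexdigest()

# Constructed egress-proxy line format: time src -> dst name= sha256= bytes=
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) '
    r'name=(?P<name>"[^"]*"|\S+) sha256=(?P<sha>[0-9a-f]{64}) bytes=(?P<size>\d+)$'
)

def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into its fields; raise on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["name"] = rec["name"].strip('"')
    return rec

def find_decoy_exfil(log_text: str) -> List[Dict[str, str]]:
    """Return every transfer of the decoy, tagged with why it matched.
    A hash hit survives renaming; a name hit survives editing."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hash_hit = rec["sha"] == DECOY_SHA256
        name_hit = rec["name"].lower() == DECOY_NAME.lower()
        if hash_hit or name_hit:
            rec["reason"] = "hash" if hash_hit else "name"
            alerts.append(rec)
    return alerts

# Constructed sample log: one benign transfer, one renamed copy of the
# decoy, and one edited copy that kept the decoy's name.
OTHER_SHA = hashlib.sha256(b"quarterly budget").hexdigest()
SAMPLE_LOG = f"""
2011-03-02T10:14:07Z 10.0.5.21 -> files.example.net name="budget.xls" sha256={OTHER_SHA} bytes=40960
2011-03-02T10:15:31Z 10.0.5.21 -> drop.example.org name="doc1.bin" sha256={DECOY_SHA256} bytes={len(DECOY_BYTES)}
2011-03-02T10:16:02Z 10.0.7.9 -> drop.example.org name="Georgian-NATO Agreement.doc" sha256={OTHER_SHA} bytes=61
"""

if __name__ == "__main__":
    for a in find_decoy_exfil(SAMPLE_LOG):
        print(f"ALERT [{a['reason']}] {a['src']} -> {a['dst']} {a['name']}")
```

Both the renamed copy and the edited copy are flagged, while the benign transfer is not; in practice the decoy’s hash and name would also be fed to DLP and proxy rules so the alert fires before the file leaves.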

Picture of Russian hacker from his own webcam

To make the honey pot that much sweeter, CERT was able to get a clear video of the hacker at his computer.

Besides getting a clear video of the hacker, CERT was also able to capture the process of the hacker creating new malicious computer code.

The trap set by the Georgians was good for only 5-10 minutes, after which the hacker seemed to realize he had been hacked and dropped his connection, but by then it was too late.

CERT was able to examine the hacker’s files and determine the hacker’s city, Internet provider and email address. They were also able to retrieve a document, written in Russian, describing how the virus worked and how it targeted machines.

They also determined that the Internet provider the hacker used was registered to an address in Moscow belonging to the Russian Ministry of Internal Affairs, Department of Logistics, just down the street from the Russian Secret Service.

Links were also found tying the hacker to the cyber criminal group “Russian Business Network,” or RBN. One website, www.rbc.ru, was programmed directly into the virus to communicate back to the hackers if every other communication channel was closed. The official name for the website is “Russian Business Consulting,” a site that has links to the RBN.

CERT also discovered that 300 to 400 computers located in key government agencies were infected and transmitting sensitive documents to servers controlled by the hacker. The infected computers were also joined together in a remote controlled network called a “botnet.” This botnet controlled by the hacker was called “Georbot” (which was featured in a CERT report titled, “Georbot: From Russia with Love”).

After discovering the hack and where the documents were going, Georgia blocked connections to the servers receiving the documents, and the infected computers had the virus removed from their hard drives.

But despite the fact that the hacker knew he had been discovered, he redoubled his efforts. He sent a series of emails to government officials that appeared to come from the president of Georgia, with the address “[email protected].” Those emails also contained a virus embedded in an attachment that delivered the virus to those machines as well.

All of the evidence obtained by CERT led Georgia to the conclusion that the hacker was part of a skilled team of cyber spies with ties to Russian security agencies.

The hard lesson that Georgia has learned about being vulnerable to cyber attack is applicable to private individuals as well. Most home computer users do not realize that they are bringing into their home a powerful surveillance tool, one that can eavesdrop on conversations, watch their every movement near their computer, and follow every keystroke and mouse click they make.

What happened in Georgia could happen to anyone. There are now entire websites dedicated not only to trading personal information (i.e. credit card numbers and personal data) but also to trading images of “slaves” (usually women) whose computers have been infected and who are being spied upon, without their knowledge.

The other lesson of Georbot is that criminals are not the only ones who want to spy on people; governments want to as well.

Steve Elwart

Steve Elwart, P.E., Ph.D., is the executive research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security. He can be contacted at [email protected].
