A Russian-based hacker has been unmasked as one of the attackers behind a long-standing campaign aimed at compromising computers belonging to Georgian ministries, parliament, banks and NGOs, and stealing information from them seemingly at the behest of Russian security agencies.
The Georgian Ministry of Justice and its LEPL Data Exchange Agency along with the nation’s CERT have released a report containing two pictures of the aforementioned hacker.
In the report, they tell of the initial discovery of the malware on a government-owned computer, and the investigation that revealed that additional 300 to 400 computers located in various government agencies were also compromised.
The attack began with the compromise of specific pages on Georgian news sites – pages that were likely to be visited by employees of the aforementioned targeted institutions. These “watering hole” sites were rigged to exploit vulnerabilities to automatically download the malware onto the targets’ computers and, according to the report, no AV solution was capable of detecting it at the time.
Once installed, the malware would search for documents containing specific words (NATO, CIA, Russia, USA, and others) and send them to remove servers. It would do the same with screenshots, video and audio recordings it made by activating the machine’s microphone and webcam.
It was also aimed at stealing certificates, scan the local network to identify other hosts on the same network, and allowed the attacker to execute arbitrary commands on the infected system.
The CERT unearthed a number of remote servers to which the information was sent, and blocked connections to them and cleaned the infected computers.
But the hacker was undeterred by this move, and he continued the attack using another approach: spear-phishing emails to individuals within those organization, seemingly coming from the administrator of the Georgian president’s official domain.
The emails contained a booby-trapped PDF file that would exploit system or software vulnerabilities – often 0-day flaws – as soon as it was opened, and set up the malware on the machine. Once again, the attacker managed to hide the real nature of the file from existing antivirus solutions.
The sheer complexity of the malware – the self-created packer that made the malware undetectable, the base-encoded plaintext update mechanism that allowed it to evade IPS/IDS solutions, and the ability to open a network socket at ring0 level and thusly evade firewalls – lead them to believe that the attackers are highly skilled individuals, and the goal and longevity of the attacks convinced them that behind it were state-sponsored hackers.
Further investigation into the C&C servers, communication mechanisms and the malicious files lead them repeatedly to assets belonging to the Russian Ministry of Defense and that of Internal Affairs, and the Russian Business Network – a group of hackers that were linked to the 2008 cyber attacks against Georgia.
Finally, they decided to set a trap. The created a ZIP file named “Georgian-Nato Agreement” containing the very malware they were targeted with, then planted it on one of their own infected laboratory PCs.
When the file was harvested and sent to the remote server, the attacker opened it and got his machine infected. The Georgian team proceeded to comb his computer for incriminating documents, and found some that linked him to other Russian and German hackers.
They also discovered emails containing instructions he had sent to someone about how to use the malware, and instructions about potential targets and infection methods from his own handler, as well as information that unearthed his home city, ISP, email address on Gmail, and more.
Finally, in the ten minutes that it took him to discover the compromise and shut the computer off, they even managed to capture him on video.
Given the motivation behind the attacks and the extremely strained relationship between the Russian Federation and Georgia, the hacker is unlikely to ever be arrested and face charges for his involvement in them.
Still, I can’t help feeling that making his face public brought at least some satisfaction to the investigating team.