Irked by cyberspying, Georgia outs Russia-based hacker -- with photos

In an unprecedented move, Georgia reveals startling details of a hacker it says is stealing its confidential information

In one of the photos, the dark-haired, bearded hacker is peering into his computer's screen, perhaps puzzled at what's happening. Minutes later, he cuts his computer's connection, realizing he has been discovered.

In an unprecedented move, the country of Georgia -- irritated by persistent cyber-spying attacks -- has published two photos of a Russia-based hacker who, the Georgians allege, waged a persistent, months-long campaign that stole confidential information from Georgian government ministries, parliament, banks and NGOs.

The photos are contained in a report that alleges the intrusions originated from Russia, which launched a five-day military campaign in August 2008 against Georgia that was preceded by a wave cyberattacks.

The photos of the hacker were taken after investigators with the Georgian government's Computer Emergency Response Team ( managed to bait him into downloading what he thought was a file containing sensitive information. In fact, it contained its own secret spying program.

The hacker had been tricked and hacked, with his mugshot taken from his own webcam.

Georgia began investigating the cyber spying linked to the hacker in March 2011 after a file on a computer belonging to a government official was flagged as "suspicious" by a Russian antivirus program called Dr. Web.

The investigation uncovered a sophisticated operation that planted malicious software on numerous Georgian news websites, but only on pages with specific articles that would interest the kinds of people that the hacker wanted to target, said Giorgi Gurgenidze, a cyber security specialist with, which handles computer security incidents.

The news stories selected to attract victims had headlines such as "NATO delegation visit in Georgia" and "US-Georgian agreements and meetings," according to the report, jointly published with Georgia's Ministry of Justice and the LEPL Data Exchange Agency, which is part of the ministry.

CERT-Georgia won't say exactly who that first infected computer belonged to. But what followed is best described as an epic electronic battle between Georgia's good guys and a highly skilled hacker -- or likely team of hackers -- based in Russia.

The agency quickly discovered that 300 to 400 computers located in key government agencies were infected and transmitting sensitive documents to drop servers controlled by the hacker. The compromised computers formed a botnet nicknamed "Georbot."

The malicious software was programmed to search for specific keywords -- such as USA, Russia, NATO and CIA -- in Microsoft Word documents and PDFs, and was eventually modified to record audio and take screenshots. The documents were deleted within a few minutes from the drop servers, after the hacker had copied the files to his own PC.

Georgia blocked connections to the drop servers receiving the documents. The infected computers were then cleansed of the malware. But despite knowing his operation had been discovered, the hacker didn't stop. In fact, he stepped up his game.

In the next round, the hacker sent a series of emails to government officials that appeared to come from the president of Georgia, with the address "" Those emails contained a malicious PDF attachment, purportedly containing legal information, with an exploit that delivered malware.

Neither the exploit nor the malware were detected by security software.

The PDF attacks used the XDP file format, which is an XML data file that contains a Base64 encoded copy of a standard PDF file. The method at one time evaded all antivirus software and intrusion detection systems. It was only in June of this year that the U.K.'s Computer Emergency Response Team warned of it after its government agencies were targeted. Georgia saw such attacks more than a year prior to the warning.

That was one of the major clues that Georgia wasn't dealing with an average hacker, but one who may have been part of a team with solid knowledge of complex attacks, cryptography and intelligence.

"This guy had high-class skills," Gurgenidze said.

Throughout 2011, the attacks continued and became more sophisticated. Investigators found the hacker was connected with at least two other Russian hackers as well as a German one. He was also active on some cryptography forums. Those clues, along with some weak security practices, allowed investigators to get closer to him.

Then, an irresistible trap was set.

They allowed the hacker to infect one of their computers on purpose. On that computer, they placed a ZIP archive entitled "Georgian-Nato Agreement." He took the bait, which caused the investigators' own spying program to be installed.

From there, his webcam was turned on, which resulted in fairly clear photos of his face. But after five to 10 minutes, the connection was cut off, presumably because the hacker knew he had been hacked. But in those few minutes, his computer -- like the ones he targeted in the Georgian government -- was mined for documents.

One Microsoft Word document, written in Russian, contained instructions from the hacker's handler over which targets to infect and how. Other circumstantial evidence pointing to Russian involvement included the registration of a website that was used to send malicious emails. It was registered to an address next to the country's Federal Security Service, formerly known as the KGB, the report said.

"We have identified Russian security agencies, once again," it concludes.

Because of the strained relations between Russia and Georgia, it's unlikely the hacker -- whose name was not revealed -- would ever be prosecuted if he lives in Russia.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata breachlegalExploits / vulnerabilitiesIdentity fraud / theftdata protectionmalwarecybercrime

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place