Counterattack! Suspected hacker caught on HIS WEBCAM, while spying on Georgia

Graham Cluley (@gcluley)

The country of Georgia has long blamed hackers based in Russia for attacks upon its computer networks, injecting malicious code into websites, and planting spyware to steal classified information.

Now the Georgian government’s CERT (Computer Emergency Response Team) claims it has linked an internet attack to Russia’s security services, and even turned the tables on a hacker it believes was involved by secretly taking over his computer and taking video footage of him.

In a 27-page report [PDF], the Georgian government explains how, in early 2011, Georgian news websites were hacked in order to exploit vulnerabilities and spread malware that hijacked infected computers and searched them for sensitive documents.

In addition to stealing Word documents, the malware could take screenshots and was later enhanced to spread via networks and eavesdrop on conversations via infected PCs’ webcams.


According to the CERT-Georgia report, an analysis of the attack’s command-and-control center revealed that at least 390 computers were infected in the attack. 70% of compromised PCs were based in Georgia, with other victims found in the USA, Canada, Ukraine, France, China, Germany and Russia.

Computers hit in Georgia were predominantly based in government agencies, banks and critical infrastructure, the report claims.

Georgian officials lay a trap

Georgia’s CERT deliberately infected one of its own PCs with the malware, and planted a ZIP file named “Georgian-Nato Agreement” on its drive, hoping it would prove irresistible for the hacker.

Sure enough, the hacker stole the archive file and ran the malware that Georgia CERT had planted inside it, meaning that investigators now had control over the hacker’s own computer.

This made it relatively child’s play to capture images of the suspect at work in front of his PC.

Photos of suspected hacker

I bet he’s regretting not covering up his webcam now.

Aside from capturing video footage of the alleged hacker, the CERT researchers claim that they also found a Russian email conversation on the suspect’s computer in which he gives instructions on how to use his malware and infect targets. Furthermore, the suspected hacker’s city, ISP, email address and other information were also acquired.

Curiously, a domain used by the attackers was registered to an address in Moscow belonging to the Russian Ministry of Internal Affairs, department of logistics, which just happens to be based close to the Russian Secret Service (FSB).

Address in Moscow

Furthermore, according to CERT-Georgia, websites used to control the infected Georgian computers have links with RBN, the notorious Russian Business Network.

Will this hacker ever be brought to justice?

Even though it appears that the Georgian authorities have gathered a lot of information about a man they strongly suspect of involvement in the attacks, it wouldn’t be a surprise if the authorities in Moscow turn a blind eye.

Relations between Georgia and Russia are strained at the best of times, but if this man really does have connections with the Russian secret service, it’s hard to imagine that action will be taken by the Moscow authorities against him.

You can download the full report from the Georgian investigators here [PDF].


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
