The man is believed to be responsible for the Georbot botnet

Oct 31, 2012 09:37 GMT

In March 2011, CERT-Georgia launched an investigation on a series of cyberattacks that leveraged information-stealing pieces of malware to gain access to classified documents from various organizations, including ministries, the parliament, critical infrastructure, banks and NGOs.

In order to infect computers, the attacker utilized two clever strategies. According to the report issued by CERT-Georgia, one of them was to compromise various news websites and alter them to serve malware.

However, only specific pages were hijacked, in particular ones that would be visited by individuals such as government officials. For instance, pages that mentioned NATO or agreements between Georgia and the US were set up to push the malicious software.

Another technique to infect computers was to send government officials emails that purported to come from the Georgian president himself, ITWorld’s Jeremy Kirk reveals.

The malware was designed to search for specific file formats that might have contained sensitive information and upload them to a remote command and control server.

In the end, the Georbot botnet infected 390 computers, 70% of which were located in Georgia, 5% in the US, 4% in Canada and 3% each in Germany and Russia.

To mitigate the threat, Georgian authorities blocked the command and control servers, helped affected organizations clean up their devices, and collaborated with various security companies and law enforcement agencies.

In order to identify the perpetrator, CERT-Georgia planted a cleverly designed zip file called “Georgian-Nato Agreement” on one of the servers they knew the hacker would target.

They placed a piece of malware of their own inside the archive, which helped them not only obtain information about the attacker's location and identity, but also make a video of the man while he was working on his computer.

After snooping around on his computer, investigators found instructions on how to utilize malicious software and how to infect targets. They were also able to link him to other cybercriminals from Russia and Germany, and even to Russian security agencies.

However, considering the country’s relations with Russia, it’s unlikely that anything can be done about it.