The Ministry of Justice of Georgia was fed up.
Continual, persistent cyberattacks that stole confidential information from various government agencies, parliament, banks and NGOs had carried on for months. The activity warranted a response, and so in March 2011, Georgia launched an investigation to find the perpetrators.
IT World reports that after investigators tricked the lurking hacker into downloading what he thought was sensitive information, the tables were turned, and his mugshot was taken through his own webcam.
The publication recounts how investigators from the Georgian government's Computer Emergency Response Team (Cert.gov.ge) baited the alleged Russian hacker, took his photo, and then published several images in the government's cybersecurity report (.pdf).
The cyberattacks planted malicious software on a number of Georgian websites -- but in a sophisticated move, the software only installed on pages that "would interest the kinds of people that the hacker wanted to target," according to government security specialist Giorgi Gurgenidze.
These targets included headlines recounting U.S.-Georgia relations and NATO.
After discovering several infections, the agency found that up to 400 computers in government agencies were being exploited by the malware. The infected machines formed a botnet called "Georbot", which uploaded sensitive documents to drop servers controlled by the hacking parties. Once the files had been transferred from the drop servers to a PC, they were wiped to make tracking more difficult.
In addition, the hacker was able to spoof a government email address and send messages carrying a malicious PDF attachment that delivered malware.
After the attacks increased in severity over the course of 2011, Georgia laid its bait by allowing a computer to be infected on purpose. Investigators placed a ZIP archive named "Georgian-Nato Agreement" on that machine; once the hacker opened it, the investigators' own malware was installed on his computer.
While the alleged hacker was being photographed, his computer was rapidly mined for sensitive documents. One Word document contained instructions on whom to hack and how, as well as website registration data linked to an address within Russia.
The report concludes that "we have identified Russian security agencies, once again," but considering the volatile political relationship between Russia and Georgia, it is unlikely any prosecution would ever take place.
(via IT World)
Image credit: Cert.gov.ge