Georgia Counterhacks Russian Hacker with His Own Malware! Takes Pictures of Him

As the Russia-Georgia War showed us in 2008, there is no love lost between Russia, and Georgia who declared independence from them in 1991. This was actually the second time that Georgia declared independence from Russia. They broke away from Russia in 1918 during the Russian Civil War, only to be attacked by the Red Army and re-absorbed in 1921 during the Soviet-Georgian war.

Georgia claims that Russia is still attacking them, but now in the cyber realm, and they offer as proof, video snapshots of an alleged Russian hacker that was caught in a counter-hack sting!

Since the Russia-Georgia war in 2008, Georgia has claimed that Russian hackers were infiltrating their computer systems.

The Georgian Computer Emergency Response Team (CERT) has released a 27 page document(Pdf) explaining a Russian Botnet that was detected.

The report also includes a counter-hacking operation that netted a hacker that they claim has ties to the Russian government!

Once infected, according to the report, Russian malware used key word searches for sensitive words inside documents on Georgian machines.

The malware ran from a control panel and uploaded stolen information to command and control servers. The malware was also able to steal certificates, and configuration files, execute remote commands, scan for other targets on the network and most importantly in this case –  record audio and video.


The attacks focused on Georgian government sites, critical infrastructure, banks and other non-government organizations. The attacker was able to record live video, and update and modify the malware code from the Command & Control panel.

The Georgian CERT team began dissecting and analyzing the malicious attack. When backtracked, one of the domains used in the attack was owned by the Russian Ministry of Internal Affairs, Department of Logistics, which is located right next to the Russian FSB.

Going a step further, they infected one of their own machines with the Botnet and put a tempting file on the computer named “Georgian-Nato Agreement”. This file, according to the report, was infected with the SAME MALWARE that the botnet was using, except this time it connected to Georgian controlled systems!

Unbelievably a suspected Russian hacker fell for it, stealing the file and becoming infected with their own malware. They not only got screenshots of the hacker through his own webcam, but also were able to recover his e-mails, location and even watched him create new modules for the Botnet!

Of course I am sure Russia will deny the allegations, and I doubt the hacker will be arrested, especially if he has ties with the Russian government. But Georgia has some pretty convincing proof.

Move over Stuxnet, Say Hello to the new Cyberweapon: “Flame”

(Screenshot of Iran CERT warning for “Flame” Malware)

Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembled Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with it’s “advanced features and complexity”.

But looking at the malware’s features disclosed by Iran’s CERT team, it doesn’t seem very game stopping:

  • Distribution via removable medias
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating series of user’s screen captures when some specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti malware and other security software
  • Capable of infecting Windows Xp, Vista and 7 operating systems
  • Infecting large scale local networks

All of these “threats” have been seen before. I especially liked the “bypassing tens of known anti-viruses…” line.

But there are several features that do set “Flame” apart from the pack. First of all the malware is very large, a whopping 20MB. Also, it contains several files and seems to be able to attack using swappable modules. But there is more.

According to an article on The Register, Flame has the following features:

  • It has been active for at least 2 years, but possibly 5-8 years
  • Contains exploits for known and fixed vulnerabilities
  • Uses open source libraries
  • Uses a SQLlite database
  • Uses some Scripts written in Lua (of Angry Birds fame)

All the big name security companies that have analyzed it seem to agree that with it’s complexity, it was most likely written by a Nation State and not individuals or small groups.

The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.

As according to Symantec:

Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”

I am not sure of it’s “CyberWeapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.