Subscribe to CIO Magazine »

Cyber-espionage botnet tied to country of Georgia website remains a mystery

A security firm in Slovakia is asserting that a website operated by the country of Georgia has been used as part of a botnet to conduct cyber-espionage against that country's residents.

But does that mean Georgia is conducting the cyber-espionage, or that its website run by the Georgia government is compromised by enemies of the country? Because the botnet's command-and-control operations lack some elements of stealth that might be expected, the Slovakian security firm that spotted it -- ESET -- reports it may simply be "a group of cyber criminals trying to find sensitive information in order to sell it to other organizations."

MORE SECURITY NEWS: Most fraud against business from bad checks, not electronic payments

Win32/Georbot has a command-and-control structure that has exploited the website of the Georgian government for some time to drive some controls, says ESET researcher Righard Zwienenberg. When ESET detected evidence of Georbot as malware in January, it contacted the Georgian CERT. As it turns out, the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and have been monitoring Georbot, now in cooperation with ESET.

Georbot is primarily a cyber-espionage botnet that has infected only about 200 computers that appear to be mainly in the country of Georgia, though about 30% of them are in the U.S., Germany and Russia. It's not clear who these individuals are, Zwienenberg says, but Georbot is "looking on their hard drives for documents," and can also capture audio and video when the computer's webcam and microphone are in use.

Georbot is also remotely controlled to steal documents and certificates, and look for certain words in documents, among them "ministry," "service," "secret," "top," "agent," "army," "USA," "Russia," "Georgia," "major," "Colonel," "FBI," "CIA," "phone number," "east," "program," "KGB," "FSB" and other political and personal information.

Based on ESET's analysis, Georbot does have features to hide itself. But it's not especially sophisticated since it has left some information unencrypted, lending doubt to whether a capable government spy operation from any country would be operating this. ESET got a look at the control panel for it to analyze what it was doing.

"The most likely hypothesis is that Win32/Georbot was created by a group of criminals trying to find sensitive information in order to sell it to other organizations," ESET's report on this concludes. "They might be operating from Georgia or any country nearby and have been 'lucky' enough to gain control of a government website and are now using it as part of their operation."

The development of the Georbot malware seems to be ongoing, with fresh variants discovered as recently as March 19, says ESET.

Zwienenberg acknowledges he doesn't know why the government of Georgia has allowed it to operate so long, and says there's only so much the Georgian CERT or anyone else that ESET has contacted in Georgia will say about it. "It's possible someone from the Georgian government was running it," he says, adding that is pure speculation on his part. But Georbot has so far shown to be very targeted against a fairly small number of individuals associated with the country of Georgia.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: CERT, FBI, IDG, LAN
References show all
Comments are now closed.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
  • The Future of IT: From Chaos to Service Automation
    Technology has become the heart and soul of every business, but IT workload and system complexity become more challenging. This whitepaper details the future of IT, the major challenges facing CIOs, and the three ways to transform IT so CIOs can lead the way.
    Learn more »
  • Migrating from BlackBerry? See Our Trusted Method.
    Are your business leaders demanding a migration plan from BlackBerry? Let the mobile experts at Good help you migrate without migraines. Our Professional Services team has deep experience supporting Fortune 500 organizations through the transition; read this sample planning chart and see our trusted method.
    Learn more »
  • All Flash and Databases - Storage Switzerland
    This webcast explores how All-Flash enterprise storage compares to traditional disk-centric arrays. Learn how to best leverage Flash so databases thrive and limitations of I/O disappear, while exploring the pitfalls and peculiarities of Flash, and how to optimise its performance as a storage solution to ensure reliance, predictability and cost savings for a variety of enterprise workloads.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Salary Calculator

Supplied by

View the full Peoplebank ICT Salary & Employment Index

Recent comments