Cyber-espionage botnet tied to country of Georgia website remains a mystery
- 23 March, 2012 02:27
A security firm in Slovakia is asserting that a website operated by the country of Georgia has been used as part of a botnet to conduct cyber-espionage against that country's residents.
But does that mean Georgia is conducting the cyber-espionage, or that its website run by the Georgia government is compromised by enemies of the country? Because the botnet's command-and-control operations lack some elements of stealth that might be expected, the Slovakian security firm that spotted it -- ESET -- reports it may simply be "a group of cyber criminals trying to find sensitive information in order to sell it to other organizations."
MORE SECURITY NEWS: Most fraud against business from bad checks, not electronic payments
Win32/Georbot has a command-and-control structure that has exploited the website of the Georgian government for some time to drive some controls, says ESET researcher Righard Zwienenberg. When ESET detected evidence of Georbot as malware in January, it contacted the Georgian CERT. As it turns out, the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and have been monitoring Georbot, now in cooperation with ESET.
Georbot is primarily a cyber-espionage botnet that has infected only about 200 computers that appear to be mainly in the country of Georgia, though about 30% of them are in the U.S., Germany and Russia. It's not clear who these individuals are, Zwienenberg says, but Georbot is "looking on their hard drives for documents," and can also capture audio and video when the computer's webcam and microphone are in use.
Georbot is also remotely controlled to steal documents and certificates, and look for certain words in documents, among them "ministry," "service," "secret," "top," "agent," "army," "USA," "Russia," "Georgia," "major," "Colonel," "FBI," "CIA," "phone number," "east," "program," "KGB," "FSB" and other political and personal information.
Based on ESET's analysis, Georbot does have features to hide itself. But it's not especially sophisticated since it has left some information unencrypted, lending doubt to whether a capable government spy operation from any country would be operating this. ESET got a look at the control panel for it to analyze what it was doing.
"The most likely hypothesis is that Win32/Georbot was created by a group of criminals trying to find sensitive information in order to sell it to other organizations," ESET's report on this concludes. "They might be operating from Georgia or any country nearby and have been 'lucky' enough to gain control of a government website and are now using it as part of their operation."
The development of the Georbot malware seems to be ongoing, with fresh variants discovered as recently as March 19, says ESET.
Zwienenberg acknowledges he doesn't know why the government of Georgia has allowed it to operate so long, and says there's only so much the Georgian CERT or anyone else that ESET has contacted in Georgia will say about it. "It's possible someone from the Georgian government was running it," he says, adding that is pure speculation on his part. But Georbot has so far shown to be very targeted against a fairly small number of individuals associated with the country of Georgia.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
Read more about wide area network in Network World's Wide Area Network section.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Queensland government to provide 200 services online by 2015
Call Centers Suffer From Big Data Overload
CIO 100: Carsales wins top gong for innovation
How to secure passwords and other critical numbers
Australian National University streamlines IT
Virtual Server Backup Software Buyer’s Guide
Virtualization affords organizations multiple opportunities to reduce power, optimize hardware utilization, improve application availability and ultimately drive down costs. In light of its benefits, it is no surprise that virtualization penetration has surpassed 50% of all server workloads and continues to grow. In this guide, we evaluate prominent virtual server backup software solutions and identify their strengths and weaknesses.
Best Practice in BYOD
The key trend affecting enterprise mobility today can be summarized in four letters: BYOD – Bring Your Own Device. As the number of end-users bringing devices into your organization grows, so does the need for an effective Enterprise Mobility Management (EMM) solution. Learn how to manage devices across multiple platforms all from a single, centralised and unified management console. Download for more!
Power of Three: Building Mobile Initiatives Guided by Business Goals, Technology and Governance
The use of powerful mobile devices has become so widespread, industry leaders in almost every sector have embraced mobility solutions as central elements of their IT and business operations. As mobile budgets grow, so does the influence of business units on mobility strategy. However, without a comprehensive strategy that encompass business goals, policies and processes, then initiatives into mobility will struggle to deliver the expected benefits. Click to download!