By Khatuna Mshvidobadze, Senior Fellow at Rondeli Foundation, Professorial Lecturer at The George Washington University and Adjunct Professor of Cybersecurity at Utica College, NY.
Once again, the country of Georgia has been the target of extensive cyber-attacks. And once again, cyber security advocates are asking why the country’s defenses remain so tenuous. On October 28, thousands of Georgian websites—government, the court system, media, NGOs and academia—were defaced. Replacing their landing pages was electronic graffiti featuring images of former President Mikheil Saakashvili with the words “I’ll be back!” glimmering across the screens of thousands of surprised users.
Anti-corruption fighter Saakashvili was President of Georgia from 2004 to 2013. He introduced sweeping reforms and set Georgia on a path toward membership in the European Union and the North Atlantic Treaty Organization (NATO). It was this western orientation that prompted Russia to invade Georgia in 2008, in the first-ever combined kinetic and cyber war. Saakashvili is no stranger to anti-Georgian hackers. He is, for now, unable to return to Georgia due to the current government’s dubious allegations of corruption.
As the extent of the most recent cyber-assault was revealed, the Ministry of Internal Affairs released a statement. “At this time, access to most websites has been restored. The rest will also be fully operational in the nearest future…the cyberattack style on each website was identical. The investigation is underway,” the Ministry said (In Georgian). No further details on the compromised systems were disclosed.
But, not for the first time, doubts linger about the promptness of the government’s investigation. In 2018, TBC Bank, a leading bank in Georgia, experienced massive cyberattacks. At the time, Mamuka Khazaradze, co-founder of the bank, stated (In Georgian) that the “TBC IT team was able to reveal from where the attack originated, and information was provided to the Ministry of Internal Affairs.” Nonetheless, the case has not yet been investigated.
Most of the websites affected by the current wave of attacks are hosted by Georgian local web-hosting providers Pro-Service and Serv.ge. The attacks were successful due to poor security measures, according to the Georgian cybersecurity community. Vulnerabilities in the applications, databases, operating systems or networks invite attack.
“Yes, the attack was massive but unsophisticated. It appears that a malware component was not utilized,” Andro Gotsiridze, former Chief of the Cyber Security Bureau, told the author in a telephone conversation. He continued, “What happened this week might well be an intelligence-by-attack strategy,” testing the vulnerabilities, defenses and resilience of the country. “We had better be prepared. This attack may well be implemented by a hostile country.” In the Georgian context, that could only mean Russia.
In a simple web defacement, the perpetrator exploits a vulnerability to compromise the targeted server and modify web pages. The appearance of the pages, typically the landing or index page, is thus changed to display the perpetrator’s graffiti. Once a backup of the index page file is restored, the site looks normal again.
Nonetheless, even a simple defacement can cause a loss of traffic and significant damage to a business. Moreover, in some cases, defacement is only the beginning. Later, it may be revealed that the perpetrators inserted malicious code that allows them to sustain control over the entire server.
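A defacement that restores on backup but leaves a dropped file behind is exactly what a file-integrity baseline of the web root catches. The following is an added example (not code from the article or from any hosting provider mentioned): it hashes every file under a web root, then reports modified, added and removed files against a known-good baseline. The directory, page content and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify changes since the baseline: modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)     # dropped files
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: a clean web root is baselined, then the landing
    page is replaced and an extra server-side file appears beside it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Ministry home page</h1>\n")
        os.mkdir(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "site.css"), "w") as fh:
            fh.write("body { color: black; }\n")
        baseline = hash_tree(root)   # would be stored off-host in practice

        # Simulated incident: index page defaced, unexpected file dropped in.
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>I'll be back!</h1>\n")
        with open(os.path.join(root, "extra.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder, not a real script */ ?>\n")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())   # (['index.html'], ['extra.php'], [])
```

Restoring `index.html` from backup would clear the first list; the second list is the reason restoration alone is not a full recovery.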
Of course, we do not know to what level each affected system was penetrated. However, the magnitude, breadth and coordination of these attacks are a reminder of Georgia’s still limited ability to deal with cyber-attacks.
This is not the first time that Georgia has experienced website defacement. One of the many methods used in 2008 was defacement carried out through SQL injection, a type of attack that gives an attacker control over the web application’s database by inserting arbitrary SQL code into a database query. In such attacks, hackers can extract, alter or even destroy data in the system. This time, however, some Georgian cybersecurity experts argue that SQL injection techniques were not used.
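The root cause of SQL injection is query text assembled from user input. The following added example (not code from the article) puts the vulnerable pattern next to its parameterized fix on an in-memory SQLite table with constructed rows: the same crafted input makes the unsafe query return every row while the safe query correctly finds nothing.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's page index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [("home", "Ministry home page"), ("news", "Press releases")])
    return conn


def lookup_unsafe(conn, slug):
    """Vulnerable: the user-controlled slug is pasted into the SQL text, so a
    quote character in it changes the structure of the query itself."""
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "' ORDER BY slug"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """Fixed: the slug is bound as a parameter and is only ever compared as
    data, whatever characters it contains."""
    sql = "SELECT slug FROM pages WHERE slug = ? ORDER BY slug"
    return [row[0] for row in conn.execute(sql, (slug,))]


def demo():
    conn = make_db()
    normal = "home"
    crafted = "x' OR '1'='1"   # constructed input carrying an embedded quote
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),    # ['home']
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # ['home', 'news']: all rows leak
        "safe_normal": lookup_safe(conn, normal),        # ['home']
        "safe_crafted": lookup_safe(conn, crafted),      # []: no such slug exists
    }
```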
This is what Mr. Gotsiridze meant when he called the attacks unsophisticated. According to Trend Micro, most defacements are conducted without malware insertion. Only 15% of web defacements included a malware component in recent years.
Since 2008, 20% of Georgian territory has been occupied by Russia. In every aspect except sustained gunfire, the war continues, not least in the cyber arena. Georgia has been under continuous cyberattack from its northern neighbor. A frequent perpetrator is the Russian advanced persistent threat (APT) group known as Fancy Bear or APT28, which is associated with the GRU, Russian military intelligence. According to a report from the respected cybersecurity company FireEye, this group attacked websites of the Georgian Ministry of Internal Affairs and Ministry of Defense. Those attacks were advanced, persistent and complex: the hackers penetrated networks via spear-phishing and carried out long-running cyber espionage campaigns. Fancy Bear has also committed cyberattacks against western countries that furthered Russian government interests, and was a major player in the penetrations of the American Democratic Party during the 2016 elections.
This time, however, the attacks were massive but unsophisticated. It is not Fancy Bear’s signature, but that does not rule out another state or state-sponsored actor.
“It may be a deliberate attack by a state actor,” says Georgian cybersecurity expert Anzor Mekhrishvili (in Georgian). “It may also be revenge by friends of Russian hacker Yaroslav Sumbaev” who was extradited by Georgia to Russia on October 24. Sumbaev was wanted by Russian law enforcement authorities for cybercrime charges and alleged involvement in the murder case of a Moscow economic crime investigator. Frankly, given the magnitude and the organization of the most recent attacks, the friends of Sumbaev hypothesis seems unlikely.
Do we know who perpetrated this attack? We cannot be sure, but based on Georgia’s previous experiences, can one come up with a plausible hypothesis? Was it a state actor conducting intelligence-by-attack, as Mr. Gotsiridze suggests, or was it a false flag operation? This is yet to be determined. What is crystal clear, however, is that the country’s cyber capabilities must be addressed more seriously. Vigilance must become a call to action. It should come as no surprise that geopolitical conflict also plays out in the cyber realm. Georgia must improve its cyber defense and resilience.
The opinions and conclusions expressed are those of the author and do not necessarily reflect the views of the Georgian Foundation for Strategic and International Studies.