Allies Say GRU Hackers Crippled and Defaced Thousands of Websites
The home pages of some websites targeted in Georgia were defaced with this photo of self-exiled former President Mikheil Saakashvili. (Photo: Pirveli TV)
U.S. and U.K. officials are blaming the Russian military for launching an October 2019 cyberattack on the country of Georgia that crippled at least 2,000 government, news media and court websites over the course of one day.
Meanwhile, a few hours after the U.S. and U.K. released their statements about Georgia on Thursday, the New York Times reported that U.S. intelligence officials had recently warned U.S. lawmakers that Russia has already taken steps to interfere in the U.S. presidential election.
Russian Military Involvement
In a statement, U.K. Foreign Secretary Dominic Raab noted that the U.K.’s National Cyber Security Centre, which is part of the intelligence agency GCHQ and runs the nation’s incident-response team, had determined with the “highest level of probability” that Russia’s military carried out the attack in Georgia.
U.S. Secretary of State Michael Pompeo issued a similar statement, saying that Russia’s military intelligence division – General Staff Main Intelligence Directorate or GRU – was behind the attack.
“This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries,” Pompeo says. “These operations aim to sow division, create insecurity and undermine democratic institutions.”
Today’s joint U.S.-British attribution release on GRU operations in Georgia in Oct 2019 is big news. The primary sources are noteworthy.
The UK statement is more detailed and more interesting.
— Thomas Rid (@RidT) February 20, 2020
Russia’s Foreign Ministry denied the allegations, according to Reuters.
The cyberattack that hit Georgia last October mainly targeted web hosting providers within the country, including the firm Pro-Service, which hosts many government-affiliated websites, according to news reports.
In addition to knocking out service to thousands of websites, several sites were defaced with a photo of self-exiled former President Mikheil Saakashvili in front of a Georgian flag and the phrase “I’ll be back,” according to news reports.
“The GRU’s reckless and brazen campaign of cyberattacks against Georgia, a sovereign and independent nation, is totally unacceptable,” Raab says.
Several security experts noted that the size and scope of the Georgia incident were unprecedented. “The scale of this attack is something we haven’t seen before,” Alan Woodward, a professor of computer science at the University of Surrey, told the BBC.
Pinpointing the Attacker
In its statement, the U.S. State Department pinned the attack on a specific division within the GRU, Unit 74455, also known as Sandworm. When the U.S. Justice Department indicted 12 Russian intelligence officers for attempting to interfere in the 2016 U.S. presidential election, court papers noted that several of the hackers and their commanding officers came from Unit 74455 and another division called Unit 26165 (see: 10 Takeaways: Russian Election Interference Indictment).
Another group – referred to as APT28 or Fancy Bear – that’s believed to be affiliated with Russia’s GRU has been blamed for a variety of hacking attacks against European nations over the years (see: Dutch and British Governments Slam Russia for Cyberattacks).
The 2019 cyberattack against Georgia is the first since 2017 to be traced to a specific unit within Russia’s GRU, according to the U.K. National Cyber Security Centre.
Some of the other cyberattacks attributed to the GRU, according to U.K. intelligence, are:
- The so-called BadRabbit ransomware attack of October 2017, which hit the Kiev metro rail in Ukraine, the Odessa airport in Ukraine, the Russian central bank and two Russian media outlets;
- The NotPetya ransomware attacks of June 2017 that targeted Ukrainian financial, energy and government organizations and affected other European and Russian businesses as well;
- The Industroyer attack in December 2016, which shut off part of Ukraine’s electricity grid and caused an hour-long power outage;
- The BlackEnergy attack of December 2015, which shut off parts of Ukraine’s electrical systems for up to six hours.
The action by the U.S. and U.K. to call attention to Russia’s involvement in the cyberattack in Georgia isn’t likely to dissuade Russia from attempting other attacks, says Tom Kellermann, the head security strategist at VMware who formerly served as a White House cybersecurity adviser.
“The public pronouncements will not dissuade them,” Kellermann tells Information Security Media Group. “They have operationalized the Gerasimov Doctrine and will continue to use cyber to undermine Western institutions and democracy at large.”
Russia and Georgia have been at odds with each other since at least 2008, when the two countries fought a brief war over the breakaway regions of South Ossetia and Abkhazia. Georgia is a U.S. ally, and since 2011 it has aspired to join NATO.
The cyberattack likely used the image of former President Saakashvili because he founded Georgia’s United National Movement, which espouses close ties with NATO and the European Union and has advocated for South Ossetia and Abkhazia to remain part of the country. Saakashvili served as Georgia’s president for two consecutive terms, from January 2004 to November 2013.
In 2012, the United National Movement suffered a massive defeat at the polls to the Georgian Dream party. Since 2013, Saakashvili has mainly lived in self-imposed exile in Ukraine.
Georgian Dream remains Georgia’s ruling party, although its popularity has fallen in recent months as some of its members have advocated for closer ties to Russia.