Cyber-espionage botnet tied to country of Georgia website remains a mystery

A security firm in Slovakia is asserting that a website operated by the country of Georgia has been used as part of a botnet to conduct cyber-espionage against that country’s residents.

But does that mean Georgia is conducting the cyber-espionage, or that its website run by the Georgia government is compromised by enemies of the country? Because the botnet’s command-and-control operations lack some elements of stealth that might be expected, the Slovakian security firm that spotted it — ESET — reports it may simply be “a group of cyber criminals trying to find sensitive information in order to sell it to other organizations.”

MORE SECURITY NEWS: Most fraud against business from bad checks, not electronic payments

Win32/Georbot has a command-and-control structure that has exploited the website of the Georgian government for some time to drive some controls, says ESET researcher Righard Zwienenberg. When ESET detected evidence of Georbot as malware in January, it contacted the Georgian CERT. As it turns out, the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and have been monitoring Georbot, now in cooperation with ESET.

Georbot is primarily a cyber-espionage botnet that has infected only about 200 computers that appear to be mainly in the country of Georgia, though about 30% of them are in the U.S., Germany and Russia. It’s not clear who these individuals are, Zwienenberg says, but Georbot is “looking on their hard drives for documents,” and can also capture audio and video when the computer’s webcam and microphone are in use.

Georbot is also remotely controlled to steal documents and certificates, and look for certain words in documents, among them “ministry,” “service,” “secret,” “top,” “agent,” “army,” “USA,” “Russia,” “Georgia,” “major,” “Colonel,” “FBI,” “CIA,” “phone number,” “east,” “program,” “KGB,” “FSB” and other political and personal information.

Based on ESET’s analysis, Georbot does have features to hide itself. But it’s not especially sophisticated since it has left some information unencrypted, lending doubt to whether a capable government spy operation from any country would be operating this. ESET got a look at the control panel for it to analyze what it was doing.

“The most likely hypothesis is that Win32/Georbot was created by a group of criminals trying to find sensitive information in order to sell it to other organizations,” ESET’s report on this concludes. “They might be operating from Georgia or any country nearby and have been ‘lucky’ enough to gain control of a government website and are now using it as part of their operation.”

The development of the Georbot malware seems to be ongoing, with fresh variants discovered as recently as March 19, says ESET.

Zwienenberg acknowledges he doesn’t know why the government of Georgia has allowed it to operate so long, and says there’s only so much the Georgian CERT or anyone else that ESET has contacted in Georgia will say about it. “It’s possible someone from the Georgian government was running it,” he says, adding that is pure speculation on his part. But Georbot has so far shown to be very targeted against a fairly small number of individuals associated with the country of Georgia.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World’s Wide Area Network section.