UK, US and their allies blame Russia’s GRU for 2019 cyber-attacks on Georgia

Pierluigi Paganini February 20, 2020

The British and United States governments blame Russia for a destructive cyber attack that hit Georgia during 2019.

The governments of Britain and the US declared that Russia’s military intelligence service GRU is behind the massive cyber attack that hit Georgia during 2019.

In October 2019, a wave of cyber attacks hit 2,000 websites in Georgia, including the sites of the president, courts, and local media.

“The UK, Georgia and international partners have exposed the GRU’s – Russia’s military intelligence service – responsibility for a number of significant cyber-attacks against Georgia last year.” reads a press release published by the Foreign & Commonwealth Office, National Cyber Security Centre, and The Rt Hon Dominic Raab MP.

“The National Cyber Security Centre (NCSC) assesses with the highest level of probability that on 28 October 2019 the GRU carried out large-scale, disruptive cyber-attacks. These were against a range of Georgian web hosting providers and resulted in websites being defaced, including sites belonging to the Georgian Government, courts, non-government organisations (NGOs), media and businesses, and also interrupted the service of several national broadcasters.”


According to the statement, the cyber-attacks are part of Russia’s long-running campaign of destabilising activity against Georgia.

The government officials attribute the attack to the nation-state actor tracked as Sandworm, BlackEnergy, Telebots, and VoodooBear.

The group operated under the control of the GRU’s Main Centre of Special Technologies (aka ‘GTsST’ or field post number 74455).

That field post number 74455 is the same for the APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).

The APT28 group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

According to a report published by Symantec in October 2018, the group was actively conducting cyber espionage campaigns against government and military organizations in Europe and South America.

Starting in 2017 and continuing into 2018, the APT28 group returned to covert intelligence gathering operations in Europe and South America.

UK intelligence confirmed that the attacks also interrupted the transmissions of Georgian TV stations.

“The GRU’s reckless and brazen campaign of cyber-attacks against Georgia, a sovereign and independent nation, is totally unacceptable. The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law.” said the Foreign Secretary Dominic Raab.

“The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU’s menacing behaviour.”

The GRU unit involved in the attack was also considered responsible for the following cyber attacks:

  • BlackEnergy: December 2015 shut off part of Ukraine’s electricity grid, with 230,000 people losing power for between 1 to 6 hours
  • Industroyer: December 2016 shut off part of Ukraine’s electricity grid, also known as CrashOverride. It resulted in a fifth of Kyiv losing power for an hour. It is the first known malware designed specifically to disrupt electricity grids
  • NotPetya: June 2017 destructive cyber-attack targeting the Ukrainian financial, energy and government sectors and affecting other European and Russian businesses
  • BadRabbit: October 2017 ransomware encrypted hard drives and rendered IT inoperable. This caused disruption including to the Kyiv metro, Odessa airport, Russia’s central bank and 2 Russian media outlets

The UK Government considers Georgia a strategic partner and supports several projects in the country.

“This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions.” foreign secretary Michael Pompeo said.
