Georgia cyberattack has hallmarks of nation-state attack

Article by Robert Scammell – Verdict

The Georgia cyberattack that took more than 2,000 websites and a national TV station offline has the hallmarks of a nation-state attack, according to cybersecurity experts.

Targets of the cyberattack, which took place yesterday, include government agencies, local newspapers, banks and TV stations.

More than 15,000 websites in the country are said to be affected, including court websites containing case materials. Critical infrastructure seems to be unaffected.

An image of former Georgian President Mikheil Saakashvili accompanied by the caption “I’ll be back” appeared on many website homepages caught up in the attack, the BBC reports. Saakashvili is wanted in Georgia to face criminal charges, which he says are politically motivated. He is currently in exile in Ukraine.

Attribution of cyberattacks is notoriously difficult, with the perpetrators of most incidents going unnamed – at least officially.

But the scope, scale and complexity of the Georgia cyberattack indicate another country is likely to be behind it.

Professor Alan Woodward, cybersecurity expert at Surrey University, tweeted that the Georgia cyberattack “took some serious resources to orchestrate and sent a very scary message”.

He told the BBC that “with the scale and the nature of the targets, it’s difficult not to conclude that this was a state-sponsored attack”.

“No point looking far from Moscow for a culprit”

Malcolm Taylor, head of cybersecurity at cyber consultancy firm ITC Secure, said we should be asking who stands to gain from the Georgia cyberattack.

“The victim of the attack may have been Mikheil Saakashvili himself; pro-western, pro-Odesa, exiled from Ukraine and certainly no friend of Moscow, he is now pictured globally in a faintly ridiculous pose riffing on the Terminator – not a good look for a politician,” the former British intelligence officer told Verdict.

“He also may get the actual blame; surely some Georgians will believe him responsible. He can’t gain from this. So yes, I think a state attack looks very likely – this looks like a political act. In 2008 Moscow admitted that individuals in Russia had undertaken cyberattacks against Georgia (fortuitously for Moscow just as the two countries went to actual war).”

He added: “Georgia has local significance only, in a geopolitical sense. We know the GRU and FSB have active cyber units. We know Russia doesn’t forget or forgive easily. I therefore see no point looking far from Moscow for a culprit.”

Jonathan Knudsen, senior security strategist at cybersecurity firm Synopsys, said: “The cyberattacks in Georgia demonstrate once again the shaky infrastructure upon which so much of our world is built. We use software to do business, to run government, and to communicate.

“Software is critical infrastructure, but the functionality we’ve assembled has far outpaced our ability to make it secure and resilient.

“Such a coordinated, widespread attack almost certainly is the work of another nation state, and is likely intended to promote the attacker’s geopolitical agenda.”

Georgia cyberattack: The common thread

Georgia’s Ministry of Internal Affairs has launched an investigation into the cyberattack.

The common thread for the affected websites appears to be that they were hosted on web hosting provider ProService, ZDNet reports.

Forbes reports that ProService posted the following message on its homepage, which has since been taken down:

“As of October 28, 8:00 pm, more than 50% of web pages hosted by company-owned servers have been restored. The company is actively working to eliminate the problem. The process will continue all night long and web pages will be restored by the end of tomorrow. ProService expresses its deepest condolences to the owners of all its dedicated web servers and thanks everyone for their support and assistance during these difficult times.”