The US Blames Russia’s GRU for Sweeping Cyberattacks in Georgia
Credit to Author: Andy Greenberg | Date: Thu, 20 Feb 2020 13:10:00 +0000
By calling out Russia for digital assaults on its neighboring country, the US hopes to head off similar efforts at home.
For more than a decade, Russian hackers have tormented the country's neighbors, bombarding Estonian websites with junk traffic and even triggering blackouts in Ukraine. As long as Russia has kept those relentless, disruptive cyberattacks within its own region, the West has mostly turned a blind eye. But as the US seeks to head off any digital meddling in its own upcoming election, the State Department is trying something different: Calling out Russia for a broad-scale act of digital sabotage that hit the country of Georgia last fall.
State Department officials today issued a statement blaming the Russian military intelligence agency known as the GRU for cyberattacks that hit Georgia in October. The onslaught took down or defaced thousands of websites, and even disrupted the broadcasts of two television stations. Specifically, administration officials tell WIRED that US and allied intelligence agencies have attributed the assault to the GRU's Main Center for Special Technology, or GTsST, which the State Department also explicitly linked for the first time in its statement to the notorious Russian hacker group known as Sandworm. The US had previously tied that same group to the destructive NotPetya worm that spread from Ukraine in 2017, causing $10 billion in damage, and the Olympic Destroyer malware that sabotaged the 2018 Winter Olympics in Pyeongchang. The statement will echo findings released by Georgia's own security services today, and US officials say they expect confirmations from multiple other governments to follow.
"It's important to draw a line in the sand and say, no, this is not OK. It's not OK in the West, and it's not OK in the near abroad," said a senior administration official who spoke to WIRED under condition of anonymity because he wasn't authorized to speak on the record. That phrase, "near abroad," is an English translation of a term commonly used by Russians to refer to post-Soviet states on its borders. "This just continues the pattern of fairly reckless GRU cyberoperations that, from our understanding, are intended to sow division, create insecurity, and undermine democratic institutions. Failing to call out such activity when it's observed and attributed risks creating a norm of inaction, a systemic risk of not acknowledging to the world that these types of behaviors are unacceptable."
The cyberattack that hit Georgia on October 28 appears to have focused largely on the hosting providers Pro-Service and Serv.ge. Pro-Service wrote in a statement following the attack that 15,000 customers were affected. "One of the largest cyberattacks on the cyberspace of Georgia [began] at dawn," the company posted on its website on the day the hack took place.
"It hit everybody: critical media, government authorities, private websites," says Nana Aburdjanidze, executive director of the Georgian news channel TV Pirveli. "It was massive."
On many of the affected websites, the hackers used their access to Pro-Service's systems to post an image of former Georgian president Mikheil Saakashvili—who was indicted in absentia on charges of corruption after leaving the country in 2013—along with the words "I'll be back" written across a Georgian flag. "We couldn’t take it down or do anything," says Aburdjanidze. "It was crazy and annoying. It wasn't a pleasant feeling, for sure."
In what appears to have been a separate attack on the same day, the hackers also disrupted the broadcasts of two television channels, Imedi and Maestro. "The network is paralyzed, we can't get any signal, we can't go on air, we can't use our editing computers," wrote Irakli Chikhladze, Imedi's head of news, in a Georgian-language Facebook post that day. "Working to get back on the air soon!"
Georgia has a long history of conflict with Russia, both physical and digital. In 2008, Russia invaded the country with the supposed intention of protecting Russian-speaking minorities, seizing around 20 percent of Georgia's territory, which it still controls. That physical incursion was accompanied by a wave of relatively crude cyberattacks that defaced and took down Georgian websites, the first clear example in history of a "hybrid" war involving physical and digital attacks in combination. (While the Russian government was never proven to be behind those cyberattacks, one website that helped to coordinate them, StopGeorgia.ru, was hosted at an IP address that belonged to a company headquartered next to a GRU-connected military research institute.)
It's not clear, though, what the GRU might have intended to accomplish with its more recent web defacements and TV broadcast disruptions, aside from simply creating chaos. Former president Saakashvili was no favorite of Russia's, and served as president during Georgia's brief 2008 war with its neighbor. And the hosting provider attacks were hardly discriminating in their victims, hitting Georgian government sites, pro-government media, and opposition media alike.
US officials declined to share with WIRED any of the evidence behind their conclusion that the GRU was responsible for the attack, or the tools and techniques the hackers used. "We don't have any technical assessment that it was Russia, but it's certainly in their neighborhood and something they would be engaged in from an information operations perspective," says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. "It's in line with Russian tactics. The specific outcome is less important than causing upheaval and conflict between different groups in the country."
The attacks took place amid a wave of protests against the current Georgian parliament, points out Khatuna Mshvidobadze, a cybersecurity-focused fellow at the Georgian Foundation for Strategic and International Studies and a lecturer at George Washington University. The Saakashvili defacements may have been intended to further inflame tensions, making the cyberattacks appear to be the work of pro-Western hacktivists. "Russia is well known for using false flag operations. It’s one of their signatures," she says. "Russia doesn’t want a successful democratic country in their backyard."
Mshvidobadze also suggests that, as it has in Ukraine, Russia may be using Georgia as a test lab for new innovations in cyberwar, from election hacking to power grid attacks to data-destroying malware. "They might be trying this out, seeing where it needs improvement before they do it elsewhere, in Europe or in the United States," she says.
Both the Obama and Trump administrations allowed the Ukraine attacks to escalate with impunity for years, despite warnings that those attacks might soon spread to the rest of the world. The Trump administration only acted after the GRU's NotPetya worm spread from Ukraine to devastate Western victims including Maersk, Merck, and FedEx. Eight months after that attack, the White House, along with the UK, Australia, New Zealand, and Canada, named the Russian military as the source of the attack. The Trump administration later imposed new sanctions on Russia as a result.
US officials wouldn't say if the administration plans to take any other measures in response to the Georgian cyberattacks such as indictments or sanctions. But this time it does seem the administration is trying to send a disciplinary message to Russia far more quickly than it did in Ukraine, before similar tactics can be used to disrupt the Georgian election later this year—or the US one.
Since Russia's campaign of interference in the 2016 election—from hacking the Democratic National Committee to disinformation-spewing troll farms—US intelligence agencies have repeatedly warned that the Kremlin's efforts to meddle in US politics continue, and will likely surface again in 2020. Some evidence suggests that Russian hackers may have targeted the Ukrainian oil firm Burisma, seeking private information that could be leaked to hurt the political campaign of Joe Biden, whose son Hunter Biden served on the Burisma board. The DHS has gone so far as to prepare for the possibility of data-destroying cyberattacks timed to disrupt the election. And US Cyber Command reportedly carried out a campaign of sending messages directly to Russian operatives and destroying servers used by the disinformation-spreading Internet Research Agency based in St. Petersburg.
Publicly attributing the cyberattacks in Georgia to Russia represents another approach to deterring the Kremlin's brazen multi-year hacking campaign. "This is interference in the domestic sphere of another country in the midst of an election cycle," an administration official told WIRED of the Georgia attacks. "Failing to push back now invites more significant measures over the coming year, something perhaps more akin to the blackouts in Ukraine, for example."
Better to call out the GRU for Georgian web defacements now, in other words, than to wait until the agency attempts something far more serious—or far closer to home.