On October 28, an unknown cyber attacker brought a significant amount of Internet traffic in the country of Georgia to a standstill for much of the day with a massive web defacement attack. Hackers defaced nearly 15,000 websites and forced nearly 2,000 websites offline for a period of time. According to Pro-Service, the Georgian web hosting provider at the center of the hack, the unknown cyber assailants targeted government sites, as well as the websites of local newspapers and TV stations, banks and courts, even going so far as to deface the website of the president of Georgia. The massive cyber attack, without question, was the largest in the country’s history.
Details of the web defacement attack
Despite the massive scale and scope of the attack, it was not an extraordinarily sophisticated one. As security researchers point out, it was a classic “web defacement” attack, in which the original content on a website is replaced by new content generated by the attacker. In this case, the attackers used an image of former Georgian president Mikheil Saakashvili (now in self-imposed exile in Ukraine), together with an image of the Georgian flag and a simple text phrase: “I’ll be back.”
Given the nature of the content, the obvious conclusion is that the massive web defacement cyber attack was political in nature, carried out by allies, supporters or sympathizers of Saakashvili. To this day, Saakashvili remains an extremely polarizing political figure with controversial views. He fled from Georgia in 2013 and is now facing prosecution on criminal charges if he ever returns to Georgia. At one time, he was viewed as a pro-Western, anti-Russian politician who was attempting to modernize his country and bring it closer into the Western orbit (including membership in NATO). Currently, though, his image has been tainted with corruption allegations and criminal charges, so it’s easy to see why defacing 15,000 websites around Georgia with his image would be so controversial.
To help out with an investigation into the web defacement attack, Pro-Service has enlisted the help of the Georgian Ministry of Internal Affairs (MIA) and other external cyber security researchers. According to the preliminary results of the MIA investigation, the exact identity of the attacker is still unknown. Moreover, even the mechanism used to carry out the attack is unknown. As the MIA noted in a public statement, the web defacement attack could have been “carried out both from inside and outside the country.” One thing is certain, though: the cyber attack style on each website was identical, so the same hacker (or hacker group) appears to be behind the web defacement attack.
Mike Bittner, Associate Director of Digital Security and Operations at The Media Trust, comments on why the hackers went after a relatively unknown web hosting provider: “Malicious and nation state actors often fix their crosshairs on third-party providers because they are known to have poor security measures in place and provide trusted access to the digital assets of many clients. Hacking into these third parties is a frequently used strategy for campaigns with an eye to spreading malware, public discord and disinformation, election interference, personal data theft, and fraud. Carefully vetting digital vendors, enforcing digital policies, and closely monitoring vendor activities can drastically reduce the risk of being hacked. Government organizations in particular should bolster their defenses as they fall prey to a variety of attackers who want access to their audiences and data trove.”
Echoes of the 2008 Russian cyber attack on Georgia
The fact that the Georgian Ministry of Internal Affairs specifically mentioned the possibility of the attack being carried out from “outside the country” is very telling. That’s because the obvious suggestion here is that Russian hackers were somehow responsible for the attack on the computer systems, either directly or indirectly. For the past decade, ever since the 2008 Russian-Georgian war over the breakaway provinces of Abkhazia and South Ossetia, the two nations have been locked in an uneasy, tense diplomatic relationship. In June 2019, for example, tensions once again boiled over, and this web defacement attack might be a response, possibly with the coordination of the Russian government.
Without a doubt, the most recent web defacement attack bears an uncanny resemblance to the web defacement and distributed denial of service (DDoS) attacks that took place in 2008, at the time of the Russian-Georgian war. For example, in August 2008, Russian hackers launched a DDoS attack on the website of the South Ossetian government. At the same time, the website of the Georgian Ministry of Foreign Affairs was defaced with photo collages comparing then-president Mikheil Saakashvili to German dictator Adolf Hitler. But it wasn’t just the Russians who took the conflict into the cyber realm. Also in August 2008, Russian news agency RIA Novosti reported that it was hit by DDoS attacks, presumably from Georgian hackers looking for retaliation.
The 2008 conflict between Russia and Georgia was the first-ever kinetic military conflict that included a limited conflict taking place in cyberspace. It raised the prospect that future conflicts would escalate even further in the cyber realm, to the point where web defacement attacks would be replaced by massive attacks designed to take down the nation’s critical infrastructure, such as the power grid or hospitals.
Implications for Western governments
It might be easy to dismiss the web defacement attack in Georgia as a regional attack with implications only for Russia and other post-Soviet nations. However, the reality is that the web defacement attack targeting the Georgian government is really a foreshadowing or preview of what might happen in Western nations, especially around the time of important elections. In 2016, for example, Russian hackers allegedly conducted massive misinformation and disinformation campaigns within the United States, all with the goal of sowing confusion and disarray. What might happen in 2020, then?
Surely, if Russian hackers were behind the current Georgian web defacement attack, they might also try to launch similar attacks in the United States before the next presidential election in 2020. Imagine what might happen if U.S. citizens try to check national election results and all they see on government websites is an image of Joseph Stalin (or some other Russian political leader). At the very least, such a web defacement attack would undermine the democratic process and cause many Americans to lose confidence in the current political system. Thus, it’s possible to view Georgian-style web defacement attacks as a form of psychological pressure, designed to create a sense of fear, confusion and distrust.
Growing sophistication of cyber attacks
Going forward, governments around the world have a lot more to worry about than just web defacement attacks that disrupt websites for a few hours at a time. There are also ransomware attacks, DDoS attacks, data breaches, botnet attacks, and cyber-espionage attacks. With that in mind, the Georgian web defacement attack should be a clear wake-up call to government leaders that they should be taking immediate steps to bolster their nation’s cyber security defenses.