
Georgia Web Attack: Overview of The Attack

Posted October 31, 2019 | 4 min read

You may be aware of the massive cyber-attack that hit the country of Georgia on October 28, 2019, defacing several websites and web-based services and taking them offline. This is one of the largest attacks the country has faced since the Russo-Georgian war in 2008. The scale and nature of these attacks highlight the wide gaps in, and the lax attitude towards, cybersecurity, especially in government and public networks, and stress the need for proactive, comprehensive, and intelligent security measures.

In this article, we will explore the facets of the attack, its causes, and the lessons that we need to learn from such attacks.

An Overview of The Attack

This coordinated attack hit a massive 15,000 websites in Georgia. The websites were hacked into and defaced, and eventually 2000 were forced completely offline. Through the defacement, the attackers replaced the home pages of the target websites with a photograph of former President Mikheil Saakashvili, captioned “I’ll be back”. The former President is in self-imposed exile in Ukraine after he was accused of multiple criminal charges, including abuse of power. His supporters, however, believe that these are false charges and that it was a witch hunt against the pro-Western reformist leader.

It is still unclear to the affected and involved parties who the attackers are and what their actual motives could be. Speculation is rife that there could be Russian involvement in the attacks, as the modus operandi and style are similar to the 2008 web attacks (during the Russo-Georgian war) by Russian attackers, which targeted several Georgian websites and took them down.

The Targets

The choice of defacement targets appears to be random, covering a diverse range of victims. The targets of these unprecedented cyber-attacks range from the Government and its agencies, media, banks, courts, local newspapers, and businesses big and small, to TV stations including the national television, NGOs, Georgian President Salome Zurabishvili’s website, and even personal web pages.

The magnitude of the impact varied vastly, with some websites being hit harder than others. For instance, three of the major broadcasters in Georgia were hit by the attack – TV Imedi, TV Maestro and TV Pirveli. TV Imedi and TV Maestro went off-air following the attacks, while TV Pirveli did not. Additionally, TV Maestro’s computers were destroyed owing to the attacks.

What Caused the Attack?

One of the major targets of the attack was a server belonging to the web hosting service provider Pro service, which hosts the websites of hundreds of Government agencies, businesses, media organizations, non-profits, and others. The company has taken the blame for the attacks, admitting that the attackers breached its network to take down its subscribers’ websites. As of now, the company has not divulged details of the root causes of the attacks and is engaged in restoring the websites that were taken down.

Lessons to Learn from Georgia’s “I’ll Be Back” Attack

1. Your web security is only as good as the security posture of your third-party service providers

Even though Pro service, the web hosting service provider whose servers were leveraged to orchestrate the attacks, has not divulged technical details of the vulnerabilities the attackers exploited, the attacks highlight the need for service providers as well as subscribers to be concerned about the strength of the security measures taken by the service provider. While organizations may be focusing on fortifying their own website security, they do not realize that their websites could be hacked if their third-party service providers have weak security measures.

2. Governments and all organizations need to take cybersecurity seriously

Considering that Georgia has seen similar attacks on Government and public agency websites before, this attack shows startling gaps in the preparedness of successive governments and a lax attitude towards cybersecurity. Security experts believe that the signature “I’ll be back” is ominous, and that these attacks will not be the last if Georgia does not make critical changes to its cybersecurity protocols, and if the government agencies and the other targets of the attacks do not take cybersecurity seriously.

In today’s highly connected world, hacktivism and website defacements are becoming easy tools for nation-states to promote their geopolitical agendas to rival nation-states, especially since many Governments are not taking cybersecurity seriously.

What Can Be Done Better?

Regardless of the size or wealth of a nation, it is essential to invest time, resources, and effort in strengthening the nation’s cybersecurity protocols, securing all Government and allied agencies’ servers, moving away from legacy IT systems, and consistently maintaining high standards of web security.

There is a definite need to understand the risk posture of all applications; without knowing the risk posture, it is impossible to prevent such attacks in the future. Risk posture can be established using automated scanners, which try to find vulnerabilities in the applications by mimicking attack behaviours, and through manual pen-testing, where ethical hacking is done to find vulnerabilities. This is the first basic step towards protecting these sites.

Once the risk posture is identified, a concrete plan has to be put in place in which the vulnerabilities found are addressed in a time-bound manner. Applications also need a defense against further attacks in the form of a WAF. A WAF helps protect against known attacks and can virtually patch vulnerabilities that are found in the application.
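To make the two WAF roles in the paragraph above concrete, here is a small request filter in the style of a WAF rule set. It is an added illustration written for this article, not code from Indusface, AppTrana, or any of the organizations mentioned. It carries one generic signature for a known attack class (path traversal in any query parameter, normalised across double URL-encoding) and one virtual patch: an allowlist on the `format` parameter of a hypothetical `/admin/export` endpoint, standing in for a vulnerability a scanner or pen-test has reported but the application team has not yet fixed. The endpoint, parameter names and sample request lines are all constructed for the example.

```python
"""Virtual-patch style request filter (illustrative, not a product's rule set)."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


class Request(NamedTuple):
    method: str
    path: str
    params: Dict[str, List[str]]   # parameter name -> values, decoded once


class Rule(NamedTuple):
    name: str
    kind: str                       # "signature" (attack class) or "virtual-patch" (one endpoint)
    matches: Callable[[Request], bool]


def parse_request_line(line: str) -> Request:
    """Parse an HTTP request line such as 'GET /path?a=1 HTTP/1.1'."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    return Request(method, parts.path, params)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded payloads normalise to one form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# A '..' path segment, i.e. '..' bounded by a slash/backslash or string edge.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def traversal_signature(req: Request) -> bool:
    """Generic signature: any parameter value containing a '..' path segment."""
    return any(TRAVERSAL.search(fully_decode(v))
               for values in req.params.values() for v in values)


# Hypothetical virtual patch: the export endpoint only legitimately accepts
# these formats, so anything else is rejected at the edge until the app is fixed.
EXPORT_FORMATS = re.compile(r"(csv|json)")


def export_format_patch(req: Request) -> bool:
    if req.path != "/admin/export":          # patch is scoped to one endpoint
        return False
    return any(EXPORT_FORMATS.fullmatch(v) is None
               for v in req.params.get("format", []))


RULES = [
    Rule("path-traversal-signature", "signature", traversal_signature),
    Rule("virtual-patch-export-format", "virtual-patch", export_format_patch),
]


def evaluate(line: str, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return ('block', rule_name) for the first matching rule, else ('allow', None)."""
    req = parse_request_line(line)
    for rule in rules:
        if rule.matches(req):
            return ("block", rule.name)
    return ("allow", None)


# Constructed sample request lines, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1",       # single-encoded traversal
    "GET /download?file=%252e%252e%2Fetc%2Fpasswd HTTP/1.1",    # double-encoded traversal
    "GET /download?file=report..txt HTTP/1.1",                  # benign '..' inside a name
    "GET /admin/export?format=csv HTTP/1.1",
    "GET /admin/export?format=csv%27%20OR%201 HTTP/1.1",        # outside the allowlist
    "GET /other?format=xml HTTP/1.1",                           # patch does not apply here
]


def run_samples() -> List[Tuple[str, str, Optional[str]]]:
    return [(line, *evaluate(line)) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line, decision, rule in run_samples():
        print(f"{decision:5} {rule or '-':30} {line}")
```

The design point is the difference between the two rule kinds: the signature is broad and pays for that breadth with a false-positive risk, which is why it matches only a real `..` path segment and not any string containing two dots, while the virtual patch is narrow and allowlist-based, scoped to the one endpoint the scanner flagged, so it buys time for the code fix without touching the rest of the application.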

Indusface’s AppTrana is one such complete solution that organizations can consider; it provides all three aspects of application security: risk detection, risk protection, and continuous monitoring. Get started with a free trial here.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.


Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.
