Cyberattack on Georgian Websites Explained
On Monday, October 28, several thousand websites in Georgia, including the sites for various government agencies, banks, courts, local newspapers, and TV stations were defaced and inaccessible as a result of a cyberattack. The President’s official website displayed an image of former Georgian President Mikheil Saakashvili, with the text "I'll be back" overlaid on top.
The website defacement occurred after hackers breached Pro-Service, a local web hosting provider, and took down the affected websites.
“As we can see, this was not a coordinated massive attack on many targets but a breach of one web hosting provider infrastructure. This is one more example of a supply-chain attack,” – says Roman Sologub, Chief Executive Officer, ISSP. – “IT-service providers are always very attractive targets for cyberattacks. If we recall NotPetya, that attack was also incepted with the breach of the infrastructure of a software developer, whose product was used by hundreds of thousands of other companies.”
“It is important to understand that any attack consists of many stages including intrusion, exploration and capture of infrastructure that can last from weeks to months. The last stage is the culmination of an attack,” – says Maia Goguadze, Chief Operations Officer, ISSP Georgia. – “If website defacing in this case was the ultimate goal of the attackers, if this was the attack culmination, then we should not overestimate its significance. The most important thing to do now is for the web hosting provider to conduct its infrastructure compromise assessment, see the whole and detailed picture of compromised assets and verify if intruders remain inside the network. This will help identify the existing vulnerabilities in the cybersecurity system, fix them and get rid of the adversaries.”
Aleksey Yasinskiy, Head of ISSP Labs & Research Center and an experienced cyberattack investigator, explains that the nature of cyberattacks has changed: today it is much easier for adversaries to breach a poorly protected contractor or supplier, use their accounts to gain access to other organizations and “legitimately” penetrate their infrastructures.
“Every company, no matter how big or small it is or what industry it works in, should ask itself: how attractive are we for cyber criminals as an intermediate link in attacks on other companies?” – explains Aleksey Yasinskiy. – “While big business can implement the latest advances in information security, small and medium-sized companies cannot afford to invest in SIEM, DLP, endpoint protection and other solutions and thus remain easy targets for attackers. When hackers attack companies through the infrastructure of IT-solution suppliers and contractors, they lower the level of ‘noise’ during the penetration and make all the protection measures irrelevant.”