How Russia’s Spies Hacked the Entire Nation of Georgia
(Bloomberg) -- Russian spies were watching Georgia’s government and major companies in a comprehensive espionage and hacking campaign over years, scooping up information and gaining powers to potentially sabotage critical infrastructure.
The Foreign Ministry, Finance Ministry, central bank and key energy and telecommunications providers were penetrated, according to documents and technical reports seen by Bloomberg News. Russian intelligence accessed Georgian electricity companies, oil terminals, media platforms and government departments between 2017 and 2020.
A vital gateway for energy and trade routes linking Europe and Asia, Georgia has been central to the East-West geopolitical struggle for at least two decades. Just how central has become clearer ahead of the elections the country holds on Saturday.
The breadth and severity of attacks outlined in the documents are previously unreported. They show how far Kremlin influence extended in the Caucasus state of nearly four million people at the same time as Georgia was attempting to escape Moscow’s orbit by pursuing European Union and NATO membership.
After the pro-Western Rose Revolution in 2003, the animosity intensified when Georgia and Russia fought a brief war in August 2008. It has gained new impetus since Russian President Vladimir Putin’s full-scale invasion of Ukraine in 2022 triggered the worst confrontation with the West since the Cold War.
Georgia faces crucial parliamentary elections that may decide whether it continues efforts to integrate with the West or pivots back toward Moscow. The contest is pitching the ruling Georgian Dream party of billionaire Bidzina Ivanishvili against opponents who say the nation is turning its back on US and European allies to side with Putin’s regime.
The hacking operations make clear that “Russia has been targeting and infiltrating Georgia for many years,” said Natia Seskuria, executive director at the Regional Institute for Security Studies, a think tank in the capital, Tbilisi. “This is extremely concerning and it’s particularly important in light of the upcoming elections.”
Claims of Russian hacking aimed at influencing electoral outcomes hit the mainstream after Russia was accused of meddling in the US election in 2016. The US also attributed attacks that hit dozens of websites and major media channels in Georgia five years ago to Russia’s GRU military intelligence service.
Nowhere is that political hazard more evident than in Eastern Europe, from the Baltic states down to the Oct. 20 presidential election and referendum on future EU membership in Moldova, where the US accused Russia of dedicating millions of dollars to undermine the votes.
Russian Foreign Ministry spokeswoman Maria Zakharova accused the US and its allies of attempting "to heat up the situation near Russian borders” in a statement in August marking the 16th anniversary of the war with Georgia. “In their desire to annoy Russia, Westerners ignore the interests of the states in the region, jeopardizing their safe and decent existence,” she said.
The US and the EU labeled a recent Georgian government crackdown targeting civil society groups as “Kremlin-inspired” and have accused Russia of targeting the country with cyberattacks before. The government sparked mass protests in May by reviving a “foreign agent” law it said was designed to monitor outside influence on non-governmental organizations and the media.
Brussels responded by halting EU membership negotiations with Georgia, while Washington imposed visa restrictions on more than 60 Georgians for “undermining democracy.”
Georgia has refused to support sanctions against Russia and has become a conduit for imports aimed at evading the restrictions. Ivanishvili hit out at the West in April, saying a “global war party” was attempting to use NGOs to oust his government and push Georgia into a conflict with Russia.
The spying campaign that ran for years before the 2020 elections allowed Russia to eavesdrop on a nation it wants to control. Some hackers kept regular Moscow office hours to monitor their targets in real time, despite trying to mask their presence.
It also gave Moscow the capability to tamper with Georgia’s vital infrastructure services should it have chosen to, including power and communications networks, if the government in Tbilisi drifted in directions that were unwelcome, according to the documents reviewed by Bloomberg and European government officials familiar with the matter. They asked not to be identified discussing confidential issues.
The GRU hacked Georgia’s Central Election Commission, likely gaining access to some email accounts, and several media organizations including Imedi and Maestro, two of the most popular TV channels. It also gained access to multiple IT systems at Georgia’s national railway company for more than two years, according to the documents.
Hackers linked to the Federal Security Service, or FSB, carried out a months-long covert operation at Georgia’s Foreign Ministry to spy on top officials’ emails and scoop up data held by Georgian embassies around the world, one of the documents shows.
The GRU and the FSB didn’t respond to requests to comment.
Georgia’s Central Election Commission didn’t comment on the specific claims, though it said its computer servers were targeted by a so-called Distributed Denial of Service attack on April 5, 2021 that had “no impact” on its systems.
The Foreign Ministry in Tbilisi “isn’t in a position to assess or qualify certain events until relevant expert evaluations” are carried out, spokesperson Anna Shiolashvili said. The Finance Ministry’s public relations service said investigation of cybercrime doesn’t fall within the ministry’s jurisdiction.
Officials at Imedi and Georgian Railway didn’t respond to requests to comment. Maestro TV spokeswoman Khathuna Khvedelidze said an incident occurred in 2019 though she was unable to say whether it was a hacking attack.
Georgian authorities were informed by western counterparts about some Russian hacking attacks. But it’s unclear if they took any action, the European government officials said.
Russia has carried out operations similar in scope more recently, the people said, declining to provide details that could jeopardize active investigations. Company names in some of the documents are redacted and the officials declined to disclose those Russian targets out of concern that it could reveal methods.
The election now poses another risk, according to Giorgi Shaishmelashvili, a former Georgian Defense Ministry official. “Georgia still does not have a comprehensive understanding of the threats,” he said.
Russia may be able to conduct cyber-attacks on critical infrastructure if the parliamentary election leads to a change of government that it considers unacceptable, said Shaishmelashvili, who’s now head of research at Civic IDEA, an NGO in Tbilisi.
From late 2019 into early 2020, Russian hackers were reading emails of employees at Telasi, the electricity distribution company in Tbilisi, and watching them through internal cameras as they worked. Other hackers targeted a different, state-owned energy grid company, gaining the ability to switch off electrical substations and cut power in some Georgian regions had they decided to, the documents show.
The GRU was behind the attacks, according to one of the documents. The state-owned energy firm was infiltrated using malicious software named GreyEnergy.
There were no hacking attacks on Telasi during the specified periods, and no information leaks or breaches of corporate data integrity, company spokesman Valeri Phantsulaia said.
The Russian intelligence agency also probed for vulnerabilities in other critical infrastructure, finding some in the network of the Batumi Oil Terminal, according to one document. By October 2019, multiple systems including smart cameras were compromised.
Officials at Batumi Oil Terminal didn’t respond to a request to comment. The terminal on the Black Sea coast ships crude and oil products from Georgia as well as from neighboring Azerbaijan and from Kazakhstan and Turkmenistan in Central Asia.
At least two other unidentified refineries as well as several other companies and government entities were also targeted by the GRU, at times using X-Agent malware, which has been previously tied to the intelligence agency, according to the European officials.
Cyber-intruders, meanwhile, hacked a large number of email accounts at the National Bank of Georgia around 2019-2020, allowing them to read confidential correspondence.
The central bank declined to comment on the specific claims, saying information about cyberattacks and control mechanisms was confidential. The bank said in a statement that it uses "modern systems for the security of its information assets."
Hackers also compromised telecommunications operator Skytel, where they likely gained access to administrator systems, network routers and other critical systems. The intruders were “possibly” in a position to shut down all the provider’s telecommunications as well as sub-providers on Skytel’s network, one of the documents said.
Officials at Skytel didn’t respond to a request to comment.
The surveillance operation at the Foreign Ministry was conducted by a hacking group known as Turla that US officials have previously said is attached to an FSB unit called Center 16. It works from a facility in Ryazan, about 130 miles southeast of Moscow. Active since around 2004, Turla has gained notoriety for sophisticated attacks in dozens of countries.
From April 2020 to January 2021, according to a report based on network logs, the hackers focused on pilfering data from seven Georgian officials, including a current deputy foreign minister and Georgia’s ambassadors to the US and the EU.
They also appeared repeatedly to target computers linked to specific Georgian consulates or embassies, including those in Cyprus, the Baltic countries, Russia, South Korea, Azerbaijan and Canada. Turla members carried out their snooping strictly during office hours from Monday to Friday.
During a single month from November to December 2020, Turla broke into the Foreign Ministry’s network and stole data 114 times, harvesting about 2.1 gigabytes in total.
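The two behavioural details the documents record, operators working strictly Monday to Friday office hours and a countable series of exfiltration events with a total volume, are exactly what a defender can test for in their own logs. The following is an added example, not code from the article or from any of the parties it describes; the log lines, their format, the 09:00 to 18:00 working window and the 0.7 threshold are all constructed assumptions for illustration. It converts event timestamps into a candidate operator time zone (Moscow, fixed at UTC+3), buckets them by local hour and weekday, and sums the bytes moved, giving the kind of office-hours signal and volume figure the text reports.

```python
"""
Working-hours and exfiltration-volume analysis over constructed log records.
Added example; the records and field layout are made up, not the report's data.
"""
from collections import Counter
from datetime import datetime, timezone, timedelta

# Europe/Moscow has used a fixed UTC+3 with no DST since 2014; hard-coded here
# (assumption) to avoid a zoneinfo dependency.
MOSCOW = timezone(timedelta(hours=3))

# Constructed sample records, NOT the network-log report described in the
# article. Format per line: "<UTC timestamp> <bytes transferred out>".
SAMPLE_LOGS = [
    "2020-11-02T06:15:00Z 18400000",  # Mon 09:15 MSK
    "2020-11-03T10:42:00Z 22100000",  # Tue 13:42 MSK
    "2020-11-04T14:05:00Z 9700000",   # Wed 17:05 MSK
    "2020-11-05T15:30:00Z 31000000",  # Thu 18:30 MSK (after the window)
    "2020-11-06T07:58:00Z 12500000",  # Fri 10:58 MSK
    "2020-11-07T09:00:00Z 5000000",   # Sat 12:00 MSK (weekend)
    "2020-11-09T05:40:00Z 27300000",  # Mon 08:40 MSK (before the window)
    "2020-11-10T11:20:00Z 15600000",  # Tue 14:20 MSK
    "2020-11-11T13:10:00Z 40200000",  # Wed 16:10 MSK
    "2020-11-12T08:25:00Z 7100000",   # Thu 11:25 MSK
]


def parse_records(lines):
    """Parse '<ISO-8601 UTC timestamp>Z <bytes>' lines into (aware datetime, int)."""
    events = []
    for line in lines:
        ts, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, int(size)))
    return events


def local_hour_histogram(events, tz=MOSCOW):
    """Count events per local hour of day in the candidate operator time zone."""
    return Counter(when.astimezone(tz).hour for when, _ in events)


def is_office_hours(when, tz=MOSCOW, start=9, end=18):
    """True if the event falls Mon-Fri within [start, end) local hour (assumed window)."""
    local = when.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def summarize(lines, tz=MOSCOW):
    """Event count, total bytes, office-hours share and weekend count for one log set."""
    events = parse_records(lines)
    in_hours = sum(1 for when, _ in events if is_office_hours(when, tz))
    weekend = sum(1 for when, _ in events if when.astimezone(tz).weekday() >= 5)
    return {
        "events": len(events),
        "total_bytes": sum(size for _, size in events),
        "office_hours_ratio": in_hours / len(events) if events else 0.0,
        "weekend_events": weekend,
    }


def office_hours_verdict(summary, threshold=0.7):
    """Coarse hunting signal only: timing is easy to fake and must be corroborated
    with infrastructure, tooling and victimology before it supports attribution."""
    if summary["office_hours_ratio"] >= threshold:
        return "consistent with an operator keeping office hours in the tested time zone"
    return "no clear office-hours pattern in the tested time zone"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    print(summary)
    print(sorted(local_hour_histogram(parse_records(SAMPLE_LOGS)).items()))
    print(office_hours_verdict(summary))
```

Run it against several candidate time zones rather than one: an activity curve that sits neatly inside 09:00 to 18:00 in only one zone is a stronger hint than a ratio computed for a zone chosen in advance, and a flat curve across all zones is itself informative.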
In May 2023, the Justice Department and the FBI said they had dealt a major blow to Turla by uncovering and dismantling a network of computers the group was using in the US and other countries to launder stolen data.
Russia’s main interest “is to weaken Georgia’s pro-Western foreign policy,” said Seskuria, of the security studies institute. “And we have seen that these relationships have never been worse.”
--With assistance from Helena Bedwell.
(Updates with detail on Turla group in the second-last paragraph. An earlier version of this story corrected the year of the Rose Revolution in the fifth paragraph.)
©2024 Bloomberg L.P.