For years, Russian spies have carried out a large-scale espionage and hacking campaign against the Georgian government and major companies, gathering information and gaining the ability to sabotage critical infrastructure, Bloomberg reports.
According to documents and technical reports reviewed by journalists, Russian intelligence penetrated Georgia's Ministries of Foreign Affairs and Finance, the National Bank, and major energy and telecommunications providers. As the publication notes, between 2017 and 2020, Russian intelligence gained access to Georgian energy companies, oil terminals, media platforms, and government agencies.
"The breadth and severity of attacks outlined in the documents are previously unreported. They show how far Kremlin influence extended in the Caucasus state of nearly four million people at the same time as Georgia was attempting to escape Moscow’s orbit by pursuing European Union and NATO membership," Bloomberg wrote.
The article highlights that a years-long spying campaign, leading up to the 2020 parliamentary elections, enabled Russia to eavesdrop on a country it seeks to control. Based on documents reviewed by Bloomberg and European government officials, the campaign also gave Moscow the ability to interfere with Georgia's critical infrastructure, including energy and communication networks, should the Tbilisi government stray in a direction it disliked. The sources who provided this information requested anonymity.
According to Bloomberg, the GRU (Russia's main intelligence division) hacked Georgia's Central Election Commission, allegedly gaining access to several email accounts, as well as media organizations such as Imedi and Maestro. For more than two years, the GRU had access to multiple IT systems of the Georgian Railway Company, as reported in documents seen by Bloomberg.
The publication also reports that one document shows hackers associated with the Federal Security Service (FSB) carried out a months-long covert operation within Georgia's Ministry of Foreign Affairs. This operation targeted the emails of high-ranking officials and accessed data stored by Georgian embassies worldwide.
Despite Bloomberg's requests, both the GRU and the FSB declined to comment.
The Central Election Commission of Georgia did not address specific claims but stated that its computer servers were targeted by a DDoS attack on April 5, 2021, which "had no impact" on its systems.
Georgia's Ministry of Foreign Affairs told Bloomberg that it is not authorized to assess or characterize certain events until appropriate expert evaluations are conducted. Meanwhile, the Public Relations Service of the Ministry of Finance said that investigating cybercrime is not within its competence. Representatives of Imedi and Georgian Railways declined to comment on the issue. Khatuna Khvedelidze, the spokesperson for Maestro TV, confirmed an incident in 2019 but could not say whether it was a hacking attack.
Bloomberg further reports that at the end of 2019 and early 2020, Russian hackers were monitoring the emails of employees at Telasi, the Tbilisi electricity distribution company, and watching them through internal cameras as they worked.
"Other hackers targeted a different, state-owned, energy grid company, gaining the ability to turn off electrical substations and cut power in some Georgian regions had they decided to, the documents show. The GRU was behind the attacks, according to one of the documents. The state-owned energy firm was infiltrated using malicious software named GreyEnergy," the article states.
According to Valeri Pantsulaia, the company's spokesperson, no hacking attacks were carried out on Telasi during the specified periods, nor was there any information leakage or violation of corporate data integrity.
One of the documents seen by Bloomberg indicates that Russia's intelligence agency also probed other critical infrastructure for vulnerabilities and found one in the Batumi oil terminal network. Located on the coast of the Black Sea, the terminal ships oil and petroleum products from Georgia, as well as from neighboring Azerbaijan, Kazakhstan, and Central Asian Turkmenistan. According to the article, as of October 2019, several systems at the Batumi oil terminal, including smart cameras, were compromised. Terminal officials did not comment despite being approached.
Bloomberg reports that in 2019-2020, cybercriminals hacked numerous email accounts of the National Bank of Georgia, allowing them to access confidential correspondence. The central bank declined to comment on specific allegations, stating that information regarding cyberattacks and control mechanisms is confidential. However, in its statement, the bank emphasized that it uses "modern systems for the security of its information assets."
Hackers also compromised the telecommunications operator Skytel, allegedly penetrating administrator systems, network routers, and other critical infrastructure. According to Bloomberg, the attackers may have gained the ability to disable the provider's entire telecommunications network, as well as those of sub-providers within Skytel’s network. Skytel officials did not comment when contacted.
According to Bloomberg, the foreign ministry espionage operation was carried out by a hacking group known as Turla, which U.S. officials say is linked to an FSB unit called Center 16, operating out of a facility in Ryazan, about 130 miles southeast of Moscow.
"From April 2020 to January 2021, according to a report of network logs, the hackers focused on pilfering data from seven Georgian officials, including a current deputy foreign minister and its ambassadors to the US and the EU. They also appeared repeatedly to target computers linked to specific Georgian consulates or embassies, including those in Cyprus, the Baltic countries, Russia, South Korea, Azerbaijan and Canada. Turla members carried out their snooping strictly during office hours from Monday to Friday. During a single month from November to December 2020, Turla broke into the Foreign Ministry’s network and stole data 114 times, harvesting about 2.1 gigabytes in total," Bloomberg wrote.
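The pattern in the quoted passage, repeated data pulls confined to weekday office hours that add up to a large cumulative volume, is something a defender can look for in outbound-transfer logs. The following is an added example, not code from Bloomberg or from the reported documents; it runs over constructed log records with hypothetical host names and addresses, and the thresholds are illustrative assumptions:

```python
from datetime import datetime

# Constructed sample of outbound-transfer records: (timestamp, source host,
# destination, bytes). Hosts and addresses are hypothetical, not from the report.
SAMPLE_LOG = [
    ("2020-11-02 09:14:03", "mfa-ws-17", "203.0.113.45", 18_000_000),
    ("2020-11-02 14:02:51", "mfa-ws-17", "203.0.113.45", 22_500_000),
    ("2020-11-03 10:31:12", "mfa-ws-17", "203.0.113.45", 19_800_000),
    ("2020-11-07 11:05:40", "backup-srv", "192.0.2.10", 900_000_000),  # Saturday backup, benign
    ("2020-11-09 16:47:09", "mfa-ws-17", "203.0.113.45", 21_100_000),
    ("2020-11-10 02:12:00", "mfa-ws-17", "203.0.113.45", 500_000),     # off-hours, small
    ("2020-11-12 15:20:33", "mfa-ws-17", "203.0.113.45", 20_400_000),
    ("2020-11-16 09:55:18", "mfa-ws-17", "203.0.113.45", 23_000_000),
]

def parse(record):
    ts, src, dst, nbytes = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, nbytes

def office_hours(dt):
    # Monday=0 .. Friday=4, 08:00-17:59 local time (assumed working day)
    return dt.weekday() < 5 and 8 <= dt.hour < 18

def profile_transfers(records, min_events=5, min_bytes=50_000_000, office_share=0.8):
    """Group outbound transfers per (source, destination) pair and flag pairs whose
    transfers are repeated, fall almost entirely inside weekday office hours, and
    exceed a cumulative volume threshold. Returns a list of
    ((src, dst), event_count, total_bytes, office_hours_share)."""
    stats = {}
    for rec in records:
        dt, src, dst, nbytes = parse(rec)
        s = stats.setdefault((src, dst), {"events": 0, "office": 0, "bytes": 0})
        s["events"] += 1
        s["office"] += office_hours(dt)
        s["bytes"] += nbytes
    flagged = []
    for key, s in stats.items():
        share = s["office"] / s["events"]
        if s["events"] >= min_events and s["bytes"] >= min_bytes and share >= office_share:
            flagged.append((key, s["events"], s["bytes"], round(share, 2)))
    return flagged

if __name__ == "__main__":
    for pair, events, total, share in profile_transfers(SAMPLE_LOG):
        print(f"{pair}: {events} transfers, {total} bytes, {share:.0%} in office hours")
```

The single weekend backup is not flagged because it is a one-off, while the workstation that pushes data to the same destination on working days is.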