The malicious software was programmed to search for specific keywords -- such as USA, Russia, NATO and CIA -- in Microsoft Word documents and PDFs, and was eventually modified to record audio and take screenshots. The documents were deleted within a few minutes from the drop servers, after the hacker had copied the files to his own PC.
Georgia blocked connections to the drop servers receiving the documents. The infected computers were then cleansed of the malware. But despite knowing his operation had been discovered, the hacker didn't stop. In fact, he stepped up his game.
In the next round, the hacker sent a series of emails to government officials that appeared to come from the president of Georgia, with the address "firstname.lastname@example.org." Those emails contained a malicious PDF attachment, purportedly containing legal information, with an exploit that delivered malware.
Neither the exploit nor the malware was detected by security software.
The PDF attacks used the XDP file format, which is an XML data file that contains a Base64-encoded copy of a standard PDF file. The method at one time evaded all antivirus software and intrusion detection systems. It was only in June of this year that the U.K.'s Computer Emergency Response Team warned of it after its government agencies were targeted. Georgia saw such attacks more than a year prior to the warning.
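Because the PDF sits Base64-encoded inside XML, a scanner that looks for the PDF header in the raw attachment sees nothing. The following Python code is an added example, not part of the original article, showing how a mail or file gateway can unwrap such a container so the inner PDF is handed to the normal PDF scanners; the function names and the sample file are constructed for illustration, and locating the payload by the `chunk` element name is an assumption about the wrapper layout.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

PDF_MAGIC = b"%PDF-"

def extract_embedded_pdfs(xdp_bytes):
    """Return the decoded PDF payloads carried inside an XDP (XML) wrapper."""
    # Refuse DTDs: untrusted XML with entity declarations is an expansion risk.
    # (A hardened parser such as defusedxml is the better choice in production.)
    if b"<!DOCTYPE" in xdp_bytes or b"<!ENTITY" in xdp_bytes:
        raise ValueError("DTD/entity declaration in XDP wrapper")
    try:
        root = ET.fromstring(xdp_bytes)
    except ET.ParseError:
        return []                      # not XML, so not an XDP container
    found = []
    for elem in root.iter():
        # Match on the local element name so namespace prefixes do not matter.
        if elem.tag.rsplit("}", 1)[-1] != "chunk" or not elem.text:
            continue
        try:
            raw = base64.b64decode("".join(elem.text.split()), validate=True)
        except (binascii.Error, ValueError):
            continue                   # not valid Base64, ignore this element
        if PDF_MAGIC in raw[:1024]:    # PDF header may follow a little leading junk
            found.append(raw)
    return found

def triage(data):
    """Summarise what a byte-signature check sees versus what is really inside."""
    return {
        "outer_has_pdf_magic": PDF_MAGIC in data[:1024],
        "embedded_sha256": [hashlib.sha256(p).hexdigest()
                            for p in extract_embedded_pdfs(data)],
    }

# Constructed sample: a harmless placeholder PDF wrapped the way the article describes.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, no real content\n%%EOF\n"
SAMPLE_XDP = (
    b'<?xml version="1.0"?>'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<pdf xmlns="http://ns.adobe.com/xdp/pdf/"><document><chunk>\n'
    + base64.encodebytes(SAMPLE_PDF) +
    b'</chunk></document></pdf></xdp:xdp>'
)

if __name__ == "__main__":
    print(triage(SAMPLE_XDP))
```

The extracted bytes, not the XML wrapper, are what should be passed to antivirus and PDF analysis tooling.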
That was one of the major clues that Georgia wasn't dealing with an average hacker, but one who may have been part of a team with solid knowledge of complex attacks, cryptography and intelligence.
"This guy had high-class skills," Gurgenidze said.
Throughout 2011, the attacks continued and became more sophisticated. Investigators found the hacker was connected with at least two other Russian hackers as well as a German one. He was also active on some cryptography forums. Those clues, along with some weak security practices, allowed investigators to get closer to him.
Then, an irresistible trap was set.
They allowed the hacker to infect one of their computers on purpose. On that computer, they placed a ZIP archive entitled "Georgian-Nato Agreement." He took the bait, which caused the investigators' own spying program to be installed.
From there, his webcam was turned on, which resulted in fairly clear photos of his face. But after five to 10 minutes, the connection was cut off, presumably because the hacker knew he had been hacked. But in those few minutes, his computer -- like the ones he targeted in the Georgian government -- was mined for documents.