A large-scale cyber-attack that defaced thousands of Georgian websites with former Georgian President Mikheil Saakashvili’s photo on October 28, 2019, was more than a simple case of website vandalism: it included poorly executed malicious code as well.

Georgia has seen a similar attack before, in 2008, when Russia’s military incursion into territory that is still the center of a cold conflict between the two countries was accompanied by cyber-attacks. While there was a similarity with this earlier attack, there is no indication that Russia played a part in this latest event. Both of the attacks, however, were likely aimed at demoralizing Georgian society by sowing confusion and fear as well as instilling a feeling of vulnerability.

The October cyber-attack — likely the largest in the country’s history — affected more than 2,000 websites and targeted multiple sectors, including the websites of the president, courts, civil society organizations, and private companies, as well as two television stations.

While a number of fringe Georgian websites and Facebook pages claimed that Saakashvili himself was behind the attacks, the DFRLab found no evidence to support that attribution.

Previous instances of cyber-attacks on Georgia

Georgia has been a target of similar attacks in the past, most notably by Russian state-backed hacking groups during the 2008 Russo-Georgian War. Hundreds of institutions have been targeted.

In August 2008, security researchers noticed that an escalating series of cyber-attacks began targeting Georgia’s internet infrastructure. The Georgian government accused Moscow of orchestrating cyber warfare alongside Russia’s ongoing military offensive.

At the time, NATO concluded that the hacking of Georgian computer networks “appeared to be coordinated with Russian military actions.” The Carnegie Endowment for International Peace, meanwhile, attributed the attack to a “national government” with “high confidence,” noting that it used “a strain of Pinch malware frequently used in Russia.” The Council on Foreign Relations linked the attack to APT28, also known as Fancy Bear, a hacking group associated with Russian military intelligence.

The photo of Georgia’s ex-President

Many of the sites targeted in the latest attack were defaced in the same manner: when visitors navigated to the home page, they were greeted with a full-screen photo of Saakashvili, accompanied by a caption channeling Arnold Schwarzenegger in Terminator — “I’LL BE BACK” — superimposed over a Georgian flag.

Defaced Georgian governmental website displaying the photo of Georgia’s former President Mikheil Saakashvili. (Source: Penitentiary and Probation Training Center of Georgia)

Saakashvili served two terms as president of Georgia between 2004 and 2013 and is known for his ardent pro-Western views. He is wanted by Georgia’s current government on multiple criminal charges, including abuse of power and wasting state funds; he has claimed the charges are politically motivated.

Georgian Facebook pages and fringe media rush to blame Saakashvili

Shortly after the cyber incident, a number of Georgian Facebook pages as well as fringe Georgian and Russian online outlets started speculating, with no evidence, that the attack was orchestrated by Saakashvili.

The pages shared the photo of Saakashvili displayed on the hacked sites and claimed the hack was organized by the former president and that he would not be able to come back to Georgia despite his best efforts.

In addition to sharing the posts, one of the pages shared an article from a fringe Georgian outlet accusing Saakashvili of being behind the incident.