Researchers with the Computer Emergency Response Team in the country of Georgia say they turned the tables on a hacker who planted advanced espionage malware on Georgian and American computers to collect sensitive security documents.

Researchers had been following the perpetrators behind the "Georbot Botnet," which they said used advanced methods to infiltrate the computers of government ministries, parliament, banks, and non-governmental organizations. The botnet's targets spanned Georgia, the US, Canada, Ukraine, France, and other countries. Besides exploiting unpublished software vulnerabilities to install malware, the attackers also planted malicious links on webpages likely to interest the kinds of people being targeted, a watering-hole approach that lets victims bring the infection to themselves.

The malware searched victim machines for documents containing certain terms and also switched on the infected computers' built-in webcams and microphones to eavesdrop on targeted individuals. The campaign began as early as March 2011 and lasted as long as 12 months. The CERT members tracking the operation said they linked it to "Russian Security agencies."

Part of their research, outlined in a 27-page report, involved infecting one of the perpetrators with the same malware used in the campaign. With that foothold, the researchers recorded video of a man as he used one of the computers they had compromised.

As the report explained:

We infected our PC from the Lab, then gave the cyber attacker a fake ZIP archive with his own virus inside and the name "Georgian-Nato Agreement". The attacker stole that archive and executed the malicious files. As we had access to the BOT panel, we maintained control over his PC. Then we captured video of him, personally. We captured the process of creating new malicious modules. We obtained a Russian document, from e-mail, where he was giving someone instructions on how to use this malicious software and how to infect targets. We linked him with some German and Russian hackers. Then we obtained information about his destination city, Internet service provider, e-mail, etc.

Attribution, the task of determining which group or country is behind a physical or network attack, has long been a complicated and imprecise undertaking. That makes it hard for disinterested third parties to state with certainty who is behind an attack and easy for the accused party or country to offer facts that seem to rebut the claims. In 2008, crippling denial-of-service attacks on Georgian banks and government websites preceded Russia's military campaign in that country. Many Georgians claim the attacks were carried out by Russians. The photographs and other data allegedly captured through the hacker's own computer may be of particular value as this latest dispute plays out, though footage of one operator, an ISP record, and an e-mail address place a person at a keyboard; on their own they do not establish who directed him.