Cyber Incident Victim: Georgian courts

Date: Oct 2019

Location: Georgia

Summary

A massive cyber-attack targeted multiple entities in Georgia, temporarily taking offline two television stations and defacing or disrupting thousands of websites. Among the affected were personal, business, local news, and government sites, including those of the general jurisdiction courts and the president. The attack compromised a key web hosting provider, Proservice, resulting in the defacement of around 15,000 hosted websites with images of former president Mikheil Saakashvili and the phrase "I'll be back." Restoration efforts progressed rapidly, with more than half of the impacted sites restored by the end of the day. Critical infrastructure was not impacted.

Description

On October 28, 2019, a large-scale cyber-attack commenced against multiple targets within Georgia, resulting in significant disruption to the nation's digital landscape. The assault began at dawn and was characterized by widespread website defacements and takedowns, affecting a diverse array of entities including personal blogs, business sites, local newspapers, government portals such as those for general jurisdiction courts, and the official website of then-President Salome Zurabishvili. A primary vector of the attack was a Georgian web hosting provider, Proservice, whose servers housed approximately 15,000 websites for state agencies, private sector organizations, and media outlets; these sites were compromised, with their home pages replaced by images of former President Mikheil Saakashvili and a banner stating "I'll be back." Saakashvili, who faces multiple criminal charges in Georgia and resides in self-imposed exile in Ukraine, became the symbolic figurehead of the defacements. Concurrently, two Georgian television broadcasters, Imedi TV and Maestro, were temporarily taken offline, amplifying the attack's visibility and impact on national media. While the attack caused extensive public and private sector website outages, reports indicated that critical national infrastructure remained unaffected.

The detection of the attack prompted an immediate response from the affected hosting provider, Proservice, which issued a public statement acknowledging the incident as "one of the largest cyber-attacks on the cyber space of Georgia." The company confirmed its server was a direct target and detailed its restoration efforts, stating that by 8:00 pm on October 28, over 50% of the hosted web pages had been restored, with work continuing overnight to fully recover all services. Proservice noted it was collaborating with the Ministry of Internal Affairs and leading cybersecurity experts to eliminate the problem completely. Georgia's interior ministry concurrently initiated a formal investigation into the attack's origins and methodology.

The scale and coordinated nature of the incident, targeting government, media, and private websites simultaneously, drew comparisons in media reports to the 2008 cyber-attacks that coincided with the Russo-Georgian conflict, though officials at the time cautioned it was too early to assign specific attribution. Cybersecurity experts quoted in the coverage opined that the attack's characteristics suggested possible state sponsorship due to its breadth and the selection of high-profile targets, aligning with a trend of politically motivated cyber operations aimed at disrupting societal functions and promoting geopolitical narratives. The incident underscored the vulnerability of interconnected digital infrastructure and served as a stark reminder of the potential for cyber tools to be wielded for broad disruptive effect against a sovereign nation's online presence.
