Russian cyber spies target Georgia’s government and critical infrastructure

For over three years, Russian intelligence agencies infiltrated Georgia’s government and key companies in an extensive espionage operation, gaining access to sensitive information and means to potentially disrupt critical infrastructure, according to documents and technical reports reviewed by Bloomberg News.

Between 2017 and 2020, the Foreign Ministry, Finance Ministry, central bank, and vital energy and telecommunications companies were deeply compromised by Russia’s GRU (military intelligence) and FSB (Federal Security Service). Targets included electricity providers, oil terminals, media platforms, and even Georgia’s Central Election Commission.

Georgia, positioned as a gateway for energy and trade routes linking Europe and Asia, has long been central to the geopolitical struggle between East and West.

The intelligence-gathering campaign, which persisted for years before Georgia’s 2020 elections, allowed Russia to monitor a key nation in its strategic interest. Hackers, working regular Moscow office hours, actively observed their Georgian targets in real time.

In addition to espionage, Moscow gained the capability to sabotage Georgia’s power and communications networks, which could be deployed if the government pursued policies against Russian interests. The operations included compromising IT systems at Georgia’s national railway, infiltrating energy companies, and gaining access to confidential emails of senior officials at the Foreign Ministry.

The hackers had also targeted Georgia’s power companies, Bloomberg reports. By late 2019, Russian hackers had full visibility into Telasi, Tbilisi’s electricity distributor, monitoring employee activity and exploiting internal security weaknesses. Hackers also compromised a state-owned energy grid company, giving them the ability to shut down substations, cutting power in critical regions if desired.

The GRU was responsible for many of these attacks, using sophisticated malware like GreyEnergy and X-Agent. They also targeted other infrastructure, including the Batumi Oil Terminal and telecom operator Skytel, which, according to one report, was exposed to potential shutdown by attackers.

Despite being informed by Western counterparts of Russian interference, it remains unclear if the Georgian government took any significant action, according to European officials who spoke under anonymity. Russia’s espionage efforts have continued elsewhere in recent years, but officials withheld further details to avoid jeopardizing ongoing investigations.

Besides critical infrastructure, the Central Election Commission was hacked, and several major media organizations, including the popular TV channels Imedi and Maestro, were infiltrated. Meanwhile, at the Foreign Ministry, hackers linked to the FSB’s Turla group spied on emails from top officials, including Georgia’s ambassadors to the US and the EU.

Turla, known for sophisticated cyberattacks in numerous countries, operated from a facility in Ryazan, Russia, breaching Georgian networks and stealing vast amounts of data during a 2020 campaign.

Turla has a long history of targeting high-profile entities, including governmental and diplomatic organizations. Active since at least 2004, Turla has been behind cyber espionage operations across Europe, Central Asia, and the Middle East. Notable breaches attributed to the group include the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

In May 2024, the network of an unnamed European Ministry of Foreign Affairs (MFA) and its diplomatic missions abroad was found to be infected by previously undocumented backdoors dubbed ‘LunarMail’ and ‘LunarWeb’, attributed to Turla.
