Russia Pegged for ‘Cyber Caliphate’ Attack on TV5Monde

The targeted cyber-attack on French TV company TV5Monde in April may have been the work of state-backed Russian hackers and not a pro-ISIS group, as originally thought. The hack forced several channels off the air.

French magazine L’Express yesterday claimed that local investigators have linked the attacks to a group thought to operate with the Kremlin’s blessing, dubbed APT28, ‘Sednit’ and ‘Pawn Storm’.

Experts at Trend Micro and FireEye have corroborated the findings.

Specifically, the investigators claimed the computer code used in the attack was typed in Cyrillic during business hours in St Petersburg and Moscow.

The group is also said to have used the same chess-like attack tactic which led it to be christened ‘Pawn Storm’ by Trend Micro.

For its part, FireEye today confirmed that it has observed “known APT28 infrastructure” used to compromise information apparently related to the French TV station.

Crucially, the Cyber Caliphate group’s website, which first published details of the hack back in April, used the same server and registrar APT28 has been known to use in the past, and was hosted on the same IP block as other infrastructure belonging to the group.

FireEye EMEA president Richard Turner told Infosecurity that the invention of the ‘Cyber Caliphate’ could be a “distraction tactic.”

“This could be a touch run to see if they could pull off a coordinated attack on a media outlet that resulted in stopping broadcast and news dissemination,” he added. “We have been watching APT28’s infrastructure very closely and have seen them target other journalists around the same time as the TV5Monde attack.”

APT28, or Pawn Storm, has been pegged in the past for attacks on European defense, government and media organizations. The group used SEDNIT malware to steal sensitive information from victim machines.

First discovered in October 2014, the group has even been accused of indirectly targeting the White House in an island-hopping attack, focusing its efforts on two bloggers days after they had interviewed President Obama.

“The APT28 group has been hacking into computer networks for the past seven years using highly advanced and aggressive methods,” Turner added.

“What we already suspect is that the group is sponsored by the Kremlin. We now also believe that ISIS was a decoy and APT28 was actually responsible for the attack on TV5Monde. Russia has a long history of using information operations to sow disinformation and discord, and to confuse the situation in a way that could benefit it.”