TVMonde Attack Linked to Russian Hackers, Not ISIS

The TV5Monde director-general has told the BBC that the attack that took the French station off air in April 2015 was actually carried out by Russian hackers, not Islamic State bad actors as suspected.

A pro-ISIS group calling itself the Cyber Caliphate first claimed responsibility for the crippling attack, which knocked 12 channels off the air and almost “destroyed” the station, according to Yves Bigot the director-general. Most nation-state attacks are designed for espionage—in this case, the aim was destruction.

"We were a couple of hours from having the whole station gone for good,” he told the BBC.

The attack used highly targeted malicious software that corrupted station systems, first penetrating the network on 23 January.

"We were saved from total destruction by the fact we had launched the channel that day and the technicians were there," said Bigot said. "One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the internet and it stopped the attack."

The attack was more sophisticated than what was reported at the time. The bad actors carried out reconnaissance for several months to get to know the broadcast architecture, then created bespoke malware to target it.  

Since the attacks took place just a few months since the Charlie Hebdo attacks, the Cyber Caliphate taking responsibility made sense. But French authorities warned Bigot that the true perpetrators were using jihadist posts to muddle attribution attempts. In reality, law enforcement was able to track the attacks back to the infamous APT 28 group, affiliated with Russia.

Why target a French TV station? "I have absolutely no idea," said Bigot. "Who gave the order and the money to that Russian group of hackers to actually do it?"

Though the channels came back on-air quickly, there were serious consequences for the station. For one, staff had to return to using fax machines, and couldn’t access email.

"We had to wait for months and months before we reconnected to the internet," Bigot said.

And, the cost of remediating the attack came in at a whopping $5.6 million.

Photo © SOMMAI

What’s Hot on Infosecurity Magazine?