TV5Monde in chaos as data breach costs roll into the millions

French broadcaster TV5Monde is still without Internet and other key IT functions three months after a nation-state hacker took control of its TV channels and hijacked social media accounts. Meanwhile, the data breach costs are mounting up.


TV5Monde was very visibly hacked back in April when the French news channel, which broadcasts ten channels in over 200 countries, was downed by hackers who also gained control of its social media channels.

After the blackout, the station managed to resume broadcast service some hours later (in the early hours of 9 April), and also regained control of its Facebook and Twitter pages, which had been used by hackers to publish personal information of French soldiers serving in Syria. Being able to put out a live broadcast feed came some weeks later.

At the time, the hack was believed to be the work of Islamic State sympathisers, although later reports from Trend Micro and others suggest this was a ‘false flag’ operation, conducted by the APT28/Pawn Storm group, which is believed to be closely associated with the Russian government.

The attack has been traced back to January 2015 when phishing emails were sent to TV5 Monde journalists. Leaked documents suggest German secret services knew about the attack two months before discovery, while experts, speaking anonymously to SCMagazineUK.com recently, suggested GCHQ knew about it too.

The broadcaster's CEO has now told SC that IT services won't fully resume until October, some six months after the attack. What's more, the hack is costing the TV station millions of Euros.

Yves Bigot, CEO at TV France, was quoted recently in French magazine France.Info as saying that the broadcaster was without Internet and Skype, likening the situation to him and his colleagues being castaways in the TV series ‘Lost’. He said the attack costs varied between €4.3 million and €5 million, with €9.9 million due to be spent over the next three years.

SC sought out Bigot over the weekend to clarify the situation, and his responses make stark reading for anyone looking into how damaging nation-state attacks can be.

“Following the 8 April attack, we are not allowed to reconnect our services to the Internet network until we have rebuilt a safer system under ANSSI's [the French agency – Ed] orders,” he told SC.

“To do so would allow hackers to take our 12 TV channels down once again. We will not allow that. But, in doing so, we will have to wait until the job is done - we're talking September to October to regain access to most tools, like Wi-Fi, Skype, using USB, etc.”

“Emails are working, but are very slow if you enclose any documents because we use a disconnected line… Full services are expected to be up and running by October. That will make six months from April 8th.”

The attack, he said, would cost into the millions.

“The attack will cost TV5Monde about €4.5 million in 2015, plus lost commercial revenues which are as yet not fully known. And the new system will cost us about €2.5 million more each following year.”

The nature of the new infrastructure was naturally a “very sensitive subject”, said Bigot, adding only that it would build “a much more sophisticated system which will include an all-round watch to ensure any attack will be known and dealt with in due time.”

“One thing is certain so far: the attacker was bound to destroy all of our systems. We were lucky that our technical team was present at the time of the attack and had the good idea to stop the attack midway by disconnecting the internet network from our systems. This is why it's so important not to reconnect too early now.”

Attribution, however, remains tricky and a question that continues to befuddle law enforcement.

Bigot said that ANSSI and other French police units are still working on the case but feel “very strongly” that the attack originated from the APT28/Pawn Storm group, even if the group was commissioned to carry out the attack by a third party. Bigot admitted that the attack could also have been carried out by Russian secret services, or others using APT28 as mercenaries. He also noted the possibility of ISIS (via CyberCaliphate) or Syria.

ANSSI, he says, has been working around the clock on rebuilding the system, with a full report to be released on 28 July. The company meanwhile is involved in talks with the French governments and others for additional funding on the matter.

Gérôme Billois, senior manager of incident response outfit Solucom, says that the cost is “something that is in line with what we see with other cases”, adding that €4 million to €5 million is “not so surprising” for a company of TV5 Monde's size. He noted cases where, in the event of an APT attack, the breached firm could spend up to €30 million, whilst adding that some banks and industrial control systems were spending €60 million to €80 million on cyber-security over the next three years.

“So for TV5, it's a huge amount, because they don't have that sort of budget usually, but it makes sense.”

Billois said that incident responders would usually seek to isolate the most critical business operations, understand the attack and the malware, before doing the clean-up and rebuild of systems. “This may take three to four months…and in this time frame, we should start again to have some connectivity.”

He added that Sony Pictures Entertainment took eight weeks to have email, with finance systems so damaged that financial results had to be postponed. 

Billois said that, with some communication channels being more secure than others, TV5Monde was naturally being "conservative" in bringing systems online again, adding that the company was now in a "protective posture."

Nonetheless, he says that cyber-security should now be top of the agenda at the firm: “It's a shame that it was the objective of the attacker, but if you pick one good thing it is that board members at many large companies now better understand what happens when hackers come knocking at their door.”

Billois added that Russia was still suspected of the attack, but admitted there was “no silver bullet proof.” He said he'd be surprised if it was APT28, considering their previous activities, but expects the TV5 Monde aftermath to continue for years through judicial and parliamentary channels.