French TV station apparently hacked by Russians, not ISIS sympathisers
French TV station apparently hacked by Russians, not ISIS sympathisers

As reported at the time, TV5 Monde was hacked in April in what remains one of the most poignant attacks in recent history. Hackers reportedly compromised the TV network, took charge of its Facebook accounts and even uploaded photos pertaining to be the personal IDs and CVs of the relatives of French soldiers participating in the campaign against ISIS.

The broadcast was down for three hours, and even then the TV returned with pre-recorded content. Social network control was also restored in what director general Yves Bigot later referred to as an “unprecedented” attack.

“The CyberCaliphate continues its cyber-jihad against the enemies of Islamic State,” read one of the hacker group's messages on the network's Facebook page at the time. “Soldiers of France, stay away from the Islamic State! You have the chance to save your families, take advantage of it.” These threats were reportedly displayed in French, Arabic and English.

Subsequent press coverage and security reports have honed in on Cyber Caliphate and the much-publicised up skilling of ISIS hackers, but now a different theme has emerged – that this was the work of Russian actors instead.

Both Trend Micro and FireEye told online sources that this was the work of the APT28 cyber-espionage group, also known as Operation Pawn Storm, which mainly focuses on government surveillance.

The group has mainly targeted Eastern governments over the years, but has also sought out and infected journalists, NATO, OSCE and a UK defence company. It uses various backdoor Trojans and local copying to exfiltrate data, while its tailored malware is said to have evolved rapidly in recent years.

Greg Day, CTO of FireEye EMEA, told today that attribution is difficult, and never an absolute certainly, but said that in this case the firm was able to tie the attack to APT 28 by three key factors; the IP address range (used before by APT28) and the server and domain registrar, which were also used by the group in the past.

“All of those findings indicate that this is tied to APT28,” said Day.

Quizzed on Eastern beliefs that APT28 is not a nation-state group, he continued that this doesn't add up with FireEye's view: “If you look at what APT28 do, and they have been around for more than a decade, they're very focused on the government and defence space.”

He added that they were keen on finding out what these organisations were doing, as well as paying particular attention to government supply chains. “That seems to me to be nation-state intelligence gathering.”

Pointing to Cyber Caliphate's recent compromise of CENTCOM, he said a trend was emerging of 'cyberops', psychological warfare to spread propaganda. And in TV5Monde's case, he say that this may have been hackers simply testing out their capabilities:

“I have to ask the question whether this is just more of a test case to see what they can get with social media, and what you can get from it in future,” added Day, who said that misdirection was a useful ploy if you could convince a breached company a group was there for hactivist reasons rather than stealing IP. FireEye has though not seen evidence of data theft or IP theft at this time.

Day was unsure if there would be any law enforcement action at this time, although France's L'Express newspaper published a story on Tuesday, citing judicial sources who said that investigators had turned their attention away from ISIS and towards a group of Russian hackers. The paper said it would reveal more details on Wednesday.

Rik Ferguson, VP of security research at Trend Micro, told SC that L'Express, which also found that remediation costs at TV5 Monde were already up to €7.5 million (£5.5 million), had gone to the security firms with indicators of compromise from French agency ANSSI.