French TV station apparently hacked by Russians, not ISIS sympathisers

News by Doug Drinkwater

Two leading security companies say that the April hack of French TV station TV5 Monde was likely the work of Russia's state-sponsored APT28 group, rather than ISIS supporters Cyber Caliphate.

As reported at the time, TV5 Monde was hacked in April in what remains one of the most poignant attacks in recent history. Hackers reportedly compromised the TV network, took charge of its Facebook accounts and even uploaded photos pertaining to be the personal IDs and CVs of the relatives of French soldiers participating in the campaign against ISIS.

The broadcast was down for three hours, and even then the TV returned with pre-recorded content. Social network control was also restored in what director general Yves Bigot later referred to as an “unprecedented” attack.

“The CyberCaliphate continues its cyber-jihad against the enemies of Islamic State,” read one of the hacker group's messages on the network's Facebook page at the time. “Soldiers of France, stay away from the Islamic State! You have the chance to save your families, take advantage of it.” These threats were reportedly displayed in French, Arabic and English.

Subsequent press coverage and security reports have honed in on Cyber Caliphate and the much-publicised up skilling of ISIS hackers, but now a different theme has emerged – that this was the work of Russian actors instead.

Both Trend Micro and FireEye told online sources that this was the work of the APT28 cyber-espionage group, also known as Operation Pawn Storm, which mainly focuses on government surveillance.

The group has mainly targeted Eastern governments over the years, but has also sought out and infected journalists, NATO, OSCE and a UK defence company. It uses various backdoor Trojans and local copying to exfiltrate data, while its tailored malware is said to have evolved rapidly in recent years.

Greg Day, CTO of FireEye EMEA, told today that attribution is difficult, and never an absolute certainly, but said that in this case the firm was able to tie the attack to APT 28 by three key factors; the IP address range (used before by APT28) and the server and domain registrar, which were also used by the group in the past.

“All of those findings indicate that this is tied to APT28,” said Day.

Quizzed on Eastern beliefs that APT28 is not a nation-state group, he continued that this doesn't add up with FireEye's view: “If you look at what APT28 do, and they have been around for more than a decade, they're very focused on the government and defence space.”

He added that they were keen on finding out what these organisations were doing, as well as paying particular attention to government supply chains. “That seems to me to be nation-state intelligence gathering.”

Pointing to Cyber Caliphate's recent compromise of CENTCOM, he said a trend was emerging of 'cyberops', psychological warfare to spread propaganda. And in TV5Monde's case, he say that this may have been hackers simply testing out their capabilities:

“I have to ask the question whether this is just more of a test case to see what they can get with social media, and what you can get from it in future,” added Day, who said that misdirection was a useful ploy if you could convince a breached company a group was there for hactivist reasons rather than stealing IP. FireEye has though not seen evidence of data theft or IP theft at this time.

Day was unsure if there would be any law enforcement action at this time, although France's L'Express newspaper published a story on Tuesday, citing judicial sources who said that investigators had turned their attention away from ISIS and towards a group of Russian hackers. The paper said it would reveal more details on Wednesday.

Rik Ferguson, VP of security research at Trend Micro, told SC that L'Express, which also found that remediation costs at TV5 Monde were already up to €7.5 million (£5.5 million), had gone to the security firms with indicators of compromise from French agency ANSSI.

“These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.

Ferguson said that we stand with three possibilities;

  • These were two unrelated incidents - a Pawn Storm infestation and a separate hactivist compromise
  • The Pawn Storm group gave attack relevant data to a third party, directly or indirectly to Islamic hactivists. Ferguson said this was unlikely as Pawn Storm has been targeting Islamic extremists in former Yugoslavia.
  • A false flag operation to lay blame at the door of Islamic extremists.

“My spider senses right now are tingling on option one. TV5 Monde, as media operation is a target entirely within the remit of the regular Pawn Storm operations and an infestation of Sednit malware there should perhaps not be a surprise at all," he told SC. "The fact that during the time of this Sednit compromise, they were also targeted by Islamic extremist hacktivists, given the contemporary news and political environment in France is perhaps also not surprising.

“Attribution online is always complex, sometimes though things can be entirely as they seem.”

Kevin Williams, general manager of TC-UK and formerly of the UK's National Crime Agency, told SC that there's only so much private companies can do when it comes to attribution.

He recently attended the PHDays conference in Moscow, Russia and said that Eastern parties are fed up of Western rhetoric. “They just think its western anti-virus companies, working with western governments, to put out propaganda against the Russian government.”

Other commentators, who wished to remain anonymous, were unconvinced by the language allegedly used in spear phishing attributed to APT28, as the language used was not how a native Russian speaker would craft a sentence. Whilst they accept Russian language speakers may be involved, they said the actor may be proxying
via Russian infrastructure.

“What industry can do is take it back so far, perhaps to the hosting company or proxy that connects to the C2. It is absolutely essential that law enforcement acts at that end point,” said Williams.

“Often that last hop is so difficult - it means you need to physically get hands on the box or server being used. That bit the industry can't do unless they have a relationship of the person who owns it.”

He said this needs government relations, a problem with some countries. “The problem in the UK is if there was an issue in Russia is that there's a strained government to government relationship. If you put out a letter of request looking for evidence you're probably not going to hear anything back. Often you have to rely on CERT to CERT relationships.”

Williams cited the FBI's involvement with the Sony Pictures Entertainment hack as a rare example where one law enforcement body has enough global coverage, and suggested that more international collaboration is needed.

“If you pick something simple, like a banking Trojan affecting Russian victims as well as those in the US and Europe, why shouldn't we collaborate on things like that?”

This news comes just a week after senior officials from FBI, Europol and the NCA talked about the difficulties of attributing cyber-attacks to individuals or groups.

Update: Gérôme Billois, senior manager at incident response firm Solucom, told SC today that other indicators of compromise (IOCs) point to Brazil (including an xe. file distributing a banking Trojan), and urged for further consideration on the group behind the attack.

He questioned why APT28, which usually acts quietly to target government entities, would publicly go after a French TV station. He dismissed ideas of the group being paid by the Islamic State, or using the attack to promote their capabilities to the French government. 

"The highest probability is that TV5Monde has been targeted by two different attacks at the same time.It happens a lot, we've witnessed it often with clients."

Meanwhile, it appears as though the French government suspects it is a Russian false flag operation.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews