Islamic hackers exploit CMS flaws on 'thousands' of French websites

News by Doug Drinkwater

Tens of thousands of French websites have been hacked in the aftermath of last week's Charlie Hebdo terrorist attack, which left 20 people dead.

In an interview with Reuters on Thursday, Admiral Arnaud Coustilliere, head of cyber-defence for the French military, said that 19,000 French websites had faced cyber-attacks since the 7 January attack against members of the satirical magazine, while earlier today Sky News reported that the websites Le Figaro, Le Parisien, France Info and L'Express were temporarily offline.

On the latter, Oxalide, the web hosting provider for websites Liberation, L'Express, 20 Minutes, France Inter, Mediapart and Marianne, tweeted that an attack was “taking place against our infrastructure” and that it was “affecting the heart of our infrastructure”.

Attribution with cyber-attacks remains notoriously difficult with internet traffic often re-routed via numerous jurisdictions, but Coustilliere believes that some of these attacks may have been carried out by well-known and “structured...Islamist hackers" in retaliation to the magazine and to the demonstrations against terrorism, which saw 3.7 million people take to the streets across the country on Sunday.

“What's new, what's important, is that this is 19,000 sites - that's never been seen before,” Coustilliere told the news wire. A number of site visitors reportedly saw the message: “The Islamic State Stay Inshallah (God willing). Free Palestine. Death To France. Death To Charlie.”

Separately, Gérôme Billois, senior manager of Solucom, whose CERT team has worked with some of the affected websites, has said that the hacking groups responsible for the attacks are coming from Tunisia, Syria, Morocco, the Middle East and Africa.

There has, however, been some confusion on the method of attack. Arbor Networks said that it had tracked 1,070 DOS attacks in a 24-hour period during the last week, but Martin McKeay, senior security advocate at Akamai Technologies, was less convinced, telling SC that the figure of 19,000 attacks could well be ‘bogus', counting ‘every ping or port knock' (a stealth method to externally open ports).

Billois confirmed that thousands of websites had been hacked, albeit mainly by exploiting vulnerabilities in the WordPress, Joomla, Drupal and SPIP content management systems, rather than via DDoS, which he says “didn't work”.

The researcher adds that the first of the “cyber-vandalism” started shortly after the Charlie Hebdo shootings, when Anonymous and other Hebdo supporters – operating under the ‘OpCharlieHebdo' hashtag on Twitter – had sought to block and report Twitter accounts of suspected ISIS sympathisers, and even hack Islamic State recruitment websites.

However, around ten different cyber-jihadist groups from Tunisia, Syria, Morocco and the Middle East responded quickly, infecting thousands of websites after scanning these for web vulnerabilities. Some websites were exposed by WordPress vulnerabilities detailed back in October, while others were found to be running two-year-old versions of the software.

There was no rhyme or reason to these attacks, says Billois, with hackers mainly looking for any websites that were vulnerable. One of the groups, Middle East Cyber Army (MECA), is believed to be Syria-based, while another is in Mauritania.

Billois said of the attackers' capabilities: “So far, they don't have a lot of technology capabilities but their skill level is increasing day-by-day,” adding that many of these were moving on to developing spear-phishing campaigns and advanced malware.

“We've not seen any attacks against the critical infrastructure but there's a group where you can hire hackers, so we're at the point where if they wanted to start, they could.”

“In France, the risk [from cyber-attacks] is being taken very seriously and it's why we saw the new legislation last year.

“This was a very good wake-up call, especially for the sites that have been hacked, to put more attention on cyber-security. We all know that the cyber-threat is not going to decrease in the coming years.”

Fran Howarth, security analyst at Bloor Research, told SC that the internet is increasingly the communication layer for everything from terrorism to protests – and urged some distinction between the two in this example.

“There seems to be two things here. The French website attacks seem to be extremely unsophisticated, in many cases only loosely affiliated with any known group. Many of those claiming to be involved state that they are angry at the cartoons and their continued appearance. Many are distancing themselves from any form of terrorism, just saying it is a protest,” she said via email. 

“Cyber is an increasing part of everything. It is being used in everything from protests, to terrorism, to nation-state acts. Any war in the future is bound to have at least a cyber element - as seen in the number of governments developing their capabilities.”

In related news, cyber-criminals have been quick to exploit the attack, by sending malware to unsuspecting individuals on social media using the #JeSuisCharlie hashtag. Blue Coat security researcher Snorre Fagerland says the malware in question is DarkComet RAT (aka Fynloski).
