Russians may have posed as ISIS in a high-profile hack against a French TV channel, according to French investigators and security firms.
France's TV5Monde TV network was knocked off air for around 18 hours in April in the aftermath of a hack attack that also resulted in the hijack of its website and Facebook page.
The attackers, identifying themselves as "CyberCaliphate", also leaked documents purporting to be ID cards of French soldiers involved in anti-ISIS operations. In the days after the attack, everyone blamed the hack on a relatively sophisticated attack by hackers ideologically aligned to ISIS.
However, French investigators announced this week that they believe the TV5 Monde attack was carried out by Russia-based hackers. Sources close to the investigation and TV5 Monde’s president told France 24 that the finger of blame for the megahack pointed towards Russia, confirming a report by French magazine L’Express, which broke the story about new leads in the investigation.
Computer malware and scripts that featured in the attack were typed out on a Cyrillic keyboard and compiled during office hours in Moscow and St. Petersburg. Furthermore, the threats against the families of French soldiers serving overseas and other jihadist propaganda contained in the message were full of grammatical mistakes. These, among other evidence, have led police investigators to suspect Russian – and more specifically Kremlin – involvement, the BBC reports.
This conclusion is supported by findings from security vendors FireEye and Trend Micro.
FireEye has evidence to suggest that the attack on TV5Monde could have been perpetrated by APT28, a Russia-based APT group it suspects works for the Kremlin. In particular, the Cyber Caliphate website which published leaked information was hosted on the same IP block as other APT28 infrastructure, and used the same name server and registrar that FireEye has seen APT28 use in the past.
"We suspect that this activity aligns with Russia’s institutionalized systematic “trolling” – devoting substantive resources to full-time staff who plant comments and content online that is often disruptive, and always favourable to President Putin," FireEye concludes.
But what possible motive would Putin's crack cyber-squad have for hacking into a French TV network and spewing jihadist propaganda? France and Russia are at loggerheads over the Ukraine but both are equally opposed to the rise of ISIS.
Greg Day, VP & CTO EMEA at FireEye, told El Reg that it might be that Russian hackers were testing what type of damage they might be able to inflict on a media outlet (beyond running a standard DDoS attack) against a real target. If this theory is right, then the Cyber Caliphate-theme was there purely to provide plausible deniability.
Richard Turner, FireEye president EMEA, added in a statement that the "APT28 group has been hacking into computer networks for the past seven years using highly advanced and aggressive methods."
"What we already suspect is that the group is sponsored by the Kremlin," Turner said. "We now also believe that ISIS was a decoy and APT28 was actually responsible for the attack on TV5Monde. Russia has a long history of using information operations to sow disinformation and discord, and to confuse the situation in a way that could benefit them."
"The ISIS cyber caliphate could be a distraction tactic. This could be a touch run to see if they could pull off a coordinated attack on a media outlet that resulted in stopping broadcast and news dissemination. We have been watching APT28’s infrastructure very closely and have seen them target other journalists around the same time as the TV5Monde attack," he added.
Unlike China-based threat actors, APT28 does not appear to conduct widespread intellectual property theft for economic gain, but is instead focused on collecting intelligence (on insider information related to governments, militaries, and security organisations) that would be most useful to a government.
The same Russian group has previously targeted computer systems run by the Georgian government, Western military targets and their supply chain as well as journalists, among others.
Trend Micro told L'Express that the TV5Monde attack has the same hallmarks as the so-called "Pawn Storm" hack against government, media and military agencies in the United States, Pakistan, and Europe.
"Pawn Storm" featured spearphishing, watering hole attacks and malware-laced Word documents. Trend blames the whole run of attacks on hackers backed by the Russian government. Pawn Storm has previously targeted Chechen separatists and Islamic extremists in former Yugoslavia, making co-operation between it and Islamic hacktivists in turning over TV5Monde rather unlikely.
Rik Ferguson, VP of research at Trend Micro, is more circumspect than FireEye in blaming the whole TV5Monde hack on Kremlin agents. The security firm is able to link malware used in the attack back to Pawn Storm (AKA APT28, the Russian) but the source of the subsequent leak of sensitive data remains unclear, Ferguson explains in a blog post.
L’Express approached Trend Micro with certain indicators of compromise which had been shared with them by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack.
These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.
Attribution in online crime is complex, more so when there may be nation-state involvement.
Ferguson concludes that the most likely scenario is that we are looking at the results of two entirely unrelated incidents, a Pawn Storm infestation and a separate hacktivist compromise.
In January, the Cyber Caliphate took credit for an attack that took control of the U.S. Central Command’s Twitter and YouTube accounts. FireEye hasn't looked into this specific attack but the new attribution for the French TV5Monde attack raises the serious possibility that this, too, might be a Russian psyops exercise. ®