France’s TV5Monde came “within hours” of being destroyed by hackers, according to the station’s boss.
TV5Monde was taken off air for hours in April 2015. The interruption might have lasted longer but for the intervention of a techie who pulled the plug on a compromised system that was spreading malware, Yves Bigot, the director-general of TV5Monde told the BBC.
All 12 of TV5Monde’s channels went off air at 20:40 on Wednesday, 8 April 2015. The first of the restored channels was only brought back at 05:25 the following morning by one of a team of technicians (fortuitously) on site at the time disaster struck.
"We were saved from total destruction by the fact we had launched the channel that day and the technicians were there," Bigot explained. A longer delay might have prompted satellite distribution channels to seek reparation from, or, worse, contract cancellations with TV5Monde, an existential threat for the TV station.
Hackers - who had penetrated the TV system network 10 weeks before launching an attack and only after careful reconnaissance - created custom software that hobbled encoder systems used to transmit programmes before striking in early April. The hackers broke into TV5’s network using multiple points of ingress, including supplier networks such as the remote controlled cameras used in TV5's studios.
Although the hack was ostensibly made by cyber-jihadists affiliated with IS, Russia (more specifically the APT 28 hacking crew) has since emerged as the prime suspect in the attack. Some security experts reckon the Russians were testing out a capability against a live target.
The attack cost the TV station €5m ($5.6m) and left it with an increased reoccurring bill of €3m ($3.4m) for improved security controls.
Luke Brown, VP and GM EMEA at Digital Guardian, said TV5's travails offered wider lessons about the importance of having a well considered disaster recovery plan. "The TV5 hack demonstrates how a well-thought-out incident response plan can limit the damage done by hackers," Brown said. "By identifying the corrupted machine causing the damage, one of the technicians was able to neutralise the attack at the source.
"Many businesses don’t realise that incident response is a process, not an isolated event. Plans should be developed and reviewed on an ongoing basis and include threat intelligence and cyber hunting exercises, which allow for more proactive incident response," he added.®