ISIS Hacks TV Station in France, Or Did They?

On 8 April one of the largest hacks to date on televised communications took place against a french TV station, TV5MONDE. For 18 hours the station that broadcasts to 200 countries was knocked off air. At the same time its social media accounts, including YouTube, Facebook, and Twitter were all taken over.

The identity of the perpetrators was obvious. On TV5MONDE’s social media sites, the hackers posted pro-Islamic images and videos. The messages that accused Francois Hollande of getting into a war that served no purpose, and Facebook posts that claimed “That’s why the French received the gifts of Charlie Hebdo and Hyper Cacher in January,” left no doubt who was behind it.  Later, suspicions were confirmed when jihadists, loyal but separate from ISIS, the Cyber Caliphate, claimed responsibility.

The Old Bait and Switch

However, that might have been just a cover for the real hackers. Further investigation by French authorities produced leads in an entirely different direction.

FireEye; a prominent US based network security agency, as well as Trend Micro; another global security company, founded in Los Angeles and headquartered in Tokyo, was called upon by the French to delve into the origin of the attacks.

French authorities distributed samples of the malware to both companies, who both reached the same conclusion, Russia.

Specifically the two companies were able to independently identify a particular group known as ‘APT28’ or ‘Pawn Storm’.

The site that launched the attack was hosted on the same block of Internet Protocol addresses and used the same domain name server as a group that had previously tried to hack NATO countries and emails of the White House and US State Department. Other attacks on Russian dissidents and pro-Ukrainian activists also emanated from the same region.

Also, FireEye concluded, that the code used in the attack had been typed on a Cyrillic keyboard at times of day corresponding to working hours in St Petersburg or Moscow. FireEye first identified the group of highly skilled hackers in late 2014, and, “explicitly linked the group’s activities to Vladimir Putin’s government in Moscow.”

It’s important to note that Trend Micro approaches the blame a little more carefully, saying, “Perhaps the Pawn Storm group gave attack relevant data to a third party, directly or indirectly to Islamic hacktivists.” However it adds that this scenario is “highly unlikely.”

Mother Russia aka Mother Troll

Over the past several months it has been reported that Russia has essentially industrialized trolling. This story, entitled The Agency, from the New York Times is a very interesting read.

“We suspect that this activity aligns with Russia’s institutionalized systematic `trolling’ -devoting substantive resources to fulltime staff who plant comments and content online that is often disruptive, and always favorable to President Putin”


The attacks that have been coming out of Russia have been very sophisticated and time-consuming indeed. On 11 September of 2014 hackers out of Russia staged a complex ‘terror’ attack. It sent phony messages via text to residents of St. Mary Parish, Louisiana claiming a “Toxic fume Hazard.” The parish has plenty of chemical plants and the parish had used texts before to issue alerts.

But the plan did not stop there. They also used hundreds of twitter accounts to start hashtags and claim that a disaster was unfolding. Even phony videos were used: a surveillance camera caught the flash of an explosion, and another video showed the ensuing thick black smoke.

There was also a doctored image of CNN’s homepage covering the attack. Yet another video on YouTube showed a man turning his camera to an Arabic news channel where ISIS was claiming responsibility for the attack.

All Fake.

Et Tu Russia?

We all know Russia has a… less than clean track record (see: Ukrainian invasion, anti-gay laws, and suppression of free speech). But why would Russia do this?

Well, Russia had a rough year in 2014. The fall of oil prices led by OPEC’s decision in November to not cut back production to prop up prices led to a loss of confidence in Russia’s oil dependent economy. This led investors to sell off their Russian assets. And earlier that year Russia’s foray into Crimea, then later the eastern part of Ukraine, led western powers to impose sanctions on Russia. These two major factors led to the collapse of the ruble and the current economic crisis that Russia is facing.

Russia’s invasion into Ukraine and subsequent sanctions also led France’s President, Francois Hollande, to halt delivery of two helicopter carriers previously scheduled.

Richard Turner from FireEye, while talking to IBTimes UK suggested, “Maybe it was to test out a capability to see if they could take a broadcaster off air, maybe it was to try and create something in the news to move the news agenda on.”

Turner went on to say that attacks like this “were the new normal” and that groups which have the capabilities to disrupt businesses in this way are absolutely likely to use their infrastructure for political or financial gain.

Don't Forget to Share this Post