SAN FRANCISCO – Russian hackers posing as the ISIS "Cyber Caliphate" were likely behind the hack of France's TV5Monde television channel, according to cybersecurity experts who have examined the attack.
Hackers claiming affiliation with ISIS shut down transmissions on the TV5Monde network on April 8 and posted pro-ISIS propaganda on the station's Facebook and Twitter accounts during the attack.
But a Russian group known as AT28 may have used ISIS as a cover for hacking, the U.S.-based security firm FireEye told BuzzFeed News Tuesday, after observing similarities in the infrastructure used by the Russian group and the one involved in the TV5Monde attack.
"There are a number of data points here in common," said Jen Weedon, manager of threat intelligence at FireEye. "The 'Cyber Caliphate website,' where they posted the data on the TV5Monde hack, was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past."
Weedon and other cybersecurity experts have been following the APT28 group for some time. The group — also known as Pawn Storm, Tsar Team, Sednit, and Fancy Bear — has been hacking into computer networks for the past seven years using highly advanced and aggressive methods, according to an October 2014 report released by FireEye. The report argues that APT28 is sponsored by a government unit based in Moscow.
"Russia has a long history of using information operations to sow disinformation and discord, and to confuse the situation in a way that could benefit them," Weedon told BuzzFeed News. "In this case, it's possible that the ISIS cyber caliphate could be a distraction. This could be a touch run to see if they could pull off a coordinated attack on a media outlet that resulted in stopping broadcasts, and stopping news dissemination."
Weedon said that researchers at FireEye had eyes on APT28's infrastructure and had seen it target other journalists around the same time as the TV5Monde attack. France's L'Express newspaper published a story Tuesday citing judicial sources who said that investigators had turned their attention away from ISIS and toward a group of Russian hackers. The paper said it would reveal more details on the investigation Wednesday.
The April 8 attack on the TV5Monde managed to take down the internationally broadcast television network for a full 18 hours. French Prime Minister Manuel Valls called the attack an "unacceptable attack on freedom of information and of expression," while Yves Bigot, head of TV5Monde, described the attack as "unprecedented in the history of television."
The hackers posted images on TV5Monde's Facebook page purporting to be ID cards of French soldiers involved in anti-ISIS operations.
One message on the hacked Facebook page read: "Soldiers of France, stay away from the Islamic State! You have the chance to save your families, take advantage of it. The CyberCaliphate continues its cyberjihad against the enemies of Islamic State."
Just hours before the attack, ISIS had posted a video praising the "Cyber Caliphate" army and urging them to step up efforts to hack targets in the West. The page that hosted the video has since been deleted.
ISIS and its supporters across the world have repeatedly relied on social networks to spread their message and have taken responsibility for other cyber attacks. In January, the Cyber Caliphate took credit for an attack that took control of the U.S. Central Command's Twitter and YouTube accounts, @CENTCOM. While U.S. officials have said the attack was not sophisticated, it received wide praise from ISIS supporters online.
Russian hackers have used misinformation campaigns in the past and have worked to make it more difficult to identify the actor behind an attack. A recent New York Times expose on Russian hackers revealed that a shadowy organization known as the Internet Research Agency had carried out various hoaxes in the U.S., including an effort to spoof an ISIS attack against a chemical plant in Louisiana on the anniversary of 9/11.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.