An attack carried out in April on French television network TV5Monde appearing to be by Islamic State hackers may have actually been by hackers in Russia, a security firm has claimed.
Back in April the channel was taken off air and its Facebook page and website hijacked by hackers calling themselves the 'CyberCaliphate', who posted documents online purporting to be the ID cards of French soldiers involved in anti-ISIS operations.
A message posted on TV5Monde's Facebook page said 'The CyberCaliphate continues its cyberjihad against the enemies of Islamic State,' assumed to be in reference to the fact that France is part of the US-led air strikes against IS in Iraq and Syria.
But security firm FireEye says it has evidence that the attack could have been perpetrated by APT28, a Russia-based APT group that FireEye suspects works for the Kremlin.
The security firm believes that this activity aligns with Russia's institutionalised, systematic 'trolling' – devoting substantive resources to full-time staff who plant comments and content online that is often disruptive, and always favourable to President Putin.
Russian trolls have even conducted ISIS-related hoaxes before: a recent New York Times exposé uncovered a shadowy organisation known as the Internet Research Agency that reportedly perpetrated numerous malicious hoaxes in the U.S., including a sophisticated effort to spoof an ISIS attack against a chemical plant on the anniversary of 9/11.
Back in April, when the 'Cyber Caliphate' group conducted the attack on TV5Monde, it published information about the hack and its ideology on one of the Cyber Caliphate's websites.
It turns out the Cyber Caliphate website which published the information was hosted on the same IP block as other APT28 infrastructure, and used the same name server and registrar that FireEye has seen APT28 use in the past.
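The overlap described above (shared IP block, name server and registrar) is the kind of infrastructure pivot analysts use to cluster a new domain with previously catalogued activity. The following is an added example, not FireEye's tooling or any data from the article: it takes a candidate record and a set of known records, both constructed here with placeholder values from documentation address ranges, and reports which attributes each known record shares with the candidate so an analyst can see how strong the overlap is.

```python
# Added example: scoring infrastructure overlap between a newly observed
# domain and a set of previously catalogued records. All records below are
# constructed placeholders (documentation IP ranges, .invalid hostnames).
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class InfraRecord:
    domain: str
    ip: str
    name_server: str
    registrar: str


def same_block(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True if both addresses fall inside the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def infrastructure_overlap(candidate: InfraRecord, known: list[InfraRecord],
                           prefix: int = 24) -> dict[str, tuple[str, ...]]:
    """Map each known domain to the attributes it shares with the candidate.

    Only domains with at least one shared attribute are returned, so an
    empty dict means no overlap was found.
    """
    overlaps: dict[str, tuple[str, ...]] = {}
    for rec in known:
        shared = []
        if same_block(candidate.ip, rec.ip, prefix):
            shared.append("ip_block")
        if candidate.name_server.lower() == rec.name_server.lower():
            shared.append("name_server")
        if candidate.registrar.lower() == rec.registrar.lower():
            shared.append("registrar")
        if shared:
            overlaps[rec.domain] = tuple(shared)
    return overlaps


def strong_matches(overlaps: dict[str, tuple[str, ...]], minimum: int = 2) -> list[str]:
    """Domains sharing at least `minimum` attributes; a single shared
    registrar is weak evidence, several shared attributes are stronger."""
    return sorted(d for d, attrs in overlaps.items() if len(attrs) >= minimum)


# Constructed sample data (placeholders, not real indicators).
KNOWN = [
    InfraRecord("known-a.invalid", "192.0.2.17", "ns1.dns-host.invalid", "Example Registrar"),
    InfraRecord("known-b.invalid", "198.51.100.5", "ns9.other-dns.invalid", "Example Registrar"),
    InfraRecord("known-c.invalid", "203.0.113.9", "ns2.unrelated.invalid", "Another Registrar"),
]
CANDIDATE = InfraRecord("new-site.invalid", "192.0.2.40", "NS1.dns-host.invalid", "example registrar")

if __name__ == "__main__":
    result = infrastructure_overlap(CANDIDATE, KNOWN)
    for domain, attrs in result.items():
        print(f"{domain}: shares {', '.join(attrs)}")
    print("strong matches:", strong_matches(result))
```

Attribute matching is case-insensitive and the IP comparison uses a configurable prefix because hosting providers allocate blocks of differing sizes; a shared /24 is suggestive, while a shared registrar alone is common enough to be weak evidence on its own.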
At the end of last year FireEye released a report on APT28 and found that, unlike the China-based threat actors it has tracked, APT28 does not appear to conduct widespread intellectual property theft for economic gain, but instead focuses on collecting intelligence that would be most useful to a government.
Specifically, FireEye found that since at least 2007, APT28 has been targeting insider information related to governments, militaries, and security organisations that would likely benefit the Russian government.
'The APT28 group has been hacking into computer networks for the past seven years using highly advanced and aggressive methods,' said Richard Turner, FireEye's EMEA President. 'What we already suspect is that the group is sponsored by the Kremlin. We now also believe that ISIS was a decoy and APT28 was actually responsible for the attack on TV5Monde. Russia has a long history of using information operations to sow disinformation and discord, and to confuse the situation in a way that could benefit them.'
Turner referred to the ISIS 'Cyber Caliphate' as a 'distraction tactic'.
'This could be a touch run to see if they could pull off a coordinated attack on a media outlet that resulted in stopping broadcast and news dissemination,' he continued. 'We have been watching APT28's infrastructure very closely and have seen them target other journalists around the same time as the TV5Monde attack.'
According to a report by French newspaper L'Express, experts from security firm Trend Micro go one step further, suggesting the hack could be part of the 'Pawn Storm' malware campaign, which was supposedly backed by the Russian government.
But as security blogger Graham Cluley argues, all of this might not be enough evidence to conclusively link the attack to Russia, let alone the Kremlin.
'Was Russia behind the TV5Monde hack? Who knows,' writes Cluley. 'We probably will never have enough convincing data to confirm the attack was masterminded from Russia, let alone that it was backed by the Kremlin.'
'But one thing is for sure. It's a lot less embarrassing for organisations to claim that they have been hacked by a sophisticated hacking gang – preferably one with shadowy links to a foreign government – than for them to have been compromised by a bunch of kids. Especially if the organisation embarrassed itself in the aftermath of being hacked by exposing its passwords live on-air.'