Russian hackers posed as ISIS supporters in April, hacking into and taking control of France’s TV5Monde, its 11 television channels, and its online presence, the American cybersecurity firm FireEye told BuzzFeed.
Though the attack proclaimed itself the work of the “Cyber Caliphate,” a hacker group that defaces websites with messages that support the terrorist Islamic State, FireEye said the actual culprit was APT28, a Russian hacker group believed to have had Moscow’s backing throughout its seven years of cyberattacks. APT stands for Advanced Persistent Threat, a term reserved for the most potent, often government-backed threats in cyberspace.
FireEye’s investigation revealed that the infrastructure behind the TV5Monde hack has much in common with APT28’s own, BuzzFeed reported.
“In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain,” a 2014 report said. “Instead, APT28 focuses on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.”
“The ‘Cyber Caliphate website,’ where they posted the data on the TV5Monde hack, was hosted on an IP block which is the same IP block as other known APT28 infrastructure, and used the same server and registrar that APT28 used in the past,” Jen Weedon, manager of threat intelligence at FireEye, told BuzzFeed.
The attack knocked almost a dozen TV channels off the air for 18 hours and replaced TV5Monde’s online presence with an image much like those seen in the Islamic State’s other online work.
By April, the Cyber Caliphate had already made a name for itself by hacking and defacing U.S. Central Command’s social media accounts in January. American authorities described the attack as unsophisticated, but there’s no denying that it got people’s attention.
Months later, the TV5Monde attack seemed like a new plateau for the group of hackers.
French Interior Minister Bernard Cazeneuve characterized the hack as a terrorist attack and said French authorities were “absolutely determined to catch those who want to strike at the heart of our Republic.” One of the first orders of business, according to Cazeneuve, was to determine if the hackers really were affiliated with the Islamic State.