TV5Monde attack proves hacking attribution is very difficult

Back in April, France’s TV5Monde TV network was knocked off air because of a hack attack, which also saw its website and Facebook page hijacked.

At the time, BBC News reported the attack as being perpetrated by “Islamic State hackers” – a reasonable supposition as the attackers called themselves “CyberCaliphate” and posted documents online purporting to be the ID cards and resumés of French soldiers involved in anti-ISIS operations.

But now, BBC News is reporting that “Russia-based hackers” may have been behind the attack.


In short, attribution of internet attacks is very difficult.

Apparently, the French media is linking the TV5Monde hack to IP addresses used by Russian hackers.

According to a report by L’Express, Trend Micro experts go one step further, suggesting that the hack has the hallmarks of the “Pawn Storm” hack which saw government, media and military agencies in the United States, Pakistan, and Europe targeted with spearphishing, watering hole attacks and malware-laced Word documents, blamed on hackers backed by the Russian government.

If it really was the Russian government who hacked TV5Monde, then you have to wonder why they would have posted pro-ISIS messages, and what they hoped to gain by publishing details of French soldiers online.


It hardly seems the kind of way that hackers keen on avoiding detection would be likely to behave.

In the French media report, it’s claimed that clues that the attack might have originated in Russia come through code being written using Cyrillic script, with programs compiled during business hours corresponding to St Petersburg and Moscow.

Because, of course, it’s impossible for a hacker who wishes to cover his tracks to change the time on his PC or use a different language pack.
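To make the compile-time clue concrete, here is an added illustration (not from the original article or the L’Express report): Python that reads the compile timestamp from a Windows PE header and lists every UTC offset at which a set of builds would count as "business hours". The header bytes, the three build times and the 09:00 to 18:00 weekday window are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

def make_header(ts: int) -> bytes:
    """Constructed minimal DOS + PE header holding only the fields read below."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew (at 0x3C) = 64
    coff = struct.pack("<HHI", 0x14C, 0, ts)           # Machine, NumberOfSections, TimeDateStamp
    return dos + b"PE\0\0" + coff

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp: seconds since the Unix epoch, as written by the linker."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts

def offsets_fitting(stamps, start=9, end=18):
    """UTC offsets (whole hours) at which every stamp is a weekday, start <= hour < end."""
    fits = []
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        local = [datetime.fromtimestamp(s, tz) for s in stamps]
        if all(t.weekday() < 5 and start <= t.hour < end for t in local):
            fits.append(off)
    return fits

def utc(*args) -> int:
    return int(datetime(*args, tzinfo=timezone.utc).timestamp())

# Constructed sample: three builds on weekdays in March 2015, times in UTC.
SAMPLE = [make_header(utc(2015, 3, 2, 7, 30)),
          make_header(utc(2015, 3, 3, 9, 10)),
          make_header(utc(2015, 3, 5, 12, 45))]

if __name__ == "__main__":
    stamps = [pe_timestamp(h) for h in SAMPLE]
    # Moscow is UTC+3, but it is only one of several offsets that fit.
    print("fits UTC offsets:", offsets_fitting(stamps))
    # The field is unauthenticated and follows the build machine's clock:
    # the same builds with the clock set 7 hours back point somewhere else.
    skewed = [s - 7 * 3600 for s in stamps]
    print("after clock change:", offsets_fitting(skewed))
```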

Was Russia behind the TV5Monde hack? Who knows. We probably will never have enough convincing data to confirm the attack was masterminded from Russia, let alone that it was backed by the Kremlin.

But one thing is for sure. It’s a lot less embarrassing for organisations to claim that they have been hacked by a sophisticated hacking gang – preferably one with shadowy links to a foreign government – than for them to have been compromised by a bunch of kids.

Especially if the organisation embarrassed itself in the aftermath of being hacked by exposing its passwords live on-air.

By the way, internet attacks against TV stations aren’t a new thing.



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
