TV5Monde attack proves hacking attribution is very difficult

Back in April, France’s TV5Monde TV network was knocked off air because of a hack attack, which also saw its website and Facebook page hijacked.

At the time, BBC News reported the attack as being perpetrated by “Islamic State hackers” – a reasonable supposition as the attackers called themselves “CyberCaliphate” and posted documents online purporting to be the ID cards and resumés of French soldiers involved in anti-ISIS operations.

But now, BBC News is reporting that “Russia-based hackers” may have been behind the attack.

Animated GIF of BBC news report

Sign up to our free newsletter.
Security news, advice, and tips.

In short, attribution of internet attacks is very difficult.

Apparently, the French media is linking the TV5Monde hack to IP addresses used by Russian hackers.

MoscowAccording to a report by L’Express, Trend Micro experts go one step further, suggesting that the hack has the hallmarks of the “Pawn Storm” hack which saw government, media and military agencies in the United States, Pakistan, and Europe targeted with spearphishing, watering hole attacks and malware-laced Word documents, blamed on hackers backed by the Russian government.

If it really was the Russian government who hacked TV5Monde, then you have to wonder why they would have posted pro-ISIS messages, and what they hoped to gain by publishing details of French soldiers online.

TV5Monde social media

It hardly seems the kind of way that hackers keen on avoiding detection would be likely to behave.

In the French media report, it’s claimed that clues that the attack might have originated in Russia come through code being written using Cyrillic script, with programs compiled during business hours corresponding to St Petersburg and Moscow.

Because, of course, it’s impossible for a hacker who wishes to cover his tracks to change the time on his PC or use a different language pack.

Was Russia behind the TV5Monde hack? Who knows. We probably will never have enough convincing data to confirm the attack was masterminded from Russia, let alone that it was backed by the Kremlin.

But one thing is for sure. It’s a lot less embarrassing for organisations to claim that they have been hacked by a sophisticated hacking gang – preferably one with shadowy links to a foreign government – than for them to have been compromised by a bunch of kids.

Especially if the organisation embarrassed itself in the aftermath of being hacked by exposing its passwords live on-air.

By the way, internet attacks against TV stations aren’t a new thing.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.