Russian group that hacked DNC also nearly destroyed French TV channel, report says

By TIM JOHNSON | McClatchy Washington Bureau (Tribune News Service) | Published: October 11, 2016

WASHINGTON — Russian state hackers pretending to be Islamic jihadists sought to take down a French television channel last year, a news report said Monday, the latest sign that Moscow may be willing to conduct cyber sabotage as part of its tussle with the West.

A BBC report said Russian hackers sought not only to cripple but also to destroy the TV5Monde channel in a cyberattack in April 2015.

The attack succeeded in taking part of the channel off the air for at least three hours, and TV5Monde Director General Yves Bigot said the goal of the attack was bigger.

“We were a couple of hours from having the whole station gone for good,” Bigot told the BBC, saying the damage came to more than $5.5 million.

The report raises increasingly urgent questions about escalating Russian cyberattacks designed to inflict political or economic damage on Western powers.

The U.S. government accused Russia last Friday of launching cyberattacks on American political parties and institutions to interfere with the Nov. 8 elections. While the U.S. government had blamed China, Iran and North Korea in previous cyberattacks, the charge against Russia marked the first time Washington had said an attack meddled directly with governance.

“We see what seem to be disruptive attacks, where they don’t seem to care if they are detected or they want to be detected,” said Adam Segal, an expert on emerging technologies at the Council on Foreign Relations, a research center.

One cybersecurity researcher suggested that Russia may be pleased to have the veil ripped off some of its secret cyber activities.

“Moscow probably responded to the statement in a positive sense. This shows that Russia is a capable state,” said Laura Galante, an expert on Russian cyber capabilities and director of intelligence at FireEye, a Milpitas, California, company that is one of the fastest-growing U.S. cybersecurity firms.

The group that cyber forensic specialists say is behind the TV5Monde attack has been dubbed APT28, or Fancy Bear, a Russian hacking group that has targeted European security organizations, media and specific journalists. A different and more sophisticated hacking group, called APT29, or Cozy Bear, has its origins in another branch of Russian intelligence, they say.

Fancy Bear is believed to have hacked into the Democratic National Committee computers earlier this year.

Bigot told the BBC that the hacking team had first penetrated his network’s computers on Jan. 23, 2015, then created tailored malicious software to destroy specific encoder systems and hardware deployed by the network.

Custom-designed software able to destroy physical systems is the hallmark of cyber teams sponsored by nations such as the United States, Israel, Russia and China.

The attackers defaced the TV5Monde website and placed an image of a disguised jihadist with a black-and-white checked keffiyah and the words “Cyber Caliphate,” a group set up by the Islamic State.

“We saw this as the first foray into an active false flag operation,” Galante said, using the espionage term for one side in a conflict disguising itself as a different party. “This was not long after the Charlie Hebdo shooting in Paris, and it served as a laboratory.”

Galante, who previously held posts in the State and Defense departments, said Russian President Vladimir Putin sought to regain glory for a powerful Russia and that the state-backed hacking teams sought to cause political damage and rifts between Western countries that might stymie Russian interests.

A cyber forensics expert based in Berlin, Kimberly Zenz, said there was confirmed Russian presence on the French network’s system.

“APT28 software (a version of Sofacy/Pawn Storm) does appear to have definitely been active on TV5Monde networks,” she said in an email, noting that the attribution to Russian hackers is not yet ironclad.

She noted that news of the hack was far more sedate when it occurred.

“Now, a year later, when the political situation has changed, it is covered again with a different tone and level of concern. In hindsight the TV5Monde could be viewed as an early escalation in the Western information space and therefore worthy of revisiting with greater alarm, but the facts of the actual attack remain the same,” Zenz said.


Russia views cyber conflict in a different light from the West, she said, seeing a realm of information warfare “that encompasses online attacks, online attacks with a kinetic-real life result, communications and, most relevant here, efforts to control and create narratives.”

Pressure will build to establish global rules as economic and political sabotage in the digital realm increases in magnitude, Segal said.

“It is unclear if an attack causes widespread economic disruption how a state will respond,” said Segal, author of “The Hacked World Order,” a book released earlier this year. “You want to have states have some sense of where the red lines are.”


©2016 McClatchy Washington Bureau

Visit the McClatchy Washington Bureau at www.mcclatchydc.com

Distributed by Tribune Content Agency, LLC.

from around the web