Why Kremlin-backed Russian hackers blamed Isis for cyberattack on TV5 Monde

At 10pm on 8 April 2015 the millions of viewers watching the 11 channels operated by French TV station TV5 Monde saw their screens go blank as hackers disrupted broadcast for three hours. They also brought the station's internal systems to its knees and took control of the social media accounts and websites associated with the station.

The hackers posted pro-Islamic State (Isis) material on the websites and social media accounts, leading everyone to inevitably pin the blame on the Islamic extremist organisation.

The hack was specifically blamed on the Cyber Caliphate, a mysterious group of hackers which has links to Isis, with the group even publishing details of the attack on one of its websites along with the reasons for the attack.

The problem is that this was not the work of the IS hacking wing but was in fact the work of a group of highly-skilled Russian hackers with deep links to the Kremlin.

Pawn Storm

APT28 is a group of highly-skilled hackers that was uncovered at the end of 2014 by security company FireEye which explicitly linked the group's activities to Vladimir Putin's government in Moscow.

Another security company, Trend Micro has dubbed the group Pawn Storm and linked them to on-going targeted attacks against government, media and military agencies in the United States, Pakistan, and Europe using a variety of attack vectors including spearphishing and watering hole attacks.

Following an investigation into the attack on TV5 Monde, the French cybersecurity agency turned its attention towards Moscow, and FireEye has uncovered evidence which seems to back up this suspicion.

FireEye discovered that the Cyber Caliphate website where the IS-linked group claimed responsibility for the attack was hosted on the same IP block as other APT28 infrastructure, and used the same name server and registrar that FireEye has seen APT28 use in the past.

FireEye's report from last October details the work of a team of "skilled Russian developers and operators" which has been collecting information from defence and geopolitical intelligence targets, including the Republic of Georgia, Eastern European governments and militaries, and European security organisations - all areas which FireEye says are of interest to the Russian government.

Professional Russian trolls

So why has a group which has been dedicated to intelligence pretended to be IS hackers and knocked a French TV station off air?

The answer lies in the fact that the Russian government operates a highly organised, well-resourced and effective professional trolling operation.

FireEye says: "[We] suspect that that this activity aligns with Russia's institutionalised systematic "trolling" - devoting substantive resources to full-time staff who plant comments and content online that is often disruptive, and always favourable to President Putin."

Speaking to IBTimes UK, Richard Turner from FireEye said that trying to discern the reason behind the attack was difficult and "only the perpetrators of the crime known the motivation" but he did posit some ideas:

"Maybe it was to test out a capability to see if they could take a broadcaster off air, maybe it was to try and create something in the news to move the news agenda on."

The idea that APT28 carried out this attack as some kind of trolling exercise is given credence by a report in the New York Times from earlier this month entitled The Agency, which details an army of well-paid Russian trolls based in St Petersburg whose only purpose it seems is to create havoc on the internet.

Adrian Chen's fascinating report details how these cyber-soldiers have caused panic in the US by falsely claiming toxic chemical leaks had happened backed up by a widespread social media campaign and even a video purporting to show the incident. The attack was being claimed by IS on this YouTube video.

The problem of attribution

While there is no evidence to link APT28 with the trolling group known as the Internet Research Agency, their motivations appear to have many similarities.

However, the attack on TV5 Monde is not that cut and dry. While FireEye has linked the attack to the Kremlin-backed group, Trend Micro, looking at evidence supplied by the French national cyber security agency, suggests that the attack may well have been carried out by IS - or someone linked to it - but using the infrastructure belonging to APT28 or Pawn Storm.

"Perhaps the Pawn Storm group gave attack relevant data to a third party, directly or indirectly to Islamic hacktivists." However it adds that this scenario is "highly unlikely" as the group has been seen to be actively targeting Chechen separatists and Islamic extremists in former Yugoslavia.

When IBTimes UK put this scenario to Turner, he said that because FireEye does not know the identities of those involved in APT28, it is very difficult to say if "it is someone from Russia, or someone using the Russian organisation's infrastructure".

Looking at this topic more broadly, Turner did say that attacks like this "were the new normal" and that groups which have the capabilities to disrupt businesses in this way are absolutely likely to use their infrastructure for political or financial gain.