How France’s TV5 was almost destroyed by ‘Russian hackers’
A powerful cyber-attack came close to destroying a French TV network, its director-general has said.
TV5Monde was taken off air in April 2015. A group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility.
But an investigation now suggests the attack was in fact carried out by a group of Russian hackers.
The attack used highly targeted malicious software to destroy the TV network’s systems.
Wednesday 8 April was a big day for Yves Bigot, the director-general of TV5Monde.
His network, which broadcasts around the world, had just launched its latest channel. French ministers had been in attendance at the Paris headquarters.
That evening Mr Bigot went for dinner to celebrate with a counterpart from Radio Canada.
Just as they were being served their appetisers at 8:40pm local time, a flood of texts and calls informed him that all 12 channels had gone off air.
“It’s the worst thing that can happen to you in television,” Mr Bigot said in his Paris office.
It quickly became clear that the network had been subject to a serious cyber-attack.
“We were a couple of hours from having the whole station gone for good.”
It was a race against time - more systems were corrupted with every passing minute. Any substantial delay would have led satellite distribution channels to cancel their contracts, placing the entire company in jeopardy.
“We were saved from total destruction by the fact we had launched the channel that day and the technicians were there,” said Mr Bigot.
“One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the internet and it stopped the attack.”
At 05:25 local time, one channel was restored. Others followed later that morning.
“We owe a lot to the engineer who unplugged that particular machine. He is a hero here,” Mr Bigot said.
The attack was far more sophisticated and targeted than reported at the time. The perpetrators had first penetrated the network on 23 January.
They carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals. They then fabricated bespoke malicious software to corrupt and destroy the internet-connected hardware that controlled the TV station’s operations - such as the encoder systems used to transmit programmes.
The attackers used seven different points of entry. Not all of them were part of TV5Monde or in France. In one case, a company based in the Netherlands was targeted because it supplied the remote-controlled cameras used in TV5’s studios.
At 8:40pm local time - when the first calls were made - the people in charge of digital content at the broadcaster told Mr Bigot that messages had been posted on the channel’s Twitter and Facebook pages.
The hackers said they were from a group calling themselves the Cyber Caliphate, and made threats against France. It was only a few months since the Charlie Hebdo attacks and it seemed this could have been a follow-up strike by so-called Islamic State.
But as the investigation by French authorities began, a different picture began to emerge.
France’s cyber-agency told Mr Bigot to be careful about linking the incident directly to IS - instead he was advised to say only that the messages claimed to be from IS.
The investigators had come to believe that the attackers had used the jihadist posts to try to cover their tracks.
Mr Bigot was later told evidence had been found that his network had been attacked by a group of Russian hackers, who are known as APT 28.
“I have absolutely no idea,” said Mr Bigot, when asked why TV5Monde had been targeted.
He explained that the investigators had only been able to prove two things.
Firstly, that the attack was designed to destroy the channel, and secondly, that it was linked to APT 28.
“There are two things that the investigation won’t probably be able to achieve,” he added.