Russians posed as IS hackers, threatened US military wives
A few weeks after the spouses were threatened, on April 9, 2015, the signal of French broadcaster TV5 Monde went dead.
The station’s network of routers and switches had been knocked out and its internal messaging system disabled. Pasted across the station’s website and Facebook page was the keffiyeh-clad logo of CyberCaliphate.
The cyberattack shocked France, coming on the heels of jihadist massacres at the satirical magazine Charlie Hebdo and a kosher supermarket that left 17 dead. French leaders decried what they saw as another blow to the country’s media. Interior Minister Bernard Cazeneuve said evidence suggested the broadcaster was the victim of an act of terror.
But Guillaume Poupard, the chief of France’s cybersecurity agency, pointedly declined to endorse the minister’s comments when quizzed about them the day after the hack.
“We should be very prudent about the origin of the attack,” he told French radio. “We might be surprised.”
Government experts poring over the station’s stricken servers eventually vindicated Poupard’s caution, finding evidence they said pointed not to the Middle East but to Moscow.
Speaking to the AP last year, Poupard said the attack “resembles a lot what we call collectively APT28.”
Russian officials in Washington and in Moscow did not respond to questions seeking comment. The Kremlin has repeatedly denied masterminding hacks against Western targets.
Proof that the military wives were targeted by Russian hackers is laid out in a digital hit list provided to the AP by the cybersecurity company Secureworks last year. The AP has previously used the list of 4,700 Gmail addresses to outline the group’s espionage campaign against journalists, defense contractors and U.S. officials. More recent AP research has found that Fancy Bear, which Secureworks dubs “Iron Twilight,” was actively trying to break into the military wives’ mailboxes around the time that CyberCaliphate struck.
Lee Foster, a manager with cybersecurity company FireEye, said the repeated overlap between Russian hackers and CyberCaliphate made it all but certain that the groups were linked.
“Just think of your basic probabilities,” he said.
CyberCaliphate faded from view after the TV5 Monde hack, but the over-the-top threats issued by the gang of make-believe militants found an echo in the anti-Muslim sentiment whipped up by a St. Petersburg troll farm — an organization whose operations were laid bare by a U.S. special prosecutor’s indictment earlier this year.
The trolls — Russian employees paid to seed American social media with disinformation — often hyped the threat of Islamic State militants to the United States. A few months before CyberCaliphate first won attention by hijacking various media organizations’ Twitter accounts, for example, the trolls were spreading false rumors about an Islamic State attack in Louisiana and a counterfeit video appearing to show an American soldier firing into a Quran.
The AP has found no link between CyberCaliphate and the St. Petersburg trolls, but their aims appeared to be the same: keep tension at a boil and radical Islam in the headlines.
By that measure, CyberCaliphate’s targeting of media outlets like TV5 Monde and the military spouses succeeded handily.
Ricketts, the author, said that by planting threats with some of the most vocal members of the military community, CyberCaliphate guaranteed maximum press coverage.
“Not only did we play right into their hands by freaking out, but the media played right into it,” she said. “We reacted in a way that was probably exactly what they were hoping for.”