On Wednesday April 8, 2015 in France, the nature of critical infrastructure attacks changed for good.
From 10 PM that evening until 1 AM Thursday morning local time, TV5Monde, one of France’s largest global television networks, was brought fully offline by a cyberattack. The scope of the attack was unprecedented. Attackers were able to:
Any one of these actions alone would qualify as a major cybersecurity incident. To have all of these actions occur as part of a synchronized attack puts this incident in a whole new category and takes critical infrastructure attacks to another level.
What makes this fact more chilling is that the attack doesn’t appear to be the work of state-sponsored threat actors. This incident can most likely be traced to non-state threat actors with geopolitical or terrorist goals (similar to what we outlined in our recent Operation Arid Viper report).
While complete details are still uncertain, previous attacks such as Arid Viper and Sony (another communications entity that suffered a similar fate) demonstrate that phishing and spear-phishing are very likely to blame. This is supported by our findings in a recent survey of critical infrastructure attacks in the Americas with the Organization of American States (OAS). Research revealed that phishing was the number one attack method against critical infrastructure with 71 percent of respondents saying they’d experienced such attacks.
What is most significant about this event is the fact that it is a cyberattack against critical infrastructure that impacted and affected regular people. In short—this is the first critical infrastructure attack to play out like those you see in thriller or disaster movies.
TV5Monde managed to regain control of their network and operations by about 2 AM, about four hours after the attack began. As of this writing, they have managed to maintain control for more than 24 hours. At this point, the attack appears to be over.
But the ramifications are only now starting to emerge as we understand what happened and what it means.
First, this demonstrates that it’s not just the big states with tremendous resources that can execute devastating attacks. Sophisticated techniques are being adopted by non-state activists and cybercriminals as well. We’ve known this for some time, but this shows how true (and damaging) that can be.
Second, this attack shows that critical infrastructure attacks impacting the general populace are no longer the stuff of fiction or security professionals’ worst case scenarios—they’re now a reality and very much in play.
Finally, it highlights that everyone needs to take targeted attacks seriously and take appropriate measures to counter them. Using network-based protections to detect breaches and protect against intrusions, such as Trend Micro’s Deep Discovery, is increasingly a must-have, not a luxury.
Fortunately, as far as we know, there was no significant damage, injury or loss of life from this attack. But now the chances of those happening because of a cyberattack are much more real. The TV5Monde attack should serve as a “wake-up call” to compel people to understand that threats to critical infrastructure are not fantasy. There needs to be a concerted effort among policymakers and corporate leadership to take this situation seriously, move quickly, and invest now to better secure these networks before the next big attack comes.
Please add your thoughts in the comments below or follow me on Twitter: @ChristopherBudd.