Yesterday evening French magazine L’Express published a report linking an attack against TV5 Monde very firmly to the Russian state. The attack, which knocked 11 of its global channels off air for a period of time and resulted in a compromised website and Facebook page, took place back in April.
At the time when the attack took place, a group calling itself CyberCaliphate immediately took responsibility for the hack and went on to publish details purportedly of serving French military personnel involved in the struggle against Islamic State or ISIS. The attribution at the time seems simple and immediate; Islamic Extremist motivated hacktivism.
L’Express approached Trend Micro with certain indicators of compromise which had been shared with 43 media organisations by the Agence nationale de la sécurité des systèmes d’information (ANSSI) in France, with a view to uncovering more about the attacker or the motivations behind the attack. These indicators very definitely evidence an infestation of Sednit (also known as Sofacy) malware, associated with the ongoing targeted attack campaigns by the Pawn Storm operators (also referred to as APT28). What they did not do was to definitively link the stolen information or compromised accounts from the April attack to this Pawn Storm compromise. Neither is it possible to state with certainty that the two are *not* related.
Attribution in online crime is complex, more so when there may be nation-state involvement.
Trend Micro’s assessment of the current possibilities, with reference to the facts as they stand today leaves us with three possibilities.
While the false flag option is not entirely out of the question, it is at least somewhat out of character of previous operations of the Pawn Storm campaign.
My spider senses right now are tingling on option one. TV5 Monde, as media operation is a target entirely within the remit of the regular Pawn Storm operations and an infestation of Sednit malware there should perhaps not be a surprise at all. The fact that during the time of this Sednit compromise, they were also targeted by Islamic extremist hacktivists, given the contemporary news and political environment in France is perhaps also not surprising.
Attribution online is always complex, sometimes though things can be entirely as they seem.
Please add your thoughts in the comments below or follow me on Twitter; @rik_ferguson.