French TV5Monde network cyber attack the latest in destructive trend in system intrusions

The cyber attack on French television network TV5Monde is the latest in a growing list of incursions intended to destroy data and IT systems

The cyber attack on French television network TV5Monde is the latest in a growing list of destructive incursions from a wide range of attackers.

Attackers supporting Islamic State managed to take the network’s 11 TV stations off air, and hijack its website and Facebook page on 8 April 2015.

The attackers used the network’s social media accounts to post threats against French troops, publishing documents purporting to be the ID cards and resumés of French soldiers involved in US-led anti-IS operations in Iraq and Syria.

Although it regained control of most of its sites in two hours, the TV network’s director general, Yves Bigot, told the media it could take days for the station to recover.

“We are no longer able to broadcast any of our channels. Our websites and social media sites are no longer under our control and are all displaying claims of responsibility by Islamic State,” he said.

Bigot reportedly said later that the TV network’s systems had been "severely damaged" by an "unprecedented attack".

Read more about cyber attacks

Cyber attacks destroy data and systems

The attack is significant because it highlights the risk of broadcasters switching to digital, online operations and the growing shift to more destructive attacks.

The attack came just one day after the Organization of American States (OAS) published a survey report saying that critical infrastructure organisations are commonly targeted in cyber attacks aimed at manipulating equipment – or destroying data, rather than stealing it.

To date, the Shamoon malware attack on Saudi Aramco in August 2012 and the computer-killing malware attack on Sony Pictures in November 2014 are the best-known cases of destructive cyber attacks, but the trend appears to be growing.

The attack on TV5Monde highlights the extremely sophisticated and powerful cyber attack tools now finding their way into the hands of non-state actors such as political activists and cyber criminals.

Even cyber criminals with low technical capabilities can now access malware code and techniques that would previously have been out of their reach, due to the emergence of the malware-as-a-service business model, according to Websense Security Labs principal security analyst Carl Leonard.

State hacking capabilities commoditised

Edward Parsons, senior manager at KPMG’s cyber security practice said that, until recently, the most effective attacks had been conducted by groups closely aligned to state powers, giving the examples of the recent attacks on US media outlets and financial institutions.

“Unfortunately the capabilities and infrastructure previously reserved for nation states and their proxies have been commoditised and made available to all in online criminal marketplaces,” he said.

According to Parsons, the disruption to broadcasts points in the TV5Monde attack is a concerning development. 

“We have seen similar tactics used in recent attacks against other media companies, where data theft has been coupled with material damage to servers and desktop computers. We may therefore see politically motivated cyber attacks become more damaging,” he said.

Organisations must understand threats

In the light of these recent developments, Parsons said companies need to protect themselves from similar incidents by treating corporate social media accounts with the same governance and protection as they would apply to any corporate account. 

“They must ensure that internet-facing services are patched regularly to remediate vulnerabilities that could be exploited in an attack. Furthermore, there needs to be a tried and tested response mechanism in place,” he said.

According to Leonard, it is only when organisations have a clear picture of everything going on, with the tools and capabilities that make cyber crime so easy for attackers, that they are in a position to secure the enterprise.

Despite the growing awareness of the kill chain model that analyses cyber attacks in seven key stages, to find ways to detect and disrupt each stage, he said organisations still tend to focus on point systems.

“But while these systems can be very good at identifying one particular aspect of a threat, there is a need for broader technologies to operate across the kill chain and raise the bar by putting obstacles at every stage of an attack,” said Leonard.

Authentication details on open display

No details have been released on how the attackers breached TV5Monde’s IT security, but some reports indicate that security at the company is lax.

A French TV interview with one of TV5Monde’s reporters suggested access details for the company’s social media networks were openly displayed on notes stuck up in offices, reports Ars Technica.

An investigation into the attack is underway and should reveal whether attackers exploited software vulnerabilities; if a failure of security controls and processes enabled the breach; or if it was the work of an insider.

Read more on Hackers and cybercrime prevention

Data Center
Data Management