The TV5Monde Attack explained by Trend Micro Luxembourg

On Wednesday April 8, 2015 in France, the nature of critical infrastructure attacks changed for good. From 10 PM that evening until 1 AM Thursday morning local time, TV5Monde, one of France’s largest global television networks was brought fully offline by a cyberattack.

April 15, 2015

The scope of the attack was unprecedented. Attackers were able to:

  • Completely disrupt broadcasting on all 11 of TV5Monde’s channels.
  • Completely shut down TV5Monde’s internal network.
  • Take control of TV5Monde’s website and social media accounts.
  • Replace content on the website with pro-ISIS statements.
  • Post information on social media accounts purporting to be the names and personal information of the relatives of French soldiers involved in operations against ISIS.

Massive cyber attack

The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air. In addition to this, TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published.

Frédéric Dohen, territory manager Luxembourg at Trend Micro: “It seems that the access would have been via phishing (email/social engineering). For example, an apparently legitimate e-mail, from say the TV5 IT department, could have lured TV5 employees into disclosing their username and password credentials, or downloading malicious content from a website/URL embedded in that email. The captured credentials could then be used to gain remote access to the TV5 network. When this type of compromise does occur the corporate firewall – no matter how well it has been certified – should identify and prevent it. But it looks like TV5 could have been breached several months ago, with hackers moving around the network stealthily compromising assets (servers, systems, data) and gateway connections, such as access to the broadcast network, and ultimately breaking into the signal transmission servers. Then these captured details could have been used to access web properties such as the Facebook and Twitter pages.

This attack comes as a wakeup call for any business to the dangers that cyber threat actors pose. If a company wants to mitigate the risk of this type of attack there are several actions they must undertake to stay safe. Businesses must educate their users to distinguish between legitimate and potentially malicious content – emails, URLs etc. Members of staff should also never open e-mail attachments unless they are expecting them. Moreover, businesses need to keep their list of blocked malware-related websites, and their list of safe sites, up to date. Companies must ensure that users update their password with a suitable strength option and avoid visiting untrusted sites which could re-direct them to malware. Privileges and access to sensitive computers and data must be managed and software patches, AV files and engines must be kept up to date. If this simple safety housekeeping isn’t performed – a company could end up in a position similar to TV5. Organizations need more visibility across their networks in order to improve their situational awareness of potential compromise. These attackers will laterally move around the network seeking valuable data or other systems to compromise.”

Cyberattack impacts and affects regular people

What is most significant about this event is the fact that it is a cyberattack against critical infrastructure that impacted and affected regular people. In short—this is the first critical infrastructure attack to play out like those you see in thriller or disaster movies.

TV5Monde managed to regain control of their network and operations by about 2AM, about four hours after the attack began. As of this writing, they have managed to maintain control for more than 24 hours. At this point, the attack appears to be over.

But the ramifications are only now starting to emerge as we understand what happened and what it means. First, this demonstrates that it’s not just the big states with tremendous resources that can execute devastating attacks. Sophisticated techniques are being adopted by non-state activists and cybercriminals as well. We’ve known this for some time, but this shows how true (and damaging) that can be.

Second, this attack shows that critical infrastructure attacks impacting the general populace are no longer the stuff of fiction or security professionals’ worst case scenarios—they’re now a reality and very much in play.

Finally, it highlights that everyone needs to take targeted attacks seriously and take appropriate measures to counter them. Using network-based protections to detect breaches and protect against intrusions, such as Trend Micro’s Deep Discovery is increasingly a must-have, not a luxury.

Fortunately, as far as we know, there was no significant damage, injury or loss of life from this attack. But now the chances of those happening because of a cyberattack are much more real. The TV5Monde attack should serve as a “wake-up call” to compel people to understand that threats to critical infrastructure are not fantasy. There needs to be a concerted effort among policymakers and corporate leadership to take this situation seriously, move quickly, and invest now to better secure these networks before the next big attack comes.
