A powerful cyber-attack came close to destroying a French TV network.
TV5Monde was taken off air in April 2015. A group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility. But an investigation now suggests the attack was in fact carried out by a group of Russian hackers. The attack used highly targeted malicious software to destroy the TV network’s systems.
Wednesday 8 April was a big day for Yves Bigot, the director-general of TV5Monde.
His network, which broadcasts around the world, had just launched its latest channel. French ministers had been in attendance at the Paris headquarters.
That evening Mr Bigot went for dinner to celebrate with a counterpart from Radio Canada.
Just as they were being served their appetisers at 20:40 local time, a flood of texts and calls informed him that all 12 channels had gone off air.
“It’s the worst thing that can happen to you in television,” Mr Bigot told me in his Paris office.
It quickly became clear that the network had been subject to a serious cyber-attack.
“We were a couple of hours from having the whole station gone for good.”
But as the investigation by French authorities began, a different picture began to emerge.
France’s cyber-agency told Mr Bigot to be careful about linking the incident directly to IS – instead he was advised to say only that the messages claimed to be from IS.
The investigators had come to believe that the attackers had used the jihadist posts to try to cover their tracks.
Mr Bigot was later told evidence had been found that his network had been attacked by a group of Russian hackers, who are known as APT 28.
“I have absolutely no idea,” said Mr Bigot, when I asked why TV5Monde had been targeted.
He explained that the investigators had only been able to prove two things.
Firstly, that the attack was designed to destroy the channel, and secondly, that it was linked to APT 28.
“There are two things that the investigation won’t probably be able to achieve,” he added.
“The first one is why us – why TV5Monde?
“And the second one is: Who gave the order and the money to that Russian group of hackers to actually do it?”
It’s not uncommon for cyber-attackers to enter a target’s network to look for information.
But what happened to TV5 was not espionage – the aim was destruction. And that is indicative of a new trend: attacks with physical-world consequences.
Arguably, the pioneering state-backed attack of this type was Stuxnet.
This was carried out – it is widely believed – by the US and Israel against Iran’s nuclear programme and involved damaging the centrifuge programme at Natanz.
More recently, a power station in Ukraine was switched off by cyber-attackers.
The TV5 attack fits into this pattern of highly-targeted attacks, rather than the kind of general criminal activity typically seen on the web.
The issue as to why Russian hackers targeted the company is one that has occupied intelligence analysts in the UK and US, as well as France.
In London, the conclusion was that it was most likely an attempt to test forms of cyber-weaponry as part of an increasingly aggressive posture.
The impact on TV5 was enormous.
In the immediate aftermath, staff had to return to using fax machines as they could not send emails.
“We had to wait for months and months before we reconnected to the internet,” recalled Mr Bigot.
The financial cost was €5m ($5.6m; £4.5m) in the first year, followed by over €3m ($3.4m; £2.7m) every following year for new protection.
But the biggest challenge has been to the way the company works. Every employee has had to change their behaviour.
Special authentication procedures are needed to check email from abroad, and flash drives have to be tested before being inserted.
For a media company that exists by moving material in and out of its systems, the costs in efficiency have been real.
“We never will be as we were before,” said Mr Bigot. “It is too dangerous.”