All 12 channels France’s TV5 Monde were taken off the air one night in April 2015. The company had just launched a new channel that day and were out celebrating when a flood of text messages told the director-general that all 12 stations had gone dark.
Attackers, claimed to be from the Cyber Caliphate. Since this occurred only a few months after the Charlie Hebdo attack, it certainly could be a follow on attack from Daesh (aka isis).
However, as investigations continued, another possible attacker appeared.
In this particular case, as we saw in the Sony attack, the Sands Casino attack, Saudi Aramco and others, the purpose was destruction, not theft of information. They did a pretty good job of it.
What was not clear was why TV5 Monde was selected for this special treatment. The attackers didn’t indicate that they had done anything wrong.
The good news was that since they had just brought a new channel online that day, technicians were still at the company offices. They were able to figure out what server was in charge of the attack and unplug it.
While unplugging this server stopped the attack, it didn’t bring the TV feeds back on line. Given that the goal of the attackers was to destroy and without subtlety, they destroyed software and damaged equipment.
From 8:40PM that evening until 5:25 AM the next day, those 12 channels were dark. At 5:25 AM they were able to get one channel back on the air.
The director-general of TV5 Monde said that had they not gotten those feeds back online, the satellite distribution customers, which is most of their revenue, might have cancelled their contracts, putting the existence of the company in jeopardy. The rest of the channels did not come back until later that day.
Much later French investigators linked the attack to the Russian hacker group APT28.
To this day, no one knows why TV5 Monde was targeted.
One theory is that it was a test run to see how much damage they could do to an organization and TV5 Monde just happened to be the crash test dummy.
The attackers had been inside TV5 Monde’s network for more than 90 days doing reconnaissance.
Once they had collected enough information, they were able to construct a bespoke (custom) attack to do as much damage as possible.
Certainly we have seen destructive attacks before, such as the ones mentioned above, but we also have seen more cyber-physical attacks such as the power blackout in Ukraine last year, the German steel mill which sustained millions of dollars of damage and the recent incursions into nuclear plants in the United States.
This company survived, even though they had to spend $5 million to repair things and incur additional costs of $3 million a year forever due to new security measures put in place.
The attack route, not surprisingly, was the Internet. As more and more stuff gets connected – the remote control TV cameras were controlled out the Netherlands for example – the ease of attack becomes much more of a known art. As hackers conduct test runs, such as the attack on TV5 Monde is thought to have been, they become more confident of their ability to do damage going forward.
The real question is, as your company becomes more and more intertwined with the Internet, whether your organization is vulnerable to an attack – even if all you are is a distraction or collateral damage. And if you are vulnerable, will you be able to recover and survive? While the Sony attack was done as a revenge attack, we are seeing other attacks which are just targets of opportunity.
The good news is that TV5 Monde survived, but they were completely disconnected from the Internet for months. Could your company survive for months without being connected to the Internet? In their case, once they were reconnected to the Internet, that conversation that many companies have – about security or convenience – became much more clear. Now it was convenience or survival and survival won. Every employee has had to permanently change the way that they operate. Forever!
Information for this post came from BBC.