By Joseph Menn and Leigh Thomas
SAN FRANCISCO/PARIS, June 10 - Russian hackers
linked to the Kremlin could be behind one of the biggest attacks
to date on televised communications, which knocked French
station TV5Monde off air in April, sources familiar with
France's inquiry said.
A French judicial source told Reuters that the investigators
are "leaning towards the lead of Russian hackers," confirming a
report in French magazine L'Express.
Hackers claiming to be supporters of Islamic State caused the
public station's 11 channels to temporarily go off air and
posted material on its social media feeds to protest against
French military action in Iraq.
But the judicial source said the theory that Islamist
militants were behind the cyber attack was no longer the main
lead in the investigation.
U.S. cybersecurity company FireEye, which has been assisting
French authorities in some cases, said on Wednesday that it
believed the attack came from a Russian group it suspects works
with the Russian executive branch. Relations between Paris and
Moscow have suffered over the crisis in Ukraine, leading France
to halt delivery of two helicopter carriers built for Russia.
Information about the TV5 attack was published on a website
branded as part of the "Cyber Caliphate," a reference to the
Islamic State.
But the site was hosted on the same block of Internet
Protocol addresses and used the same domain name server as the
group called APT28 by FireEye and Pawn Storm by Trend Micro,
another large security company.
"We suspect that this activity aligns with Russia's
institutionalized systematic 'trolling' - devoting substantive
resources to full-time staff who plant comments and content
online that is often disruptive, and always favorable to
President Putin" of Russia, FireEye said via email.
French authorities distributed a sample of malicious
software from machines at the TV network that both FireEye and
Trend Micro said originated with the Russian hacking group.
Trend Micro Vice President Rik Ferguson said it was possible
that both the Russians and true Islamic State sympathizers had
hacked the network, but the judicial source and FireEye
discounted the possibility, citing other evidence.
Code used in the attack had been typed on a Cyrillic
keyboard at times of day corresponding to working hours in St.
Petersburg or Moscow, FireEye said.
Researchers have tied the Russian group to attacks on NATO
countries and on email of the White House and U.S. State
Department.
Though paid Russian Internet commenting operations have been
described in media reports for months, a story last week by the
New York Times associated one of the main operations, in St.
Petersburg, with disruptive fake news reports in the United
States. The story connected the group with dozens of
interconnecting hoax web pages, tweets and other false accounts
of a chemical plant explosion in Louisiana, among other
misinformation campaigns.
(Reporting by Chine Labbe and Joseph Menn; Writing by Leigh
Thomas; Editing by Mark Heinrich and Grant McCool)