{
	"id": "913ba19b-e10c-426f-bf22-cb38385b1923",
	"created_at": "2026-04-06T00:06:37.048046Z",
	"updated_at": "2026-04-10T13:12:54.820961Z",
	"deleted_at": null,
	"sha1_hash": "fe70391333b519ab91f64353d1662634a72fe299",
	"title": "How France's TV5 was almost destroyed by 'Russian hackers'",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2916959,
	"plain_text": "How France's TV5 was almost destroyed by 'Russian hackers'\r\nBy Gordon Corera\r\nPublished: 2016-10-10 · Archived: 2026-04-05 15:14:02 UTC\r\nImage source, Getty Images\r\nImage caption,\r\nTV5Monde's TV station, website and social media accounts were all hit in April 2015\r\nByGordon Corera\r\nSecurity correspondent, BBC News\r\nA powerful cyber-attack came close to destroying a French TV network, its director-general has told the\r\nBBC.\r\nTV5Monde was taken off air in April 2015. A group calling itself the Cyber Caliphate, linked to so-called Islamic\r\nState, first claimed responsibility.\r\nBut an investigation now suggests the attack was in fact carried out by a group of Russian hackers.\r\nThe attack used highly targeted malicious software to destroy the TV network's systems.\r\nhttps://www.bbc.com/news/technology-37590375\r\nPage 1 of 7\n\nImage source, Getty Images\r\nImage caption,\r\nYves Bigot is the director-general of TV5Monde\r\nCorrupted data\r\nWednesday 8 April was a big day for Yves Bigot, the director-general of TV5Monde.\r\nHis network, which broadcasts around the world, had just launched its latest channel. French ministers had been in\r\nattendance at the Paris headquarters.\r\nThat evening Mr Bigot went for dinner to celebrate with a counterpart from Radio Canada.\r\nJust as they were being served their appetisers at 20:40 local time, a flood of texts and calls informed him that all\r\n12 channels had gone off air.\r\n\"It's the worst thing that can happen to you in television,\" Mr Bigot told me in his Paris office.\r\nIt quickly became clear that the network had been subject to a serious cyber-attack.\r\n\"We were a couple of hours from having the whole station gone for good.\"\r\nhttps://www.bbc.com/news/technology-37590375\r\nPage 2 of 7\n\nImage source, Tv5monde\r\nImage caption,\r\nScreens went blank in the foyer of TV5Monde\r\nIt was a race against time - more systems were corrupted with every passing minute. 
Any substantial delay would have led satellite distribution channels to cancel their contracts, placing the entire company in jeopardy.\r\n\"We were saved from total destruction by the fact we had launched the channel that day and the technicians were there,\" said Mr Bigot.\r\n\"One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the internet and it stopped the attack.\"\r\nAt 05:25 local time, one channel was restored. Others followed later that morning.\r\n\"We owe a lot to the engineer who unplugged that particular machine. He is a hero here,\" Mr Bigot said.\r\nBespoke attack\r\nThe attack was far more sophisticated and targeted than reported at the time. The perpetrators had first penetrated the network on 23 January.\r\nThey carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals. They then fabricated bespoke malicious software to corrupt and destroy the internet-connected hardware that controlled the TV station's operations - such as the encoder systems used to transmit programmes.\r\nImage caption: Twelve TV5Monde channels were taken off air (image source: Getty Images)\r\nThe attackers used seven different points of entry. Not all of them were part of TV5Monde or in France. 
In one case, a company based in the Netherlands was targeted because it supplied the remote controlled cameras used in TV5's studios.\r\nWho was responsible?\r\nAt 20:40 local time - when the first calls were made - the people in charge of digital content at the broadcaster told Mr Bigot that messages had been posted on the channel's Twitter and Facebook pages.\r\nThe hackers said they were from a group calling themselves the Cyber Caliphate, and made threats against France.\r\nIt was only a few months since the Charlie Hebdo attacks and it seemed this could have been a follow-up strike by so-called Islamic State (IS).\r\nImage caption: The TV5Monde website was defaced (image source: Tv5monde)\r\nBut as the investigation by French authorities began, a different picture began to emerge.\r\nFrance's cyber-agency told Mr Bigot to be careful about linking the incident directly to IS - instead he was advised to say only that the messages claimed to be from IS.\r\nThe investigators had come to believe that the attackers had used the jihadist posts to try to cover their tracks.\r\nMr Bigot was later told evidence had been found that his network had been attacked by a group of Russian hackers, who are known as APT 28.\r\nMysterious motive\r\n\"I have absolutely no idea,\" said Mr Bigot, when I asked why TV5Monde had been targeted.\r\nHe explained that the investigators had only been able to prove two things.\r\nFirstly, that the attack was designed to destroy the channel, and secondly, that it was linked to APT 28.\r\n\"There are two things that the investigation won't probably be able to achieve,\" he added.\r\n\"The first one is why us - why TV5Monde?\r\n\"And the second one is: Who gave the order and the money to that Russian group of hackers to actually do it?\"\r\nDestructive intent\r\nIt's not uncommon for cyber-attackers to enter a target's network to look for 
information.\r\nBut what happened to TV5 was not espionage - the aim was destruction. And that is indicative of a new trend: attacks with physical-world consequences.\r\nArguably, the pioneering state-backed attack of this type was Stuxnet.\r\nThis was carried out - it is widely believed - by the US and Israel against Iran's nuclear programme and involved damaging the centrifuge programme at Natanz.\r\nMore recently, a power station in Ukraine was switched off by cyber-attackers.\r\nThe TV5 attack fits into this pattern of highly-targeted attacks, rather than the kind of general criminal activity typically seen on the web.\r\nThe issue as to why Russian hackers targeted the company is one that has occupied intelligence analysts in the UK and US, as well as France.\r\nIn London, the conclusion was that it was most likely an attempt to test forms of cyber-weaponry as part of an increasingly aggressive posture.\r\nDangerous precedent\r\nThe impact on TV5 was enormous.\r\nIn the immediate aftermath, staff had to return to using fax machines as they could not send emails.\r\n\"We had to wait for months and months before we reconnected to the internet,\" recalled Mr Bigot.\r\nThe financial cost was €5m ($5.6m; £4.5m) in the first year, followed by over €3m ($3.4m; £2.7m) every following year for new protection.\r\nBut the biggest challenge has been to the way the company works. Every employee has had to change their behaviour.\r\nSpecial authentication procedures are needed to check email from abroad, flash drives have to be tested before being inserted.\r\nFor a media company that exists by moving material in and out of its systems, the costs in efficiency have been real.\r\n\"We never will be as we were before,\" said Mr Bigot. 
\"It is too dangerous.\"\r\nMore on this story\r\nRelated internet links\r\nhttps://www.bbc.com/news/technology-37590375\r\nPage 6 of 7\n\nThe BBC is not responsible for the content of external sites.\r\nSource: https://www.bbc.com/news/technology-37590375\r\nhttps://www.bbc.com/news/technology-37590375\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bbc.com/news/technology-37590375"
	],
	"report_names": [
		"technology-37590375"
	],
	"threat_actors": [
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe70391333b519ab91f64353d1662634a72fe299.pdf",
		"text": "https://archive.orkl.eu/fe70391333b519ab91f64353d1662634a72fe299.txt",
		"img": "https://archive.orkl.eu/fe70391333b519ab91f64353d1662634a72fe299.jpg"
	}
}