Cyberjihadists bring down TV5 Monde

Focus is the head of the Fellagas group, the Tunisian hackers responsible for what Vice-Admiral Arnaud Coustillère, in charge of cyber defense at the Ministry of Defense, had designated as "the biggest computer attack that a country has ever faced".

When we questioned him in February, Focus had made it clear to us and his group that he would continue to attack France, and more particularly its media.

If defacing (modifying the home page of a site) is one of the group's specialties, taking control of a Twitter account and of the broadcasting system for programs on a television network is another matter.

Not that the Fellagas would be unable to do it, but it does not correspond to their operating mode.

Nor does the signature, for that matter. The colors used in the identities displayed on the pirated sites all indicated that this was another group of hackers.

To identify them, we had to go on their virtual tracks to the heart of pirate sites.


The TV5 hack was carried out via a Java flaw. A flaw on a particular computer: that of the administrator of the channel's social networks, or one directly connected to the control room (régie).

This flaw allowed a virus in VBS format to be sent. Camouflaged under a false Google identity, the crypto virus was scheduled to launch after five minutes of PC use.

Its name? isis…

Isis is a worm which, once introduced into the TV5 network, continued to grow until it reached its target: the transmission server.

But before we get there, we need to explain how this dreaded virus was introduced onto the vulnerable computer.

Not in order to make a hacker's secret public, but because it concerns a tool used more and more in newsrooms.

One of the oldest ways is to send a fake email that looks like an official one from the channel. The user clicks and, without knowing it, installs a script on his PC.

A program that allows the hacker to take control of his computer, his webcam and … his passwords.

The daily Le Monde almost fell victim to this kind of attack last January.

Another way to do this is by sending a press release or electronic document. There too, the document hides an HTML script which then takes control of the user's PC.

The third is the one that seems most likely to us.

It consists of a hacker stealing a user's IP identity via Skype.

The maneuver is disconcertingly simple and fast. One of our sources did it in front of us, on one of our computers, to illustrate it.

TV5 journalists, like those of many other media outlets, use Skype, including in their communications with certain jihadists.

It was likely during one of these recent sessions that the IP address was stolen, and with it the identity of the channel's network.

Back to the virus now.

We are less than 30 minutes after its launch.

While other viruses were being installed on the network, isis made its way to the transmission server. Our sources have identified three others, including one in the form of an HTML script installed directly on the TV5 web page, which threatened any visitor to the site until the channel's technicians destroyed it.

This is where the program signal is converted from analog to digital before being sent to the broadcast satellite.

This dispatch center is the heart of TV5.

This is where its programs go to the world. This is the target of the operation.

But before revealing the goal, we must return to the perpetrators of the attack.

A complex attack, thought out and prepared for months.


Unsurprisingly, the hackers hid behind a VPN but despite all their precautions, did not manage to camouflage all their traces.

To identify them, our sources had to isolate the isis virus and then crack it in order to find the identity of its designer, its provenance and the identity of its distributor(s).

Two programs were used to create the virus: JRAT MAC and WINRAT.

The virus is obviously encrypted, but once its protection is broken it reveals, as we thought, its secrets.

In its data, our source discovers the port used to attack TV5, the MAC identity of the computer which will be the first infiltrator, the camouflage identity used to escape the channel's antivirus software, its programming…

More amusingly, we also learn that it was designed and propagated from a Windows 7 PC.

Finally, isis hides within it the identity of its designer and its hacker pseudonym.

His name? NAJAF.

His nickname? JoHn.Dz