Cyber security Blank screen

The victim of a massive cyber attack that very nearly brought it to its knees, international French-language television network TV5Monde has called on the services of Airbus Defence and Space to protect itself from further attacks.

Hacked

The TV5Monde team (from left to right): technical manager Nicolas Loriot, project manager Stéphane Grasset, commercial manager Pierre Balloteau, and François Lavaste, head of cyber security

At a little after 8 o’clock on the evening of 8 April 2015, Yves Bigot, the director general of TV5Monde, took a seat in a Paris restaurant close to the Arc de Triomphe. He smiled as he raised a glass to his lips, and not without good reason. He had, after all, just overseen the launch of a new channel seeking to promote the French art of living in the Arab world and the Asia-Pacific region.

It was then that his mobile phone suddenly began to buzz with messages, emails and calls, all of them delivering the same disconcerting message: every single TV5Monde channel was either off air or showing a blank screen. To make matters worse, the network’s website, Facebook and Twitter accounts had also been hacked. A flagship of the Francophone world and available in 291 million homes in more than 200 countries, TV5Monde had ceased to function.

Figures about how affect cyber attacks

On its website appeared a sinister message, signed by ISIS and making all sorts of threats.  “We later learned that it was all a ruse and the attack had been carried out by Russian hackers,” Bigot explains.

Rushing back to the network’s head office on Avenue de Wagram, he was relieved to find that, because of that day’s launch, the new station’s IT teams were still at their desks. They eventually managed to track down the computer that the hacker was using and eject it from the network, bringing an end to an attack that had lasted nearly
three hours.

The team protecting TV5Monde uses Airbus Defence and Space’s Keelback Net solution to detect suspicious activity and analyse attacks.

“We were lucky. If the attack had lasted longer, everything would have been destroyed: our equipment, all our stock, associated rights, contracts, you name it,” Bigot adds. “It would have cost in the region of 50 million euros rather than five million. And we would never have recovered from it – which was what the hackers were looking to achieve: they wanted to destroy us.”

Looking stern-faced, Bigot is sitting in his bright office, with its view of the Eiffel Tower. Alongside him is Pierre Balloteau, commercial manager of Airbus Defence Space’s cyber security department. The two of them cast their minds back to the attack, which was reminiscent in its aggressive intent of a similar one perpetrated on Sony Pictures in December 2014.

A crack in the door

An inside view of TV5 Monde’s cyber security control room

“There are three types of attacks, and they vary in nature according to the aims of the people behind them,” comments Balloteau, who went on to list them: cyber criminal attacks, which are very common and which aim to steal money; the theft of sensitive information (intellectual property, state-sponsored spying); and sabotage for the purpose of wreaking as much destruction as possible. “Unfortunately, this last type is becoming more and more frequent,” he warns.

TV5Monde’s 400 employees know only too well what such an attack entails. During the course of the subsequent investigation, they discovered just how vulnerable they were. Prepared with military-like precision, the attack began on 23 January. By sending a phishing email to the station’s entire staff, the hackers managed to penetrate the IT network, locate the servers without anyone knowing and start mapping everything. “It’s like a burglar going through your apartment,” Bigot explains. “That preparatory phase is typical, and it’s extremely difficult to detect,” Balloteau adds.

How Airbus Defence and Space protects its customers

One month later, the hackers found another way in, passing themselves off as a Netherlands-based service provider, whose servers operate the station’s cameras by remote means. “In gaining an understanding of the process, we realised just how difficult it is to protect yourself against these attacks,” Bigot says.

During the aftermath of the hack, the audiovisual group went through a period of major financial uncertainty. Would the five donor countries come to its aid? What would be the impact on its activities and its employees’ jobs? If the station was to bounce back quickly, it would have to rebuild its network and protect it.

Advised by the French National IT Systems Security Agency – the ANSSI – TV5Monde chose to partner with Airbus Defence and Space during the rebuilding phase. Airbus’ cyber security teams promptly installed the Keelback Net cyber sensor in the group’s network. Forming part of the company’s global security monitoring solution, Keelback Net offers a continuous detection service, ensuring early analysis of any unusual behaviour. In the event of any potentially suspicious activity, Airbus experts at Elancourt can advise their colleagues at TV5Monde straightaway.

No one is safe

In gaining an understanding of the process, we realised how difficult it is to protect yourself against these attacks.

Yves Bigot

“We ask them what’s happening, and if no one knows, then it’s a red alert. There’s an intrusion,” Balloteau explains. “The sensor allows our engineers to monitor the network in conjunction with their counterparts at Airbus,” Bigot adds. The experts at Airbus Defence and Space also carry out an in-depth investigation of the alerts raised by Keelback Net. The aim is to act as soon as hackers engage in the first phase of their operation.

As far as Bigot is concerned, the lessons are clear: no one is safe, and doing nothing is simply not an option. “We’ve created a world that is nice and open, but also extremely dangerous,” says the TV5Monde chief, who estimates that his group will have to invest seven to eight percent of its budget in protecting itself. “It’s tough news for everyone.”

Marion Bigot

Cyber breaches

COMPANY
& DATE

HOW THEY WERE ATTACKED

DATA LOST

COST

SUSPECTED

PERPETRATOR

JPMORGAN
CHASE

7/2014

Two-factor authentication not fully implemented

Names, addresses and phone numbers of 76 million household and seven million small business accounts

The company plans to spend 250 million USD a year on security

Three people were charged for the hack as part of a stock manipulation plot

SONY PICTURES ENTERTAINMENT

11/2014

Malware and lack of intrusion detection

E-mails, salary information, movie scripts, contracts and terabytes of other confidential data

41 million USD

North Korean regime, in reaction to its film ‘The Interview’, a comedy about a plot to assassinate North Korean leader Kim Jong-un

US OFFICE OF PERSONNEL MANAGEMENT

6/2015

Social-engineering attacks and lack of modern intrusion detection services

Names, birth dates, addresses, fingerprints and background information on around 21.5 million people

133 million USD just for credit monitoring services offered to victims

China-based hackers

ASHLEY
MADISON

7/2015

Unknown. Culprits cited weak passwords and internal security

Names, addresses, birth dates, phone numbers and credit card histories of 37 million users as well as the CEO’s emails

Unknown. The company faces numerous lawsuits.

A group that calls itself ‘Impact Team’

TALKTALK
TELECOM

10/2015

Malicious code and distributed denial-of-service attack

Names, addresses, birth dates and phone numbers of over 150,000 customers

Around 50 million USD

A teenager based in Northern Ireland

Exceptionally damaging hacks have recently hit organisations in all types of industries - entertainment, insurance, telecom just to name a few.

If you would like to receive a print copy of the magazine, you can subscribe to our distribution list by writing us at forum@airbus.com