Security researchers have found an apparent link between the malicious code used to attack France’s TV5Monde and an Iraqi program developer identified by the handle “Security.Najaf.”
The link, while it cannot be fully verified, might suggest that the massive cyberattack was indeed perpetrated by sympathizers of the Islamic State of Iraq and Syria (ISIS) as opposed to a copycat.
{mosads}TV5Monde, a French television network that broadcasts worldwide, was knocked off the air on Wednesday after hackers took control of 11 channels. The intruders, who posted images and propaganda supporting ISIS, also gained control of the network’s social media pages.
Experts said the attack reveals a new level of sophistication for ISIS-affiliated hackers, who typically employ rudimentary measures to deface websites. The TV5Monde attack might be the first time the group has successfully hacked a TV station.
Researchers with software maker Blue Coat analyzed a string of malware similar to the one purportedly used in the cyberattack, finding it contained greetings that appear linked to “Security.Najaf,” a “prolific poster in [online] forums.”
An online search for the handle turns up links in Arabic-language forums, as well as a seemingly abandoned Twitter feed identifying its owner with the phrase, “designer, programming hacker.” The Twitter account is baed in Najaf, Iraq.
While claiming no insider knowledge of the attack, Blue Coat’s researchers said the malware appears to be an adaption of the Visual Basic Script worm KJ_W0rm, a derivative of the NJ_W0rm.
“VBS worms based on NJ_W0rm and KJ_W0rm should by now be picked up by most [anti-virus] products, though it’s always a challenge to reliably detect text-based malware, because they are so easily modified,” the firm wrote in a blog post.
The group behind the attack called itself the CyberCaliphate, the same name used by hackers that broke into the Twitter feeds for the U.S. Central Command and Newsweek magazine earlier this year.
Meanwhile, French authorities denied that hackers released any classified army documents during their siege, as they had claimed.
The CyberCaliphate had posted documents on Facebook they said were the identification cards of people tied to French soldiers fighting ISIS. “None of these documents mention the identity of French soldiers or of their families,” the French defense ministry said in a statement.
The cyberattack follows a terrorist attack by Islamic militants left 20 dead in Paris in January.