Media under attack: what cyberattacks can teach us about securing the broadcast media sector

In 2015, a dozen TV5 Monde channels were switched to a black screen. Simultaneously, on TV5 Monde's social networks and websites, the threat actor group CyberCaliphate claimed they were responsible for the attack1. It is not uncommon for cyber-attackers to enter a target's network to look for information. But what happened to TV5 Monde was not espionage. The aim was destruction. This cyberattack marked the beginning of a new era for media cybersecurity.

Why media is a hot target for cyberattacks

The media and entertainment industry plays a vital role in forming public outlook and a national view, making it a significant target for cyberthreat actors, nation-states and hacktivists seeking visibility. Media houses command a significant soft power to retain and spread their influence by advocating their agenda, gathering public opinion and shaping it. They also maintain tons of raw reporting and information acquired from less-known sources.

Nation-state-sponsored threat actors may try to exfiltrate or destruct such content to expose or discourage certain publications or merely to evaluate what the organization knows about the issue and identify its sources.

TV5 Monde hack: a case study for media

TV5 Monde's cyberattack gives us a well-connected example of nation-states attacking a media house. Targeted malicious software was fabricated to corrupt and destroy the internet-connected hardware that controlled the TV station's operations. Threat actor group CyberCaliphate claimed responsibility, but later investigations revealed Russia's military intelligence group, the GRU, behind it, tying the knots to nation-state threat actors.

This attack showed that a cyberattack could have consequences in the physical world. It was an aggressive position of cyber-weaponry. It started more than two months before the actual execution, and the financial cost was $5.6 million to TV5 Monde initially, followed by over $3.4 million every following year for protection.

So how did it happen? One of the TV5 Monde multimedia servers had its remote desktop protocol (RDP) port exposed to the internet and was using the default username/password. It was classified as a dead-end, though. An investigation indicated that the hackers used a social engineering technique: after journalists interacted with a phishing email, hackers were able to penetrate the channel's network through a Trojan horse, spread a virus on the IT infrastructure and create accounts with administrator rights.

The attackers freely moved laterally in the network for more than two months and were not caught.

Lessons learned

Deploying end-to-end digital security protection programs is important, not just security technology.

Maintaining logs in a searchable form, for at least the recent months, and having real-time log monitoring could have proactively detected later stages wherein the attackers:

  1. Created their own admin-level account in Active Directory
  2. Gained access to multiple routers and switches, and overwrote the devices' firmware
  3. Accessed IT process documentation, which detailed how login and passwords were handled
  4. Compromised a subcontractor's account that allowed them to connect to the TV5Monde VPN

The media and entertainment industry plays a vital role in forming public outlook and a national view, making it a significant target for cyberthreat actors, nation-states and hacktivists seeking visibility.

Detecting abnormal connections within a network environment using data-based machine learning models can provide an edge to organizations while defending against such cyberattacks.

Social media and phishing: a devastating combination

While impersonation, data exfiltration, defacement and piracy are the main cyberthreats to the media industry, the largest threat comes from social media. This is primarily because the center of business for media companies is online platforms. Tracking the fandom is important for the business and essential to sense the pulse of public feedback about their brand on digital and social platforms.

On July 15, 2020, a 17-year-old hacker and his accomplices breached Twitter's network and seized control of dozens of Twitter accounts assigned to high-profile users2. Twitter employees were targeted through a spear-phishing attack, and compromised accounts of influential people, such as Barack Obama, Bill Gates and Elon Musk, were used as a platform for a bitcoin scam.

Threat actors were able to phish employee credentials by calling them and instructing them on how to reset their passwords. A few employees fell prey and went to a dummy site controlled by the hackers where they entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes. Threat actors were able to steal over $118,000 worth of bitcoin.

Formal workforce cybersecurity education about information security threats and the company's policies for addressing them should be an ongoing practice in the context of a bigger security awareness program. This training can help reduce incidents and protect the company's brand and assets.

Protecting consumers' private identity information

Between April 25 and August 5, 2020, Warner Music Group discovered that several of its e-commerce websites had fallen victim to a three-month Magecart skimming attack3 (skimming attacks intend to illegally capture payment data and transfer it to another source). The data breach compromised customers' sensitive personal information and fetched the company a lawsuit from two plaintiffs who alleged that Warner failed to "properly secure and safeguard personally identifiable information."

Stolen data included customers' names, email addresses, telephone numbers, billing addresses, shipping addresses, and payment card details (card numbers, CVCs/CVVs, expiration dates), potentially enabling hackers to process fraudulent payments.

In these situations, it is critical for companies to monitor scripts trying to access sensitive data such as customer personal information.

Identifying abnormal behaviors to protect employee data

Canon also publicly confirmed in August 2020 that the company had been attacked by Maze ransomware and threat actors stole data from its company servers4. Total stolen data was around 10TB. Canon confirmed that data included the names, Social Security numbers, dates of birth, driver's license numbers, bank account numbers and electronic signatures of its current and former employees.

Protection cannot be served against exfiltration using data loss prevention (DLP) technologies alone. Organizations need to look at advanced detection measures that can build the profile of each user/entity based on their past behavior. This way, abnormal behaviors, such as an employee accessing sensitive data not linked to their job role, could be detected and stopped.

Make it absolutely easy

Technologies such as data-based machine learning algorithms are paving the way to building strong user entity behavior profiles. But also, above all, they support security capabilities. The right intelligence at the right place makes it absolutely easy to enhance managed detection and response capabilities and help security operations teams better investigate anomalies for quick remediation.


Share this blog article

About Harmanjit Bhogal
CFE, CEH, ACI and Delivery Head, Managed Detection and Response (MDR) SOC Operations
Harman is a digital security professional with more than 15 years of experience in cybersecurity and fraud risk management. His specialties include managed detection and response, solution architecting, banking fraud, risk management, security compliance and audits. He is co-author of Cyber Security in a Cashless Economy and is a regular speaker on the Cyber Tales podcast discussing cyber-risks and exchange of ideas on risk mitigation.

Follow or contact Harmanjit