The website of the National Assembly was the victim of a cyberattack on Monday, carried out by pro-Russian hackers. For Nicolas Arpagian, cybersecurity specialist, it is a “highly symbolic” target that has been targeted.
“It is above all a communication operation”, explained on Monday March 27 on franceinfo Nicolas Arpagian, cybersecurity specialist, teacher at Sciences Po Saint-Germain-en-Laye, after the cyber attack on the website of the National Assembly. The institution’s website was inaccessible, the victim of a “coordinated action that triggers an influx of requests whose origin is undetermined”. The attack was claimed on Telegram by a group of pro-Russian hackers, NoName057. For Nicolas Arpagian, “it’s a fairly low tech attack” which is limited to one “denied service”. This “unavailability” from the website of the National Assembly “is already a political message”.
franceinfo: Does the claim of the attack on the website of the National Assembly by a group of pro-Russian hackers, NoName057, seem credible to you?
Nicolas Arpagian: In the end, the claim does not matter so much. It’s a fairly low tech attack compared to what we can know in terms of intrusion. This is called denial of service. Denial of service is a bit like wanting to annoy a merchant. You organize a demonstration in front of his shop, you don’t break anything, you don’t attack the staff, but you stay in front. It means that there is no destruction. And that’s why the restoration, the reactivation of the site, is envisaged fairly quickly. It is above all a communication operation, because it is an attack that is very visible. Non-availability is already a political message. But on the other hand, it is something that is ultimately quite easy to implement and inexpensive. So there is no technical performance in this case.
>> The city of Lille victim of a cyberattack, four municipal agents received a ransom demand
Does this mean that there are no long-term consequences, risks of leakage of sensitive data for example?
We must guard against the risk of diversion. What we have seen sometimes is that hackers use this modus operandi which is very visible, but which has no impact beyond politics. The price per minute of non-availability of the National Assembly site has no financial impact. On the other hand – and that’s why it takes a bit of time before reactivating the systems – you have to make sure that it’s not a diversionary measure. Clearly, you organized a sort of very visible brawl outside while people entered the shop. It is therefore important to ensure the integrity of the systems. And this explains the hours spent ensuring this preservation of the digital assets of the National Assembly and the Senate.
“It is a target that is highly symbolic”
Nicolas Arpagian, cybersecurity specialistat franceinfo
Is this an unexpected target?
No, because it’s a highly symbolic target. Digital availability is the fact of being audible, of being present. We’re taking over your antenna. You encroach on the authority of the entity since you mute it, temporarily certainly, but you have the initiative. So it’s highly symbolic, not very technical, but it’s actually something that is not desirable over time.
600 investigations opened for cyberattacks last year against only 65 three years ago. It seems exponential. Does this mean that we do not sufficiently secure this type of site?
If we take the example of denial of service, the site of the National Assembly is calibrated to manage a certain volume of simultaneous connections. There are times of peaks in parliamentary news where many Internet users can connect. The site is configured to accept this increasing volume. It is obvious that if you triple, quadruple, quintuple this volume, it goes into safety, it saturates. It’s not a security flaw, it’s just that it’s usually adequate for normal flow. And there is this volumetry which is anticipated. As far as security is concerned, in the event of a breach of the integrity of the systems, the fact that we are going to break in to destroy data, modify data or exfiltrate data, this is a continuous development. The regulations set obligations for these operators, for these players who are qualified as essential services or of vital importance. And we ask them on the one hand, to deploy security policies, and on the other hand to train, to practice crisis management exercises.