By Joseph Menn and Leigh Thomas
SAN FRANCISCO/PARIS (Reuters) - Russian hackers linked to the Kremlin could be behind one of the biggest attacks to date on televised communications, which knocked French station TV5Monde off air in April, sources familiar with France's inquiry said.
A French judicial source told Reuters that the investigators are "leaning towards the lead of Russian hackers," confirming a report in French magazine L'Express.
Hackers claiming to be supporters of Islamic State caused the public station's 11 channels to temporarily go off air and posted material on its social media feeds to protest against French military action in Iraq.
But the judicial source said the theory that Islamist militants were behind the cyber attack was no longer the main lead in the investigation.
U.S. cybersecurity company FireEye, which has been assisting French authorities in some cases, said on Wednesday that it believed the attack came from a Russian group it suspects works with the Russian executive branch. Relations between Paris and Moscow have suffered over the crisis in Ukraine, leading France to halt delivery of two helicopter carriers built for Russia.
Information about the TV5 attack was published on a website branded as part of the "Cyber Caliphate," a reference to the Islamic State.
But the site was hosted on the same block of Internet Protocol addresses and used the same domain name server as the group called APT28 by FireEye and Pawn Storm by Trend Micro, another large security company.
"We suspect that this activity aligns with Russia's institutionalized systematic `trolling' -devoting substantive resources to fulltime staff who plant comments and content online that is often disruptive, and always favorable to President Putin" of Russia, FireEye said via email.
French authorities distributed a sample of malicious software from machines at the TV network that both FireEye and Trend Micro said originated with the Russian hacking group.
Trend Micro Vice President Rik Ferguson said it was possible that both the Russians and true Islamic State sympathizers had hacked the network, but the judicial source and FireEye discounted the possibility, citing other evidence.
Code used in the attack had been typed on a Cyrillic keyboard at times of day corresponding to working hours in St Petersburg or Moscow, FireEye said.
Researchers have tied the Russian group to attacks on NATO countries and on email of the White House and U.S. State Department.
Though paid Russian Internet commenting operations have been described in media reports for months, a story last week by the New York Times associated one of the main operations, in St. Petersburg, with disruptive fake news reports in the United States. The story connected the group with dozens of interconnecting hoax web pages, tweets and other false accounts of a chemical plant explosion in Louisiana, among other misinformation campaigns.