The website of the CERC, a government agency, was hacked by an ultranationalist and neo-fascist Turkish hacker group. The hack targets a site archived since 2013, but it is still a .gouv address.
“Hacked By Turkic Hackers Rulez (OPJ & M3T4L)”. Since the beginning of April, this is the message that has greeted Internet users visiting the site of the CERC (Council for Employment, Income and Social Cohesion), a former government entity, as France Info discovered on April 7. The site has been hacked for several days, in an attack claimed by the Turkic Hackers Rulez and by a Turkish ultra-nationalist group, the Gray Wolves.
“It is regrettable that the government sees us as terrorists in France. Please know that we are not engaged in terrorist activities. However, if you want to campaign against the Gray Wolves, we will not stop our attacks on your government sites”, warns the message. The text is accompanied by a red flag, inspired by the actual Turkish standard, representing two crescent moons facing each other and a swastika, and also by the symbol of the Gray Wolves.
The name of the Gray Wolves is not unknown to the French government: it is a Turkish ultranationalist organization, described as a terrorist group and banned in 2020 by the Ministry of the Interior. This is the first time that this group has openly claimed responsibility for a cyberattack in France — and the fact that it has lasted for days raises several questions.

Who are the Turkic Hackers Rulez and the Gray Wolves?
The hack is claimed by several actors. First up are M3T4L and OPJ, who appear to be hackers from the Turkic Hackers Rulez group. The group claimed responsibility for the attack on its Instagram account, in particular by sharing press articles mentioning the hack. However, it does not appear to be a very well-defined group: according to cybersecurity expert SaxX, the name of the group “could suggest several ‘young people’, isolated or in groups, appropriating this ‘banner’ a bit like with Anonymous”, he explains on X (ex-Twitter).


Little information is available about them: they were reportedly formed in 2020, and are said to count to their credit the hacking of the site of the English newspaper Time, and that of Cisco, a company specializing in cybersecurity. In February 2024, a group with a very similar name, the Turk Hack Team, had also claimed responsibility for the hack of La Poste and Crédit Agricole. It is, however, unclear whether the two are the same actor, as the Turk Hack Team did not claim responsibility for the attack on its Telegram account.
The other group claiming responsibility for defacing the CERC site is the Gray Wolves, an entity well known to the intelligence services. The Gray Wolves are described as a Turkish neofascist and ultranationalist paramilitary organization, and they have previously carried out physical attacks in France. The government ordered their dissolution in November 2020, after a series of attacks against the Armenian community in Lyon and Dijon. They had not previously claimed responsibility for cyberattacks.
An old government site affected
The CERC site has been inactive since April 3, 2024, according to ethical hacker Baptiste Robert — this means that 4 days passed between the hack and the moment it was noticed. At the time of publication of this article, the site had been defaced for 5 days, without the government having regained control.
Defacement attacks generally target small or medium-sized sites, which tend to be less well protected. The practice consists of altering the appearance of the site's home page in order to send a message, and rendering the site unusable. During the attack, hackers can also “take control of the server, and therefore potentially access sensitive data (personal, banking, commercial, etc.)”, the government’s Cybermalveillance site also points out.
Although the CERC does benefit from an official government address, using the .gouv extension, it was no longer an active site. The CERC was in fact replaced in 2013 by France Stratégie, and its site had been archived. The home page, before April 3, 2024, clearly displayed this notice, as SaxX noticed.


A site archived since 2013 is necessarily easier to hack than a maintained site, so the importance of the attack by Turkish hackers should be played down. Additionally, defacement generally does not expose sites to much danger, much like DDoS attacks, which are impressive but rarely damaging. However, it remains surprising that the state has not regained control of the site, five days after the hack.
France has been the target of numerous cyberattacks in recent months. In March alone, France Travail was the victim of data theft concerning 43 million people, and the interministerial network was seriously disrupted by a DDoS attack carried out by Anonymous Sudan. These attacks were much more impressive than the hack of the CERC site. The latter, however, shows that, a few months before the Olympics, France is more than ever the target of hackers, and it is a safe bet that they are not going to stop.