Macron Hackers Linked To Russian Intelligence

The hackers behind a “massive and coordinated” attack on the campaign of France’s president-elect, Emmanuel Macron, have been linked by a number of cyber-security research firms to the Russian-affiliated group blamed for attacking the Democratic party shortly before the US election.

Tens of thousands of internal emails and other documents were released online as the midnight deadline to halt campaigning in the French election passed. According to the head of Macron’s digital team, Mounir Mahjoubi, “five entire mailboxes” were “stolen”, with many of the accounts being personal Gmail mailboxes.

US security firm Flashpoint and Tokyo-based Trend Micro have shared intelligence that suggests that the hacking group known variously as Advanced Persistent Threat 28, Fancy Bear and Pawn Storm was responsible. The group has been linked with the GRU, the Russian military intelligence directorate.

Macron, an independent centrist, won the run-off election against the far-right Marine Le Pen by a 66% to 34% margin. A congratulatory statement from the Kremlin, which had been widely seen as backing Le Pen, urged Macron to work with Russia to “overcome mutual mistrust and unite to ensure international stability and security”.

In an interview with Radio France, Mahjoubi sought to play down the impact of the data release, saying there were “no secrets” in the emails. “You will find jokes, you will find tens of thousands of invoices from suppliers … And you will find hundreds of exchanges on the manifesto, on organising events. In fact, all that makes a campaign.”

He said, however, that some among the thousands of published documents were fake. “There are files that have been added to these archives … fake emails that have been added.”

Despite the strong technical abilities believed to be possessed by APT 28, its primary route of attack is a simple yet effective method known as spear phishing: creating fake login pages targeted at individuals in an attempt to encourage them to enter their usernames and passwords, giving the hackers access to confidential information. They can then repeat the process, using the confidential information to craft even more convincing phishing pages, until they have stolen significant amounts of data.

Vitali Kremez of Flashpoint said his review indicated APT 28 was behind the leak. As part of the group’s spear phishing technique, it needs to register and control web addresses which could plausibly fool a target into thinking they were logging into a legitimate website. In the US elections, one such address (“myaccount.google.com-changepasswordmyaccount-idx8jxcn4ufdmncudd.gq”) was designed to look like an official Google page.

Recently, APT 28 registered decoy Internet addresses to mimic the name of Macron’s movement, En Marche! This was probably used to send emails to hack into the campaign’s computers, Kremez said. Those domains include onedrive-en-marche.fr, designed to appear like an official Microsoft address, and mail-en-marche.fr, which pretended to be a webmail site.
“If indeed driven by Moscow, this leak appears to be a significant escalation over the previous Russian operations aimed at the US presidential election, expanding the approach and scope of effort from simple espionage efforts towards more direct attempts to sway the outcome,” Kremez said. 

Trend Micro also identified links between the hacks, noting that the same organisation registered the fake Google address used in the hacks of the Democratic party’s national committee in April 2016 and the Macron address in March this year. That organisation had also registered domain names with the apparent purpose of stealing details from Germany’s Christian Democratic Union, through the party’s foundation arm Kas, and from MPs in Montenegro, where the government said last year said a coup plot had aimed at derailing the country’s elections.

Ryan Kalember of information security firm Proofpoint said there was evidence that En Marche!’s attacker had Russian connections. “Some of the metadata from this breach clearly indicates that certain documents, such as those with Macron’s ‘Bahamian bank accounts’, were edited on computers with Russian language operating systems,” he said.
Kalember said that was also a warning that some of the claimed leaked documents may be fake. “It’s absolutely critical that French citizens confirm the legitimacy of the news they are reading as this story develops. Make sure it is a reputable outlet and check multiple sources to confirm accuracy.” 

A number of factors appear to have lessened the impact of the hacks, from the late date when the stolen data was released, two days before the runoff vote, to the rapid response of the French electoral authorities.

The presidential electoral authority, the CNCCEP, warned broadcasters and the public to avoid sharing details gleaned from the documents, 9GB of which were posted by a user calling themselves Emleaks to the anonymous data-sharing site Pastebin.

The Daily Beast claimed that rather than being faked by the hackers or those reposting the data, the bogus information had been planted by the Macron campaign, which had become aware it was the target of a phishing campaign and flooded the hackers with false information.

The Macron campaign reportedly turned the spear phishing strategy against the attackers, by flooding “these addresses with multiple passwords and logins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out”, according to Mahjoubi. As well as the fake documents that he alleged had been added by the hackers, “there is also information that we had sent in counter-retaliation for phishing attempts”, he told Radio France.

Guardian

You Might Also Read: 

Macron condemns 'massive' Hacking Attack:

Geolocation, Russian Hackers & False Flag Operations:

Does Russia’s Election Meddling Break International Law?:

Electoral Influence: 40yrs Of Kremlin Interference:

State Sponsored Hackers: Finding The Country Behind The Attack:

 

« Cybersecurity Has A Metrics Problem
Cyber Spies Go Mainstream »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

LRQA

LRQA

LRQA are a leading global assurance provider, bringing together unrivalled expertise in certification, brand assurance, cybersecurity, inspection and training.

MBL Technologies

MBL Technologies

MBL Technologies specializes in information assurance, enterprise security, privacy, and program/project management.

Inky Technology Corp

Inky Technology Corp

Inky® Phish Fence is an email protection gateway that uses sophisticated AI, machine learning and computer vision algorithms to block deep sea phishing attacks that get through every other system.

Ioetec

Ioetec

Ioetec's mission is to connect users to their IoT devices securely, ensuring these devices remain safe to use in our increasingly connected world.

Evanston Technology Partners (ETP)

Evanston Technology Partners (ETP)

ETP provides services and solutions to enable and transform businesses in the areas of cybersecurity, data protection, and efficient operations practices.

Titans24

Titans24

Titans24 is a Software-as-a-Service security platform for web applications. It prevents attacks on business websites that are protected under 11 cyber-security layers.

Dcode

Dcode

Dcode connects the tech industry and government to drive commercial innovation in the federal market.

Authomize

Authomize

Authomize aggregates identities and authorization mechanisms from any applications around your hybrid environment into one unified platform so you can easily and rapidly manage and secure all users.

Gray Analytics

Gray Analytics

Gray Analytics is a Cybersecurity Risk Management company providing best-practice services across a broad spectrum of cyber scenarios for both government and commercial customers.

QuantiCor Security

QuantiCor Security

QuantiCor Security is one of the world’s leading developers and manufacturers of quantum computer resistant security solutions for IT infrastructures and the Internet of Things (IoT).

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

DuckDuckGoose

DuckDuckGoose

DuckDuckGoose offer advanced solutions to protect against manipulated videos, images, voices and texts.

DACTA Global

DACTA Global

DACTA was established with the aim of simplifying the perception of complexity surrounding digital security challenges and solutions.

Cloudaeris

Cloudaeris

Cloudaeris is a trusted Microsoft Partner, and we've got what it takes to make your business more efficient and agile.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

ViroSafe

ViroSafe

ViroSafe is a leading value-added distributor of IT security solutions in Norway.