Macron Hackers Linked To Russian Intelligence

The hackers behind a “massive and coordinated” attack on the campaign of France’s president-elect, Emmanuel Macron, have been linked by a number of cyber-security research firms to the Russian-affiliated group blamed for attacking the Democratic party shortly before the US election.

Tens of thousands of internal emails and other documents were released online as the midnight deadline to halt campaigning in the French election passed. According to the head of Macron’s digital team, Mounir Mahjoubi, “five entire mailboxes” were “stolen”, with many of the accounts being personal Gmail mailboxes.

US security firm Flashpoint and Tokyo-based Trend Micro have shared intelligence that suggests that the hacking group known variously as Advanced Persistent Threat 28, Fancy Bear and Pawn Storm was responsible. The group has been linked with the GRU, the Russian military intelligence directorate.

Macron, an independent centrist, won the run-off election against the far-right Marine Le Pen by a 66% to 34% margin. A congratulatory statement from the Kremlin, which had been widely seen as backing Le Pen, urged Macron to work with Russia to “overcome mutual mistrust and unite to ensure international stability and security”.

In an interview with Radio France, Mahjoubi sought to play down the impact of the data release, saying there were “no secrets” in the emails. “You will find jokes, you will find tens of thousands of invoices from suppliers … And you will find hundreds of exchanges on the manifesto, on organising events. In fact, all that makes a campaign.”

He said, however, that some among the thousands of published documents were fake. “There are files that have been added to these archives … fake emails that have been added.”

Despite the strong technical abilities believed to be possessed by APT 28, its primary route of attack is a simple yet effective method known as spear phishing: creating fake login pages targeted at individuals in an attempt to encourage them to enter their usernames and passwords, giving the hackers access to confidential information. They can then repeat the process, using the confidential information to craft even more convincing phishing pages, until they have stolen significant amounts of data.

Vitali Kremez of Flashpoint said his review indicated APT 28 was behind the leak. As part of the group’s spear phishing technique, it needs to register and control web addresses which could plausibly fool a target into thinking they were logging into a legitimate website. In the US elections, one such address (“myaccount.google.com-changepasswordmyaccount-idx8jxcn4ufdmncudd.gq”) was designed to look like an official Google page.

Recently, APT 28 registered decoy Internet addresses to mimic the name of Macron’s movement, En Marche! This was probably used to send emails to hack into the campaign’s computers, Kremez said. Those domains include onedrive-en-marche.fr, designed to appear like an official Microsoft address, and mail-en-marche.fr, which pretended to be a webmail site.

“If indeed driven by Moscow, this leak appears to be a significant escalation over the previous Russian operations aimed at the US presidential election, expanding the approach and scope of effort from simple espionage efforts towards more direct attempts to sway the outcome,” Kremez said.
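
The decoy addresses quoted above share one trait a mail gateway or proxy can check for: a trusted name appears in the hostname, but the domain that is actually registered belongs to someone else. The following sketch is an added example, not code from the article or from the firms it quotes; the `TRUSTED` allowlist and the two benign sample hosts are constructed assumptions, and the two-label `registrable()` helper stands in for a proper Public Suffix List lookup.

```python
import re

# Constructed allowlist of registrable domains the organisation really uses
# (an assumption for this example, not data from the article).
TRUSTED = {"google.com", "en-marche.fr"}

def registrable(host):
    """Naive registrable domain: the last two labels.
    Assumption: production tooling should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(host):
    """Return (verdict, registrable_domain) for a hostname from mail or proxy logs."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in TRUSTED:
        return ("trusted", reg)
    for name in sorted(TRUSTED):
        # Trusted name present, delimited by '.', '-' or the string boundary,
        # although the domain that is actually registered is a different one.
        m = re.search(r"(^|[.-])" + re.escape(name) + r"($|[.-])", host)
        if m:
            if m.end() == len(host):
                return ("hyphen-joined", reg)  # prefix glued on with '-'
            return ("embedded", reg)           # trusted name left of the real domain
    return ("unknown", reg)

# Hostnames quoted in the article, plus two constructed benign ones.
SAMPLES = [
    "myaccount.google.com-changepasswordmyaccount-idx8jxcn4ufdmncudd.gq",
    "onedrive-en-marche.fr",
    "mail-en-marche.fr",
    "mail.en-marche.fr",      # constructed: genuine subdomain of a trusted domain
    "example.org",            # constructed: unrelated host
]

def flagged(hosts):
    """Keep only the hosts that imitate a trusted name."""
    results = [(h,) + classify(h) for h in hosts]
    return [r for r in results if r[1] in ("embedded", "hyphen-joined")]

if __name__ == "__main__":
    for host, verdict, reg in flagged(SAMPLES):
        print(f"{verdict:14} registered domain: {reg:55} host: {host}")
```
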

Trend Micro also identified links between the hacks, noting that the same organisation registered the fake Google address used in the hacks of the Democratic party’s national committee in April 2016 and the Macron address in March this year. That organisation had also registered domain names with the apparent purpose of stealing details from Germany’s Christian Democratic Union, through the party’s foundation arm Kas, and from MPs in Montenegro, where the government said last year that a coup plot had aimed at derailing the country’s elections.

Ryan Kalember of information security firm Proofpoint said there was evidence that En Marche!’s attacker had Russian connections. “Some of the metadata from this breach clearly indicates that certain documents, such as those with Macron’s ‘Bahamian bank accounts’, were edited on computers with Russian language operating systems,” he said.

Kalember said that was also a warning that some of the claimed leaked documents may be fake. “It’s absolutely critical that French citizens confirm the legitimacy of the news they are reading as this story develops. Make sure it is a reputable outlet and check multiple sources to confirm accuracy.”

A number of factors appear to have lessened the impact of the hacks, from the late date when the stolen data was released, two days before the runoff vote, to the rapid response of the French electoral authorities.

The presidential electoral authority, the CNCCEP, warned broadcasters and the public to avoid sharing details gleaned from the documents, 9GB of which were posted by a user calling themselves Emleaks to the anonymous data-sharing site Pastebin.

The Daily Beast claimed that rather than being faked by the hackers or those reposting the data, the bogus information had been planted by the Macron campaign, which had become aware it was the target of a phishing campaign and flooded the hackers with false information.

The Macron campaign reportedly turned the spear phishing strategy against the attackers, by flooding “these addresses with multiple passwords and logins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out”, according to Mahjoubi. As well as the fake documents that he alleged had been added by the hackers, “there is also information that we had sent in counter-retaliation for phishing attempts”, he told Radio France.

Guardian
