Hackers Came, But the French Were Prepared

The US watched as Russia “penetrated” French systems during the election run-up and gave French officials “a heads up,” Adm. Mike Rogers said recently. Rogers, who also serves as the director of the National Security Agency, said the US is also co-operating with Britain and Germany amid fears that Russia will attempt to sway the outcome of their elections.

The National Security Agency in Washington picked up the signs. So did Emmanuel Macron’s bare-bones technology team. And mindful of what happened in the American presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.

The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove for certain they were working for the government of President Putin but which strongly suggested they were part of his broader “information warfare” campaign.

The story told by American officials, cyberexperts and Mr. Macron’s own campaign aides of how a hacking attack intended to disrupt the most consequential election in France in decades ended up a dud was a useful reminder that as effective as cyber-attacks can be in disabling Iranian nuclear plants, or Ukrainian power grids, they are no silver bullet. The kind of information warfare favored by Russia can be defeated by early warning and rapid exposure.

But that outcome was hardly assured, when what was described as a “massive” hacking attack suddenly put Mr. Macron’s electoral chances in jeopardy. To French and American officials, however, it was hardly a surprise.

Admiral Rogers said American intelligence agencies had seen the attack unfolding, telling their French counterparts, “Look, we’re watching the Russians. We’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen. What can we do to try to assist?”

But the staff at Mr. Macron’s makeshift headquarters in Paris didn’t need the NSA to tell them they were being targeted: In December, after the former investment banker and finance minister had emerged as easily the most anti-Russian, pro-NATO and pro-European Union candidate in the presidential race, they began receiving phishing emails.

The phishing mails were “high quality,” said Mr. Macron’s digital director, Mounir Mahjoubi: They included the actual names of members of the campaign staff, and at first glance appeared to come from them. Typical was the very last one the campaign received, several days before the election, which purported to have come from Mr. Mahjoubi himself.

“It was almost like a joke, like giving us all the finger,” Mr. Mahjoubi said in an interview. The final email enjoined recipients to download several files “to protect yourself.”

Even before then, the Macron campaign had begun looking for ways to make life a little harder for the Russians, showing a level of skill and ingenuity that was missing in Hillary Clinton’s presidential campaign and at the Democratic National Committee, which had minimal security protections and for months ignored FBI warnings that its computer system had been penetrated.

“We went on a counter-offensive,” Mr. Mahjoubi said. “We couldn’t guarantee 100 percent protection” from the attacks, “so we asked: what can we do?” Mr. Mahjoubi opted for a classic “cyber-blurring” strategy, well known to banks and corporations, creating false email accounts and filling them with phony documents, the way a bank teller keeps fake bills in the cash drawer in case of a robbery.

“We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,” Mr. Mahjoubi said. “I don’t think we prevented them. We just slowed them down,” he said. “Even if it made them lose one minute, we’re happy,” he said.
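The operational complement of the decoy-account tactic described above is monitoring: a decoy mailbox has no legitimate user, so any login or document fetch against it is a high-confidence alert. The following monitor is an added example, not code from the article or the campaign; its log format, account names and addresses are all constructed for the demo.

```python
# Added example, not from the article or the campaign: decoy mailboxes have no
# legitimate users, so any login to or fetch from one is a high-confidence
# alert. The log format, account names and addresses are all constructed.
import re
from collections import defaultdict

DECOY_ACCOUNTS = {"j.dupont@example-campaign.fr", "finance-archive@example-campaign.fr"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>LOGIN|FETCH) (?P<ip>\S+)(?: (?P<item>\S+))?$")

def parse_line(line):
    """Parse one constructed mail-access log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def decoy_alerts(lines):
    """Collect every event touching a decoy mailbox, grouped by source IP."""
    hits = defaultdict(lambda: {"accounts": set(), "items": set(), "first_seen": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in DECOY_ACCOUNTS:
            continue
        h = hits[ev["ip"]]
        h["accounts"].add(ev["user"])
        if ev["item"]:
            h["items"].add(ev["item"])  # which planted document was taken
        h["first_seen"] = h["first_seen"] or ev["ts"]
    return dict(hits)

# Constructed sample log: one real user, one source touching two decoys, one bad line.
SAMPLE_LOG = [
    "2017-05-03T21:14:02Z m.real@example-campaign.fr LOGIN 192.0.2.10",
    "2017-05-03T21:15:40Z j.dupont@example-campaign.fr LOGIN 203.0.113.7",
    "2017-05-03T21:16:05Z j.dupont@example-campaign.fr FETCH 203.0.113.7 budget_v3.xlsx",
    "2017-05-03T21:16:09Z finance-archive@example-campaign.fr LOGIN 203.0.113.7",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for ip, h in decoy_alerts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: first seen {h['first_seen']}, accounts {sorted(h['accounts'])}, "
              f"items {sorted(h['items'])}")
```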

Mr. Mahjoubi refused to reveal the nature of the false documents that were created, or to say whether, in the Friday document dump that was the result of the hacking campaign, there were false documents created by the Macron campaign.

But he did note that in the mishmash that constituted the Friday dump, there were some authentic documents, some phony documents of the hackers’ own manufacture, some stolen documents from various companies, and some false emails created by the campaign.

“During all their attacks we put in phony documents. And that forced them to waste time,” he said. “By the quantity of the documents we put in,” he added, “and documents that might interest them.”

With only 18 people in the digital team, many of them occupied in producing campaign materials like videos, Mr. Mahjoubi hardly had the resources to track down the hackers. “We didn’t have time to try to catch them,” he said. But he has his suspicions about their identity. Simultaneously with the phishing attacks, the Macron campaign was being attacked by the Russian media with a profusion of fake news.

Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the American election, to search for evidence. In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo, watched the same Russian intelligence unit behind some of the Democratic National Committee hacks start building the tools to hack Mr. Macron’s campaign. They set up web domains mimicking those of Mr. Macron’s En Marche! party, and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a toehold on the campaign’s network.

It was the classic Russian playbook, security researchers say, but this time the world was prepared. “The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,” said John Hultquist, the director of cyberespionage analysis at FireEye. Mr. Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes. “There was a time when Russian hackers were characterized by their lack of sloppiness,” Mr. Hultquist said. “When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea,” he said, “we’ve seen them carry out brazen, large scale attacks,” perhaps because “there have been few consequences for their actions.”

The hackers also made the mistake of releasing information that was, by any campaign standard, pretty boring. The nine gigabytes worth of purportedly stolen emails and files from the Macron campaign was spun as scandalous material, but turned out to be almost entirely the humdrum of campaign workers trying to conduct ordinary life in the midst of the election maelstrom.

One of the leaked emails details a campaign staffer’s struggle with a broken-down car. Another documents how a campaign worker was reprimanded for failure to invoice a cup of coffee.

That is when the hackers got sloppy. The metadata tied to a handful of documents, the embedded record of how and where a file was created and edited, showed that some had passed through Russian computers and been edited by Russian users. Some Excel documents had been modified using software unique to Russian versions of Microsoft Windows.

Other documents had last been modified by Russian usernames, including one whom researchers identified as a 32-year-old employee of Eureka CJSC, based in Moscow, a Russian technology company that works closely with the Russian Ministry of Defense and intelligence agencies. The company has received licenses from Russia’s Federal Security Service, or FSB, to help protect state secrets. The company did not return emails requesting comment.
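The provenance clues the researchers relied on (creator, “last modified by”, editing application) live in the docProps/ parts of an Office Open XML package. The code below is an added example, not code from the article or any of the firms it names; it reads those properties from a docx/xlsx held in memory and lists heuristic observations, using a constructed sample package with a made-up creator and last modifier.

```python
# Added example, not code from the article or the campaign: read the OOXML properties
# investigators cited (creator, "last modified by", application) and flag oddities.
import io
import zipfile
import xml.etree.ElementTree as ET
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy"}
APP_FIELDS = {"application": "ep:Application"}

def _read_props(z, part, fields):
    if part not in z.namelist():
        return {k: None for k in fields}
    root = ET.fromstring(z.read(part))
    return {k: getattr(root.find(p, NS), "text", None) for k, p in fields.items()}

def extract_office_metadata(data: bytes) -> dict:
    """Return the core and app properties of an OOXML (docx/xlsx) package held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        props = _read_props(z, "docProps/core.xml", CORE_FIELDS)
        props.update(_read_props(z, "docProps/app.xml", APP_FIELDS))
    return props

def _has_cyrillic(s):
    return bool(s) and any("\u0400" <= ch <= "\u04ff" for ch in s)

def provenance_flags(props: dict) -> list:
    """Observations worth a second look; they are indicators, not proof of origin."""
    flags = []
    if props["last_modified_by"] and props["last_modified_by"] != props["creator"]:
        flags.append("last modifier differs from creator")
    if _has_cyrillic(props["last_modified_by"]) or _has_cyrillic(props["application"]):
        flags.append("Cyrillic text in user or application field")
    return flags

def build_sample_docx() -> bytes:
    """Constructed sample: only the docProps parts, with a made-up creator and last modifier."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>campaign.staffer</dc:creator>'
            '<cp:lastModifiedBy>Пользователь</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    app = '<Properties xmlns="%s"><Application>Microsoft Office Word</Application></Properties>' % NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)  # zipfile encodes str as UTF-8
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Metadata can be scrubbed or forged, so the flags are a prompt for further investigation, not an attribution by themselves.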

Other leaked documents appear to have been forged, or faked. One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,” by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly.

But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organisation, and others discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.

“It’s clear they were rushed,” Mr. Hultquist said. “If this was APT28,” he said, using the name for a Russian group believed to be linked to the GRU, a military intelligence agency, “they have been caught in the act, and it has backfired for them.”

Now, he said, the failure of the Macron hacks could just push Russian hackers to improve their methods.

“They may have to change their playbook entirely,” Mr. Hultquist said.

Sources: New York Times; DefenseOne
