Macron Hackers Linked To Russian Intelligence

The hackers behind a “massive and coordinated” attack on the campaign of France’s president-elect, Emmanuel Macron, have been linked by a number of cyber-security research firms to the Russian-affiliated group blamed for attacking the Democratic party shortly before the US election.

Tens of thousands of internal emails and other documents were released online as the midnight deadline to halt campaigning in the French election passed. According to the head of Macron’s digital team, Mounir Mahjoubi, “five entire mailboxes” were “stolen”, with many of the accounts being personal Gmail mailboxes.

US security firm Flashpoint and Tokyo-based Trend Micro have shared intelligence that suggests that the hacking group known variously as Advanced Persistent Threat 28, Fancy Bear and Pawn Storm was responsible. The group has been linked with the GRU, the Russian military intelligence directorate.

Macron, an independent centrist, won the run-off election against the far-right Marine Le Pen by a 66% to 34% margin. A congratulatory statement from the Kremlin, which had been widely seen as backing Le Pen, urged Macron to work with Russia to “overcome mutual mistrust and unite to ensure international stability and security”.

In an interview with Radio France, Mahjoubi sought to play down the impact of the data release, saying there were “no secrets” in the emails. “You will find jokes, you will find tens of thousands of invoices from suppliers … And you will find hundreds of exchanges on the manifesto, on organising events. In fact, all that makes a campaign.”

He said, however, that some among the thousands of published documents were fake. “There are files that have been added to these archives … fake emails that have been added.”

Despite the strong technical abilities believed to be possessed by APT 28, its primary route of attack is a simple yet effective method known as spear phishing: creating fake login pages targeted at individuals in an attempt to encourage them to enter their usernames and passwords, giving the hackers access to confidential information. They can then repeat the process, using the confidential information to craft even more convincing phishing pages, until they have stolen significant amounts of data.

Vitali Kremez of Flashpoint said his review indicated APT 28 was behind the leak. As part of the group’s spear phishing technique, it needs to register and control web addresses which could plausibly fool a target into thinking they were logging into a legitimate website. In the US elections, one such address (“myaccount.google.com-changepasswordmyaccount-idx8jxcn4ufdmncudd.gq”) was designed to look like an official Google page.

Recently, APT 28 registered decoy Internet addresses to mimic the name of Macron’s movement, En Marche! This was probably used to send emails to hack into the campaign’s computers, Kremez said. Those domains include onedrive-en-marche.fr, designed to appear like an official Microsoft address, and mail-en-marche.fr, which pretended to be a webmail site.
“If indeed driven by Moscow, this leak appears to be a significant escalation over the previous Russian operations aimed at the US presidential election, expanding the approach and scope of effort from simple espionage efforts towards more direct attempts to sway the outcome,” Kremez said. 

Trend Micro also identified links between the hacks, noting that the same organisation registered the fake Google address used in the hacks of the Democratic party’s national committee in April 2016 and the Macron address in March this year. That organisation had also registered domain names with the apparent purpose of stealing details from Germany’s Christian Democratic Union, through the party’s foundation arm Kas, and from MPs in Montenegro, where the government said last year said a coup plot had aimed at derailing the country’s elections.

Ryan Kalember of information security firm Proofpoint said there was evidence that En Marche!’s attacker had Russian connections. “Some of the metadata from this breach clearly indicates that certain documents, such as those with Macron’s ‘Bahamian bank accounts’, were edited on computers with Russian language operating systems,” he said.
Kalember said that was also a warning that some of the claimed leaked documents may be fake. “It’s absolutely critical that French citizens confirm the legitimacy of the news they are reading as this story develops. Make sure it is a reputable outlet and check multiple sources to confirm accuracy.” 

A number of factors appear to have lessened the impact of the hacks, from the late date when the stolen data was released, two days before the runoff vote, to the rapid response of the French electoral authorities.

The presidential electoral authority, the CNCCEP, warned broadcasters and the public to avoid sharing details gleaned from the documents, 9GB of which were posted by a user calling themselves Emleaks to the anonymous data-sharing site Pastebin.

The Daily Beast claimed that rather than being faked by the hackers or those reposting the data, the bogus information had been planted by the Macron campaign, which had become aware it was the target of a phishing campaign and flooded the hackers with false information.

The Macron campaign reportedly turned the spear phishing strategy against the attackers, by flooding “these addresses with multiple passwords and logins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out”, according to Mahjoubi. As well as the fake documents that he alleged had been added by the hackers, “there is also information that we had sent in counter-retaliation for phishing attempts”, he told Radio France.

Guardian

You Might Also Read: 

Macron condemns 'massive' Hacking Attack:

Geolocation, Russian Hackers & False Flag Operations:

Does Russia’s Election Meddling Break International Law?:

Electoral Influence: 40yrs Of Kremlin Interference:

State Sponsored Hackers: Finding The Country Behind The Attack:

 

« Cybersecurity Has A Metrics Problem
Cyber Spies Go Mainstream »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Quttera

Quttera

Quttera provides Website Security Solutions for Small & Medium Businesses, Enterprises and Organizations.

SSLGURU

SSLGURU

SSLGURU bring all of the major SSL certificate vendors to one market place in order to create the world's largest SSL store with the most competitive prices.

Qualys

Qualys

Qualys is a pioneer and leading provider of cloud security and compliance solutions.

Cyber, Space, & Intelligence Association (CSIA)

Cyber, Space, & Intelligence Association (CSIA)

CSIA focuses on issues critical to Cyber Security, Military Space and Intelligence.

Silverskin Information Security

Silverskin Information Security

Silverskin is a cyber attack company that specializes in having knowledge of the attacker's mindset to identify vulnerabilities and build effective and persistent defences.

LSEC

LSEC

LSEC is a global innovator and facilitator for the Cybersecurity industry. It is a non-profit membership organisation supporting further maturing the industry through its end users.

LMG Security

LMG Security

LMG Security is a cybersecurity consulting, research and training firm.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

CloudVector

CloudVector

CloudVector's API Detection & Response platform is the only API Threat Protection solution that goes beyond the gateway to provide Shadow API Prevention and Deep API Risk Monitoring and Remediation.

Smart Protection

Smart Protection

Smart Protection are experts in brand and trademark protection - we fight against counterfeits and unauthorized usages of brands with machine learning technology.

HacWare

HacWare

HacWare is a data driven cybersecurity awareness product that leverages machine learning and behavior analytics help IT professionals combat phishing.

Innovex Global

Innovex Global

Innovex is a full-service executive search and advisory business that engages with early-stage startups, scale-ups, and established businesses in the Fintech, Cybersecurity and Technology industries.

Concourse Labs

Concourse Labs

Concourse Labs Security Guardrails continuously verify cloud infrastructure and workloads. Continuously assess clouds for security, resiliency, and regulatory compliance.

SpireTec Solutions

SpireTec Solutions

SpireTec Solutions is an IT management training company offering 1500+ courses with state of art training facilities backed by a team of industry experts in various domains including cybersecurity.

CyberCure

CyberCure

CyberCure provide specialised roles and services to manage your organisations cybersecurity requirements and professional advisory services in governance, risk and compliance.

Academia the Technology Group

Academia the Technology Group

Academia specialise in the supply of software, IT hardware, training and service solutions to the public sectors, business and pro media markets.