Vladimir Putin speaks to French far-right presidential candidate Marine Le Pen, in the Kremlin in Moscow in March. Mikhail Klimentyev/Sputnik via AP

France’s Macron Hack Likely By Same Russian Group That Hit DNC, Sources Say

A growing list of indicators points to a hack squad associated with the Russian GRU.

The same Putin-backed hacking group that targeted the Democratic National Committee last year has been targeting French presidential candidate Emmanuel Macron, according to multiple cybersecurity groups.

On Friday, Macron claimed that his campaign had suffered a “massive and coordinated” data theft and smear campaign, with some 9 gigabytes of data stolen and published to an anonymous sharing site called Pastebin.

No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.

The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site (or whether the documents on Pastebin were even authentic).

Of particular interest in the Macron case is a new tactic: rather than luring the victim to a link and then trying to convince him or her to give up a password, APT 28 was targeting the Macron campaign with a lure to fake computer applications that looked like they actually came from Google. This time the victims weren’t prompted to give up their passwords. Instead, they could simply authorize a program that looked like it came from a trusted provider to do what that program appeared to be supposed to do. The scam abuses Open Authentication, or OAuth, and is known as an OAuth attack. “The big advantage is that users don’t have to reveal their password to the third party. Instead the third party applications get a token that can be used for authentication,” Trend Micro says in its report.
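Because no password is ever typed in this kind of attack, the place a defender finds it is the list of apps that users have authorized. The following is an added example, not code from Trend Micro or the article: a triage of OAuth grants in which the app names, client IDs, users and the approved list are all constructed, and the brand list is an assumption.

```python
from dataclasses import dataclass

# Gmail API scopes that let a third-party app read a mailbox.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
}
# Provider names an impostor app is likely to borrow (assumed list).
PROVIDER_BRANDS = ("google", "gmail", "onedrive", "microsoft")

@dataclass(frozen=True)
class Grant:
    user: str
    app_name: str
    client_id: str
    scopes: tuple

def triage(grant, approved_client_ids):
    """Return (severity, reasons) for one user-to-app authorization."""
    # Trust is keyed on the client ID; a display name can be anything.
    if grant.client_id in approved_client_ids:
        return "ok", []
    reasons = ["client_id is not on the approved list"]
    if any(b in grant.app_name.lower() for b in PROVIDER_BRANDS):
        reasons.append("app name borrows a trusted provider's brand")
    if MAIL_SCOPES & set(grant.scopes):
        reasons.append("token grants mailbox access without a password")
    severity = {1: "low", 2: "review", 3: "high"}[len(reasons)]
    return severity, reasons

def audit(grants, approved_client_ids):
    """List (user, app_name, severity) for every grant that is not 'ok'."""
    rows = [(g.user, g.app_name, triage(g, approved_client_ids)[0]) for g in grants]
    return [r for r in rows if r[2] != "ok"]

# Constructed sample data: app names, client IDs and users are hypothetical.
APPROVED = {"1001.apps.example"}
SAMPLE_GRANTS = [
    Grant("alice", "Google Calendar Sync", "1001.apps.example",
          ("https://www.googleapis.com/auth/calendar.readonly",)),
    Grant("bob", "Google Security Check", "6666.apps.example",
          ("https://mail.google.com/",)),
    Grant("carol", "PDF Merge Tool", "7777.apps.example",
          ("https://www.googleapis.com/auth/drive.file",)),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_GRANTS, APPROVED):
        print(row)
```

The approved app passes even though its name contains "Google", while the unapproved app with a similar name and a mailbox scope is rated high: the decision rests on the client ID, which the display name cannot fake.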

Greg Martin, CEO of the firm JASK, told Business Insider that this represented a clear escalation of tactics. "It's a new style of attack … very deadly and unprecedented … It's the first time we have seen this in the wild."

Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”

He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28-related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
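Both decoy domains named in this article follow one pattern: a service word hyphenated onto the campaign's name under the same top-level domain. The following is an added example, not from the article or the firms it quotes, of how a defender could sort newly observed domains by that pattern; the legitimate domain `en-marche.fr`, the service-word list and every sample other than the two decoys are assumptions or constructed.

```python
import re

# Service names a phishing domain pairs with the target's brand (assumed list).
SERVICE_WORDS = {"mail", "webmail", "onedrive", "login", "portal", "account"}

def registrable(domain):
    """Last two labels; enough for these samples (no public-suffix handling)."""
    return ".".join(domain.split(".")[-2:])

def classify(candidate, legit):
    """Compare one observed domain with the organisation's real domain."""
    cand = candidate.lower().rstrip(".")
    legit = legit.lower().rstrip(".")
    # The real domain and its true subdomains are the only legitimate forms.
    if cand == legit or cand.endswith("." + legit):
        return "legitimate"
    brand = legit.split(".")[0]
    label = registrable(cand).split(".")[0]
    if brand in label:
        # What is left after removing the brand, e.g. "onedrive" or "mail".
        extra = {t for t in re.split(r"[^a-z0-9]+", label.replace(brand, "")) if t}
        return "brand+service" if extra & SERVICE_WORDS else "brand-variant"
    if brand in cand:
        return "brand-in-subdomain"
    return "unrelated"

def suspicious(domains, legit):
    """Map each domain that borrows the brand to the reason it was flagged."""
    verdicts = {d: classify(d, legit) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in ("legitimate", "unrelated")}

# Assumption: the campaign's real domain; the article names only the decoys.
LEGIT = "en-marche.fr"
OBSERVED = [
    "onedrive-en-marche.fr",       # named in the article
    "mail-en-marche.fr",           # named in the article
    "mail.en-marche.fr",           # constructed: a real subdomain
    "en-marche.fr.files.example",  # constructed
    "en-marche.example",           # constructed
    "marche-du-livre.example",     # constructed, unrelated
]

if __name__ == "__main__":
    for domain, verdict in suspicious(OBSERVED, LEGIT).items():
        print(f"{verdict:20} {domain}")
```

A hyphen and a dot are easy to confuse on screen, but `mail.en-marche.fr` is controlled by whoever owns `en-marche.fr`, while `mail-en-marche.fr` is a separate registration anyone can buy.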

The event follows months of warnings about Kremlin influence and information operations allegedly targeting the French election for the benefit of Marine Le Pen’s National Front Party. On January 8, France’s Minister of Defense Jean-Yves Le Drian told French newspapers that “one cannot be naive” about the likelihood of Kremlin involvement to aid Le Pen, who has supported a closer relationship with Putin and a weakening of the EU.

Defense One first reported in January that the group sometimes known as Fancy Bear, APT 28, and by other names was actively targeting the French election with the same email tactics that they employed against previous targets, including, most famously, the DNC.

It’s not the first time Kremlin-backed hackers have targeted France. In April of 2015, the same group, posing as ISIS-linked Islamic extremists and calling itself the Cyber Caliphate, also attacked French television station TV5 Monde. The intent of that attack remains unclear.

Authorities and investigators have yet to make public hard forensic evidence linking the group to the hack on Macron’s campaign.

Today, in response to Macron’s claim, Trend Micro offered a clarifying statement. “Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. Without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”

In the meantime, some analysis suggests that portions of the 9 gigabyte document dump, or at least portions of it that are spreading on social media, may be forged.

The mixing of fake documents with stolen real documents, and then dumping both on the public to achieve a better political or market effect, is something that members of the intelligence community have worried about publicly for years. Kremlin-backed actors have done it before, but not through Wikileaks. Last August, hackers dumped a series of documents on the sites CyberBerkut and DC Leaks, both of which the intelligence community has linked to Putin's government. It was an attempt to smear a Putin political opponent by connecting him to George Soros. Problem is, the docs didn't match, suggesting a forgery.  

"In our election, and because of the decentralization of our voting system, my gravest fear was not that the Russians would hack the actual voting machines. Most were not online and many have paper trails. Nonetheless, I continue to think that any voter registrar that doesn't maintain a paper trail is guilty of negligence," Rep. Adam Schiff, D-Calif., the ranking member on the House Intelligence Committee, said in a statement. "Instead, I worried about the Russians dumping forged documents among the real, or worse still, adding fake paragraphs into real emails. Imagine the impact on an election if hackers inserted false information into a real email that suggested illegality by a candidate, and then published the document. If this was done close to an election, there would be no opportunity to disprove the forgery and who would believe the victim even if they could. In France with Macron's campaign, that nightmare scenario may be playing out, with hackers reportedly mixing fake documents in with the real and then dumping them. While we are still awaiting confirmation from French officials that there are indeed forgeries being dumped along with authentic stolen documents, this would represent yet another dangerous escalation of cyber interference in a Western nation's democracy."

Wikileaks was quick to publicize the Pastebin dump through its Twitter account. French authorities sought to limit the damage. “The dissemination of such data, which have been fraudulently obtained and in all likelihood may have been mingled with false information, is liable to be classified as a criminal offence,” France’s electoral commission said in a statement.

Defense One reached out to the Central Intelligence Agency. Mike Pompeo, the agency’s director, recently referred to Wikileaks as “a non-state hostile intelligence service.” The agency had no comment.

As of Sunday evening, French election results suggest Macron triumphed easily. 
