Au Revoir, Alleged Russian 'Fancy Bear' Hackers

Macron's Campaign Claims to Fake Out APT28 Hackers' Phishing Attempts
Au Revoir, Alleged Russian 'Fancy Bear' Hackers
Despite the 11th hour document dump, Emmanuel Macron beat Marine Le Pen to become president of France. (Photo: Lorie Shaull, Flickr/CC)

Who in the world could have attempted to mess with this past weekend's presidential election in France via a well-timed dump of campaign documents and communications?

See Also: Suddenly, AI-Powered Threats Don’t Seem So Intelligent

No surprise: Security experts say all evidence points to the usual suspect - Russian intelligence - and in particular the group known as APT28, aka Fancy Bear, Pawn Storm, Sednit, Sofacy and Strontium.

The impetus for the dump appeared to be an attempt to bolster the chances of centrist Emmanuel Macron's opponent, far-right candidate Marine Le Pen. Regardless, in the May 7 second round of the national elections, Le Pen won only 33.9 percent to Macron's 66.1 percent.

The dumped information could have been damaging, as it appeared just hours before a 44-hour, government-mandated media ban on any campaigning or related coverage went into effect.

But Macron's campaign En Marche! - "on the move" - appeared to be ready, and it quickly confirmed that its systems had been breached while downplaying the leaks. It also noted the campaign had "consistently been targeted by such initiatives" in recent months and that the leaks would reveal only "lawful" activities.

The dumped data consisted of "diverse documents, such as emails, accounting documents and contracts" hacked several weeks ago from the personal and professional accounts of some of the movement's staffers, according to a statement issued by En Marche.

"Coming in the final hours of the campaign, this operation clearly amounts to democratic destabilization as was seen in the United States," the campaign said.

Document Dump: Campaign Minutiae

Dumping data can serve as a sleight of hand by attackers, allowing them to suggest that the private information was hidden to mask signs of "corruption." The sudden appearance of massive quantities of private, internal communications related to Hillary Clinton's U.S. presidential campaign last year, for example, was seized on by right-leaning media organizations and commentators as evidence of her campaign's wrongdoing. But many commentators said that French media reports have been awash with stories of U.S. election interference and that French voters refused to take the bait.

Furthermore, security experts say there is no smoking gun in the Macron dump that suggests any wrongdoing on the part of the campaign. Indeed, analyses of the emails conducted by various security experts has found that they are all between Macron's staff and consumed, as one would hope, with the day-to-day minutiae of running a presidential campaign, including requests for training and time off.

"I have searched through a lot of large email drops before, and this is right up there with the boringest of them," says Matt Tait, a former information security specialist for Britain's GCHQ intelligence agency who's now the CEO of U.K.-based consultancy Capital Alpha Security.

This wasn't the first time Macron's campaign was so targeted (see Russian Hackers Said to Target French Presidential Candidate). Just prior to last month's presidential election debates in France, supposed leaks from a "Latvian" poster suggested that Macron had secret, offshore bank accounts. "We will soon have swiftnet logs going back months and will eventually decode Macron's web of corruption," the "Latvian" said in a post to 4chan, according to a report published by Trend Micro.

On April 24, Trend Micro also detailed phishing attacks against Macron's campaign by APT28 that began earlier this year. The phishing campaign employed a lookalike - but fake - web server address "" in attack emails.

Trend Micro said the attack infrastructure used to target Macron's campaign was also used in attacks against Germany's Christian Democratic Union political party, the Turkish and Montenegro parliaments, the World Doping Agency, nuclear power generator Westinghouse Electric Company as well as the Democratic National Committee and Clinton campaign chairman John Podesta.

U.S. intelligence agencies in January alleged Russian President Vladimir Putin had directly authorized the campaign against Clinton.

Evidence Points to APT28

Security experts say metadata associated with the Macron dump has Russian fingerprints. As noted by Capital Alpha Security's Matt Tait, who tweets as @pwnallthethings, the Macron dump was uploaded to by a user with the email address ""

That same webmail service was used in 2016 to register an email address that was tied to phishing attacks against the German Christian Democratic Union, which is the political party of the Chancellor of Germany, Angela Merkel. According to an analysis from security firm Trend Micro, the attackers again used decoy webmail server addresses in their phishing attacks.

Metadata associated with the dumped documents also suggests Russian involvement.

French security researcher Matt Suiche, managing director of Dubai-based incident response firm Comae Technologies, says some of the dumped documents were edited using versions of Microsoft Word set to use the Russian language.

Many of those documents - some of which were 10 years old - were edited by a Russian-named user during a single four-minute period on March 27, according to Chris Doman, a researcher at security firm AlienVault. "It suggests the edits may be following their theft, not before," he says in a blog post.

But he notes that it's unclear if the documents dumped May 5 were stolen in the March and April attacks against the Macron campaign highlighted by Trend Micro.

WikiLeaks Spots Russian Company Name

After links to the dumped Macron campaign information were posted to Pastebin May 5, WikiLeaks was quick to post its own links to the information, as well as links to magnet links to BitTorrent files. Subsequently, however, WikiLeaks noted that it too found metadata with Russian ties.

As WikiLeaks tweeted: "#MacronLeaks assessment update: several Office files have Cyrillic meta data. Unclear if by design, incompetence, or Slavic employee."

WikiLeaks, however, suggested its findings are open to multiple interpretations. "False flag, incompetence, intentional Russian signaling, or happenstance," it offered as possible explanations.

Russian government news agency Sputnik - earlier this year branded as a "Kremlin propaganda machine" by NATO - reported on the WikiLeaks findings, including the mention of "Evrika," which WikiLeaks said had obtained "FSB security certificate to protect state secrets."

Some analysts have noted the Sputnik appeared to be attempting to play up the fact of the leaks, potentially in an effort to try and destabilize the Macron campaign.

Dump Contained Fabricated Information

At least some of the information contained in the Macron campaign dump is fabricated - and frequently ridiculous - according to reviews by information security and operational security experts such as the researcher known as "the Grugq." For example, one leaked email suggests that an elderly French politician had used bitcoin to buy crystal meth and then have it shipped to the Assembl&'eacutee Nationale - France's lower house of Parliament.

How did fabricated information end up in the documents and communications that were supposedly obtained from the breach of Macron campaign staffers personal and work email accounts and systems?

Thomas Rid, a professor of war studies at King's College London, says Soviet propaganda operators' preference was to pepper largely legitimate information with falsehoods. "Historic note: Soviet bloc disinformation operators considered the best fact/forgery mix to be [about] 90 percent fact, [about] 10 percent fake," Rid says via Twitter.

But the provenance of the information contained in the Macron campaign dump isn't clear. Macron's campaign, meanwhile, has suggested that it faked out attackers by navigating to phishing pages and entering false information.

"You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out," Mounir Mahjoubi, who heads Macron's digital team, told The Daily Beast.

Rid, however, questions the effectiveness of this type of disinformation campaign or the suggestion that the Macron campaign somehow "outsmarted" their attackers.

"Entering false passwords on phishing sites is neither an effective response nor [is] 'planting bogus information,'" Rid says via Twitter. "There's *no evidence* the Macron campaign 'outsmarted' or deceived anybody. You can't 'sign on' to APT28 phishing sites & 'plant' information."

Rid says it's also not clear what the leak - made less than 48 hours before voting began - was meant to achieve, saying it was likely too late to be effective. If the leak was authorized and launched by an intelligence agency, Rid says via Twitter that "it seems to be ... brazen but very badly executed."

Obviously, with Macron's win, the campaign also appears to have failed.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.