Security Experts:

Who Hacked French President-elect Emmanuel Macron's Campaign?

One thing is clear. The campaign of French President-elect Emmanuel Macron was hacked prior to the French presidential election this last Sunday -- and the finger was immediately pointed at Russia's APT28 (Fancy Bear). Russia has been caught meddling in western politics once again.

Evidence of APT28 involvement seems to come from three sources: the U.S. National Security Agency (NSA), security researchers, and circumstantial. The NSA was quick to blame Russia via a Senate Armed Services Committee hearing on Tuesday this week. The head of the NSA, Admiral Mike Rogers, told the committee that the NSA had warned its French counterparts at the time of the hack: "Look, we're watching the Russians, we're seeing them penetrate some of your infrastructure." The Russians are here.

Evidence from security researchers focuses on two areas: phishing sites and leaked document metadata. One phishing site, apparently created by APT28 on March 25, 2017 and clearly designed for the Macron campaign, 'onedrive-en-marche-dot-fr', was reported by Trend Micro in April. Other sites apparently tied to the APT28 infrastructures include portal-office-dot-fr, accounts-office-dot-fr and mail-en-marche-dot-fr -- and another with the surprising name of totally-legit-cloud-dot-email.

The document evidence includes the discovery of Cyrillic characters within some documents apparently leaked by the hackers. WikiLeaks tweeted on Saturday (the day before the French presidential vote), "#MacronLeaks assessment update: several Office files have Cyrillic meta data..." The obvious assumption is that Russian APT hackers altered the files before leaking them.

But while clearly suggesting possible APT28 involvement in the hack, French security researcher x0rz has demonstrated that neither of these can be taken as actual proof. In a blog post on Tuesday, he demonstrated the ease with which anybody could edit metadata and pretend to be anyone. He went further to explain how "I setup my own domain mimicking some APT28 artefacts: totally-legit-cloud-dot-email that has been registered using the same information as another APT28 phishing domain used during the attack on EM staff... This domain (that I own) is now linked with actual APT28 infrastructure according to some threat intelligence OSINT tools" (eg, threatcrowd.org).

In other words, anyone could have established the APT28-related phishing domains, and anyone could have planted Cyrillic characters in the metadata. x0rz believes that all this proves is that it might have been APT28, but it might not have been APT28.

The circumstantial evidence is that the hack follows the basic pattern used by (what everybody believes to have been) APT28 in the US election hacks: phish for the emails of the candidate you want to lose, and then leak them. This evidence claims that since this is what APT28 does, and this is what Russia would want, then therefore this was done by Russia.

But the parallel is not perfect. The Macron hack occurred far later in the election campaign than the DNC hack; the phishing emails appear to be far clumsier; and the email leak occurred too late to have any effect on the election outcome.

The Macron campaign's answer to this is that they were expecting hackers, that they knew they would not be able to prevent a hack, and they prepared for it with what amounts to the 'deception defense'. The New York Times reported, "'We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,' Mr. Mahjoubi [the campaign's digital director] said. 'I don't think we prevented them. We just slowed them down,' he said. 'Even if it made them lose one minute, we're happy'."

SecurityWeek talked to Kevin Eley, VP EMEA at TrapX, about the deception defense. In full, it amounts to the installation of a honeypot-like platform within the customer's infrastructure. Attackers are diverted towards the false shares, false databases, false structure -- and as soon as anything attempts to access them, the existence of an intruder is confirmed. The intrusion can then be tracked back to its source and the vulnerability closed. And if the intruder does manage to exfiltrate any data, it is false data.

"In the Macron hack," he told SecurityWeek, "the deception seems to be at the data level only." He confirmed that although this could not have been achieved by the campaign on the fly, it could have been done well in advance anticipating a hack. In other words, it can explain but does not prove why the leak occurred so late -- the attackers simply didn't know what to leak.

Just to confuse the issue further, Tyler Durden, discussing the Shadow Brokers' most recent leaks, writes today on zerohedge, "Inside the NSA dump among many other findings, we find hundreds of NSA attacks on China, as well as penetration attempts in which the NSA 'pretends' to be China so one wonders how difficult it would be for the NSA to pretend they are, oh, say Russia?"

So, who did hack Macron? The obvious conclusion is Russia; because Russia would benefit most from a Le Pen victory. But the timing of the document leaks was far too late to benefit Le Pen, and would more likely benefit Macron. The Occupy Movement could alternatively say that the 1% would benefit from an ex-Rothschild banker (Macron); just as they would benefit from a Republican president and a City of London not controlled by Brussels. It is not just Russia that has an incentive in meddling.

"As far as attribution related to the hacks Macron's campaign suffered, or the origins of the stolen documents," F-Secure researcher Andy Patel told SecurityWeek, "fingers are being pointed based on 'who would/wouldn't do something like this?' by people who don't have access to enough evidence to be 100% certain of anything."

The bottom line is that we do not know who hacked Macron, nor why. It might have had nothing to with discrediting Macron per se, but merely to add to the current confusion over real and fake news on the internet. "If it's information warfare -- rather than cyber warfare," suggests F-Secure security advisor Sean Sullivan, "then the point is not stealth. It's to make the point that your systems are under attack, your options are limited, and you always need to be on your guard. And there's nothing you or your leaders can do to stop us!

"Nothing is certain. But that's probably also exactly the goal of the information warfare, to get you to believe in nothing."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.