A growing list of indicators point to a hack squad associated with the Russian GRU.
The same Putin-backed hacking group that targeted the Democratic National Committee last year has been targeting French presidential candidate Emmanuel Macron, according to multiple cybersecurity groups.
On Friday, Macron claimed that his campaign had suffered a “massive and coordinated” data theft and smear campaign, some 9 gigabytes of data stolen and published to an anonymous sharing site called Pastebin.
No hard evidence has yet emerged linking the targeting to the doc dump. But over several weeks leading to the attack on Macron’s campaign, several firms in the private security community issued warnings. On April 25, cybersecurity group Trend Micro claimed a group known as APT 28, or Fancy Bear and Pawn Storm, was actively targeting the Macron campaign with bogus emails to convince campaign higher-ups to click on links.
The evidence: On March 15, operators working from IP addresses associated with APT 28 were registering domain names that were related to the Macron campaign, such as onedrive-en-marche.fr. Registering phony email domains would allow the operatives to send emails to targeted campaign workers that appear to be from the campaign. A cybersecurity professional with direct knowledge of the hack told Defense One that the same Putin-backed hacking group that targeted the DNC had also been targeting Macron. But they could not say with certainty that those actors were the same individuals who put the documents on the Pastebin site, (or if the documents on Pastebin were even authentic.)
Of particular interest in the Macron case is a new tactic: rather than luring the victim to a link and then trying to convince them to give up his or her password, APT 28 was targeting the Macron campaign with a lure to fake computer applications that looked like they actually came from Google.This time the victims weren’t prompted to give up their passwords. Instead they could simply authorize a program that looked like it came from a trusted provider to do what that program (looks like) it is supposed to do. The scam is called Open Authentication or an OAuth attack. “The big advantage is that users don’t have to reveal their password to the third party. Instead the third party applications get a token that can be used for authentication,” Trend Micro says in their report.
Greg Martin, CEO of the firm JASK, told Business Insider that this represented a clear escalation of tactics. "It's a new style of attack … very deadly and unprecedented … It's the first time we have seen this in the wild."
Vitali Kremez, director of research at the cybersecurity firm Flashpoint, also offered cautious analysis to the New York Times on Friday. “The key goals and objectives of the campaign appear to be to undermine Macron’s presidential candidacy and cast doubt on the democratic electoral process in general.”
He later told Reuters that APT 28 was indeed behind the attack after determining that APT 28 related entities had “registered decoy internet addresses to mimic the name of En Marche … including onedrive-en-marche.fr and mail-en-marche.fr.”
The event follows months of warnings about Kremlin influence and information operations allegedly targeting the French election for the benefit Marine Le Pen’s National Front Party. On January 8, France’s Minister of Defense Jean-Yves Le Drian told French newspapers that “one cannot be naive,” about the likelihood of Kremlin involvement to aid Le Pen, who has supported a closer relationship with Putin and a weakening of the EU.
Defense One first reported in January that the group sometimes known as Fancy Bear, APT 28, and by other names was actively targeting the French election with the same email tactics that they employed against previous targets, including, most famously the DNC.
It’s not the first time Kremlin-backed hackers have targeted France. In April of 2015, the same group, posing as ISIS-linked Islamic extremists and calling itself the Cyber Caliphate also attacked French television station TV5 Monde. The intent of that attack remains unclear.
Authorities and investigators have yet to make public hard forensic evidence linking the group to the hack on Macron’s campaign.
Today, in response to Macron’s claim, TrendMicro offered a clarifying statement. “Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. Without further evidence, it is extremely difficult to attribute this hack to any particular person or group."
In the meantime, some analysis suggests that portions of the 9 gigabyte document dump, or at least portions of it that are spreading on social media, may be forged.
The mixing of fake documents with stolen real documents, and then dumping both on the public to achieve a better political or market effect, is something that members of the intelligence community have worried about publicly for years. Kremlin-backed actors have done it before, but not through Wikileaks. Last August, hackers dumped a series of documents on the sites CyberBerkut and DC Leaks, both of which the intelligence community has linked to Putin's government. It was an attempt to smear a Putin political opponent by connecting him to George Soros. Problem is, the docs didn't match, suggesting a forgery.
"In our election, and because of the decentralization of our voting system, my gravest fear was not that the Russians would hack the actual voting machines. Most were not online and many have paper trails. Nonetheless, I continue to think that any voter registrar that doesn't maintain a paper trail is guilty of negligence," Rep Adam Schiff, D-Calif, the ranking member on the House Intelligence Committee, said in a statement. "Instead, I worried about the Russians dumping forged documents among the real, or worse still, adding fake paragraphs into real emails. Imagine the impact on an election if hackers inserted false information into a real email that suggested illegality by a candidate, and then published the document. If this was done close to an election, there would be no opportunity to disprove the forgery and who would believe the victim even if they could. In France with Macron's campaign, that nightmare scenario may be playing out, with hackers reportedly mixing fake documents in with the real and then dumping them. While we are still awaiting confirmation from French officials that there are indeed forgeries being dumped along with authentic stolen documents, this would represent yet another dangerous escalation of cyber interference in a Western nation's democracy."
Wikileaks was quick to publicize the Pastebin dump through its Twitter account. French authorities sought to limit the damage. “The dissemination of such data, which have been fraudulently obtained and in all likelihood may have been mingled with false information, is liable to be classified as a criminal offence,” France’s electoral commission said in a statement.
Defense One reached out to the Central Intelligence Agency. Mike Pompeo, the agency’s director, recently referred to Wikileaks as a “a non-state hostile intelligence service.” The agency had no comment.
As of Sunday evening, French election results suggest Macron triumphed easily.