Macron hackers linked to Russian-affiliated group behind US attack

Cybersecurity firms think group with ties to Russian intelligence was behind leak of emails and other documents belonging to French election winner’s campaign team
Emmanuel Macron arrives on stage at the Louvre after winning Sunday’s presidential election.

The hackers behind a “massive and coordinated” attack on the campaign of France’s president-elect, Emmanuel Macron, have been linked by a number of cybersecurity research firms to the same Russian-affiliated group blamed for attacking the Democratic party shortly before the US election.

Tens of thousands of internal emails and other documents were released online overnight on Friday as the midnight deadline to halt campaigning in the French election passed.

New York’s Flashpoint Intelligence and Tokyo-based Trend Micro have shared intelligence that suggests that the hacking group known variously as Advanced Persistent Threat 28, Fancy Bear and Pawn Storm was responsible. The group has been linked with the GRU, the Russian military intelligence directorate.

Vitali Kremez, director of research at Flashpoint, said his review indicated APT 28 was behind the leak. APT28 last month registered decoy internet addresses to mimic the name of Macron’s movement, En Marche!, which it probably used to send tainted emails to hack into the campaign’s computers, Kremez said. Those domains include and

“If indeed driven by Moscow, this leak appears to be a significant escalation over the previous Russian operations aimed at the US presidential election, expanding the approach and scope of effort from simple espionage efforts towards more direct attempts to sway the outcome,” Kremez said.

Trend Micro similarly identified links between the hacks, with the same organisation registering a phishing address used in the DNC hacks in April 2016 and the Macron address in March this year.

That organisation had also registered domain names with the apparent purpose of stealing details from Germany’s CDU and KAS, and from Montenegrin members of parliament.

Macron, an independent centrist, won Sunday’s runoff election against the far-right Marine Le Pen by a 66% to 34% margin.

EU capitals expressed relief that France had proven not to be the next domino to fall after Britain’s Brexit vote and Donald Trump’s election as US president. A congratulatory statement from the Kremlin, which had been widely seen as backing Le Pen, urged Macron to work with Russia to “overcome mutual mistrust and unite to ensure international stability and security”.

A number of factors appear to have lessened the impact of the hacks, from the late date when the stolen data was released – two days before Sunday’s second round runoff vote – to the rapid response of the French electoral authorities.

The presidential electoral authority, the CNCCEP, warned broadcasters and the public to avoid sharing details gleaned from the documents, 9GB of which were posted by a user calling themselves Emleaks to the anonymous data-sharing site Pastebin.

A third factor diminishing the impact of the hacks may have been the response of the Macron campaign, which intervened an hour before the legally imposed blackout on public statements from election candidates to report that many of the documents being shared were fake.

The Daily Beast claimed that rather than being faked by the hackers or those reposting the data, the bogus information had been planted by the Macron campaign, which had become aware it was the target of a phishing campaign and flooded the hackers with false information.

Despite the strong technical abilities believed to be possessed by APT 28, its primary route of attack is a simple yet effective method known as spear phishing: creating fake login pages targeted at individuals in an attempt to encourage them to enter their usernames and passwords, giving the hackers access to confidential information.

They can then repeat the process, using the confidential information to craft even more convincing phishing pages, until they have stolen significant amounts of data.

The Macron campaign reportedly turned this strategy around by flooding “these addresses with multiple passwords and logins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out”, according to Mounir Mahjoubi, the head of Macron’s digital team.
