Security firms think group with ties to Russian intelligence behind leak of emails and other documents belonging to French election winner’s campaign team

The hackers behind a “massive and coordinated” attack on the campaign of France’s president-elect, Emmanuel Macron, have been linked by a number of cybersecurity research firms to the Russian-affiliated group blamed for attacking the Democratic party shortly before the US election.

Tens of thousands of internal emails and other documents were released online overnight on Friday as the midnight deadline to halt campaigning in the French election passed. According to the head of Macron’s digital team, Mounir Mahjoubi, “five entire mailboxes” were “stolen”, with many of the accounts being personal Gmail mailboxes.

New York’s Flashpoint and Tokyo-based Trend Micro have shared intelligence that suggests that the hacking group known variously as Advanced Persistent Threat 28, Fancy Bear and Pawn Storm was responsible. The group has been linked with the GRU, the Russian military intelligence directorate.

Macron, an independent centrist, won Sunday’s runoff election against the far-right Marine Le Pen by a 66% to 34% margin. A congratulatory statement from the Kremlin, which had been widely seen as backing Le Pen, urged Macron to work with Russia to “overcome mutual mistrust and unite to ensure international stability and security”.

In an interview on Monday with Radio France, Mahjoubi sought to play down the impact of the data release, saying there were “no secrets” in the emails. “You will find jokes, you will find tens of thousands of invoices from suppliers … And you will find hundreds of exchanges on the manifesto, on organising events. In fact, all that makes a campaign.”

He said, however, that some among the thousands of published documents were fake. “There are files that have been added to these archives … fake emails that have been added.”

Despite the strong technical abilities believed to be possessed by APT 28, its primary route of attack is a simple yet effective method known as spear phishing: creating fake login pages targeted at individuals in an attempt to encourage them to enter their usernames and passwords, giving the hackers access to confidential information. They can then repeat the process, using the confidential information to craft even more convincing phishing pages, until they have stolen significant amounts of data.



Play Video 3:08 Who is the new French president, Emmanuel Macron? – video

Vitali Kremez of Flashpoint said his review indicated APT 28 was behind the leak. As part of the group’s spear phishing technique, it needs to register and control web addresses which could plausibly fool a target into thinking they were logging into a legitimate website. In the US elections, one such address (“myaccount.google.com-changepasswordmyaccount-idx8jxcn4ufdmncudd.gq”) was designed to look like an official Google page.

Last month, APT 28 registered decoy internet addresses to mimic the name of Macron’s movement, En Marche!, which it probably used to send emails to hack into the campaign’s computers, Kremez said. Those domains include onedrive-en-marche.fr, designed to appear like an official Microsoft address, and mail-en-marche.fr, which pretended to be a webmail site.

“If indeed driven by Moscow, this leak appears to be a significant escalation over the previous Russian operations aimed at the US presidential election, expanding the approach and scope of effort from simple espionage efforts towards more direct attempts to sway the outcome,” Kremez said.

Trend Micro also identified links between the hacks, noting that the same organisation registered the fake Google address used in the hacks of the Democratic party’s national committee in April 2016 and the Macron address in March this year. That organisation had also registered domain names with the apparent purpose of stealing details from Germany’s Christian Democratic Union, through the party’s foundation arm Kas, and from MPs in Montenegro, where the government said last year said a coup plot had aimed at derailing the country’s elections.

Ryan Kalember of information security firm Proofpoint said there was evidence that En Marche!’s attacker had Russian connections. “Some of the metadata from this breach clearly indicates that certain documents, such as those with Macron’s ‘Bahamian bank accounts’, were edited on computers with Russian language operating systems,” he said.

Kalember said that was also a warning that some of the claimed leaked documents may be fake. “It’s absolutely critical that French citizens confirm the legitimacy of the news they are reading as this story develops. Make sure it is a reputable outlet and check multiple sources to confirm accuracy.”

A number of factors appear to have lessened the impact of the hacks, from the late date when the stolen data was released – two days before Sunday’s runoff vote – to the rapid response of the French electoral authorities.



The presidential electoral authority, the CNCCEP, warned broadcasters and the public to avoid sharing details gleaned from the documents, 9GB of which were posted by a user calling themselves Emleaks to the anonymous data-sharing site Pastebin.

Another factor may have been the response of the Macron campaignIt intervened an hour before the legally imposed blackout on public statements from election candidates to report that many of the documents being shared were fake.

The Daily Beast claimed that rather than being faked by the hackers or those reposting the data, the bogus information had been planted by the Macron campaign, which had become aware it was the target of a phishing campaign and flooded the hackers with false information.

The Macron campaign reportedly turned the spear phishing strategy against the attackers, by flooding “these addresses with multiple passwords and logins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out”, according to Mahjoubi. As well as the fake documents that he alleged had been added by the hackers, “there is also information that we had sent in counter-retaliation for phishing attempts”, he told Radio France.