Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization's Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for "xls_cendric.rar" leak archive pic.twitter.com/jyhlmldlbL — WikiLeaks (@wikileaks) May 6, 2017

Evrika ("Eureka") ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides "integrated information security systems." The metadata in some Microsoft Office files shows the last person to have edited the files to be "Roshka Georgiy Petrovich," a current or former Evrika ZAO employee.

According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as "Fancy Bear" or APT28) in a March 15 "phishing" campaign using the domain onedrive-en-marche.fr. The domain was registered by a "Johny Pinch" using a Mail.com webmail address. The same threat group's infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.

The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:

Well this is fun pic.twitter.com/oXsH83snCS — Pwn All The Things (@pwnallthethings) May 6, 2017

The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel's political party.

The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as 4Chan, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.

Ars will continue to update this story as new details become available.