Wikileaks and far-right activists helped facilitate the spread of the “MacronLeaks” documents on social media as France entered a legally mandated pre-election media blackout ahead of Sunday’s presidential vote.

Advertising Read more

Just hours before the official end of campaigning at midnight on Friday night, an anonymous source posted links to the documents on 4chan, an online forum popular with far-right activists. An estimated 9 gigabytes of data had been shared on the file-sharing site Pastebin under a profile called “EMLeaks”.

Macron's campaign confirmed in a statement publicised minutes before the midnight moratorium came into effect that it had been the victim of a “massive” hack. "The documents "were obtained several weeks ago after the personal and professional mailboxes of several leaders of the movement were hacked", the En Marche! campaign said, adding that a number of falsified documents were also being circulated.

But beyond confirming the hack, the campaign’s response to the leaked documents was necessarily muted due to media laws prohibiting “any message that may be categorised as electoral propaganda” in the 44 hours before polls closed at 8pm on Sunday.

French electoral authorities were quick to warn that anyone sharing the leaked information could be committing a crime. "The dissemination of such data, which has been fraudulently obtained and in all likelihood may be mixed with false information, is liable to be classified as a criminal offence," the electoral commission said.

Communiqué : Suites de l’attaque informatique qu’a subie l’équipe de campagne de M. Macron pic.twitter.com/3h1XDlMgWB — CNCCEP (@cnccep) 6 mai 2017

France’s electoral authorities said after a meeting on Saturday that the leaked data was likely obtained from the "information systems and mail accounts” of Macron’s campaign managers.

The commission urged both French media and private citizens not to share the leaked documents in order to preserve “the integrity of the vote".

WikiLeaks and bots take the bait

Brussels-based Nicolas Vanderbiest, a researcher at the Catholic University of Louvain and a specialist on social media influence, tweeted a map showing how the Macron leaks propagated on Twitter, with both Wikileaks and alt-right activist Jack Posobiec playing dominant roles.

"It's just incredible what's happening," Vanderbiest told AFP.

La cartographie animée temporaire et rapide de #MacronLeaks sans les explications pic.twitter.com/aGrW86KEoh — Nicolas Vanderbiest (@Nico_VanderB) 5 mai 2017

Ben Nimmo, an information security fellow at the Atlantic Council’s Digital Forensic Research Lab (DFRLab), found that the #MacronLeaks hashtag had been used in almost 47,000 tweets within the 3.5 hours after it was first used by Posobiec, who writes for Canada's far-right Rebel media outlet and who supported both Donald Trump and France’s Marine Le Pen.

Posobiec’s first tweet on the Macron documents was sent out to his more than 100,000 Twitter followers at 18:49 GMT. It was retweeted 15 times within one minute and 87 times in five minutes, "suggesting the use of automated bots to amplify the signal", Nimmo and other DFRLab researchers wrote in an article for Medium.

“Between 18:50 UTC (GMT) and 22:20 UTC on Friday, my machine scan showed 46,928 tweets were posted on the hashtag #MacronLeaks,” Nimmo said in an email – in other words, more than 223 tweets per minute for three and a half hours.

The DFRLab said the #MacronLeaks hashtag was first dominated by English-language tweets but eventually migrated from the United States to France, where it was picked up by Le Pen supporters. The vice-president of Le Pen's National Front party, Florian Philippot, eventually weighed in, asking: "Will the #Macronleaks tell us something that investigative journalism deliberately killed?"

"[T]he data indicates that the #MacronLeaks hashtag was initially launched in the US and was driven by a cluster of alt-right accounts and probable bots," the researchers wrote. "It was then picked up by Le Pen supporters, and probable bots, and passed on to the French audience."

But Nimmo said it was WikiLeaks that gave the Macron leaks its largest Twitter boost, tweeting about the documents at least 15 times to the group's 4.6 million followers. One tweet noted that a leaked document contained some cyrillic metadata.



#MacronLeaks assessment update: several Office files have Cyrillic meta data. Unclear if by design, incompetence, or Slavic employee. pic.twitter.com/4ge2IMmtHj — WikiLeaks (@wikileaks) May 6, 2017

Vitali Kremez, director of research at US cyber security firm Flashpoint, told Reuters late on Friday that an initial review of the documents indicates that the APT 28 hacking collective may have been behind the leak. Also known as Pawn Storm and Fancy Bear among other names, several Western intelligence agencies believe the group has ties to Russia’s GRU military intelligence agency.

Last month, APT 28 registered decoy Internet address that resembled the names of En Marche! domains – including "onedrive-en-marche.fr" and "mail-en-marche.fr" – which it likely used to send phishing emails in an attempt to hack the campaign’s computers, Kremez said.

The same collective is believed to have been behind the hacks and subsequent leaks of US Democratic Party emails last year. But Kremez noted that the hackers’ modus operandi appears to be evolving into a more targeted technique.

“If indeed driven by Moscow, this leak appears to be a significant escalation over the previous Russian operations aimed at the US presidential election, expanding the approach and scope of effort from simple espionage efforts towards more direct attempts to sway the outcome,” Reuters quoted Kremez as saying.

In a report released in late April, Japanese cyber-security firm Trend Micro noted that the hacking collective had been trying for months to hack into the accounts of senior Macron campaign officials to access its email exchanges. Macron’s campaign confirmed that it had been the target of at least five advanced cyber-attack operations since January.

"We are 99 percent sure that the attacks come from Russia," said Loïc Guézo, Trend Micro’s strategy director for southern Europe, in comments to FRANCE 24 soon after the report was released.

Counterstrike?

But Macron's team may have found a way to beat the hackers at their own game. In an April interview with The Daily Beast, Mounir Mahjoubi, the campaign's digital communications expert, noted that it was possible to launch a “counteroffensive” against phishing attempts.

“You can flood these addresses with multiple passwords and log-ins – true ones, false ones – so the people behind them use up a lot of time trying to figure them out,” Mahjoubi said.

This may have been why campaign staff were confident that some of the leaked documents were fakes – because they had planted them themselves.

The Kremlin has repeatedly dismissed allegations that Russia was behind activities designed to influence voting. Spokesman Dmitri Peskov reiterated last month that Russia “never interfered” in foreign elections.

In late April, the Macron campaign banned the Russian state news agencies RT (formerly Russia Today) and Sputnik from following him on the campaign trail, accusing them of peddling "propaganda" and misinformation.

Sputnik has in the past said that Macron could be a "US agent" lobbying for the banks and has hinted that he is gay.

The agencies later said they would pursue legal action against Macron over his accusations that they actively spread the "fake news" that he has an offshore bank account in the Bahamas. "We are tired of their lies. We will sue them," chief editor Margarita Simonyan said in a statement on Friday.

Some Russian media went on the offensive again in their coverage of Macron's electoral victory on Monday. Russian tabloid Komsomolskaya Pravda said France deserves the "globalist hell" that surely awaits it after electing Macron, who it suggested was a charming "psychopath" who would ultimately prove a danger to France.



Daily newsletterReceive essential international news every morning Subscribe