Tracing #MacronGate

Qurium – the Media Foundation – runs VirtualRoad.org, a secure hosting provider for independent online news outlets and Human Rights organizations under threat. Part of our work is to gain a better understanding of politically motivated cyberattacks and the role that information warfare plays in online media.

These report contains our internal notes compiled during the 3rd and 10th May 2017. Due to the media attention that the case has received we are releasing our technical findings to help to attribute the media intoxication attacks during the French Presidential Elections 2017.

For more background information about the case, check the Le Monde article here

The “offshore account leak at 4chan /pol” #MacronGate

Days before the second round of elections, there were two major data leaks in the “4chan /pol” discussion Forum. The first leak is publicly known as the “offshore account in the Bahamas” (#MacronGate #MacronCacheCash) and the second as “Macroleaks” (#EMLeaks, #MacronLeaks), a large leak of data that contains many tens of thousands emails, photos, attachments up to April 24, 2017.

After the first initial leak (3rd May 2017) of the “offshore documents”, several researchers arrived to the same conclusion: the document that included a “Fax from CIBC Bank” was forged.

Two days later (5th May 2017), the “leaker” decides to upload a new “high resolution” copy to the 4chan channel.

One message from the leaker caught our attention ” also if Macron wins we’re gonna have to organize and make things happen. The French scene will be at nouveaumartel.com later”.

Where is nouveaumartel.com?

Our findings in a nutshell

First docs released: On Wednesday, 3th May 2017 (19:00:40), two PDF documents [DOC1] [DOC2] were uploaded to the mixtape{.}moe and announced in the forum 4chan from a Latvian IP High resolution doc released: Two days after, on Friday, 5th May 2017 (02:08:54) one of the documents [DOC3] is re-posted [4CHAN2] in high resolution again from a Latvian IP A domain name is mentioned: The leaker includes this message in the posting “also if Macron wins we’re gonna have to organize and make things happen. The French scene will be at nouveaumartel{.}com later.“ A domain behind Cloudflare CDN: The domain name nouveaumartel{.}com, that seem to refer to Charles Martel was registered the 19th November 2016 and hosted behind Cloudflare CDN very soon after. The website is empty but provides HTTP responses: To our knowledge the website remains empty (no content) since then but there is a HTTP 503 response (Service Unavailable) coming from the hidden server. Historical data traces: Historical data reveals that the domain was originally hosted in the IP address 185[.]61[.]149[.]9 in MAKONIX, AS52173 in Latvia. Tracing the origin: HTTP Connections to nouveaumartel{.}com returns no data but a webserver banner that corresponds to HAProxy software. Finding the origin IP address (IPv6): The website nouveaumartel{.}com backend is in the IPv6 address 2001:470:c:de6::2

Who runs nouveaumartel.com?

We got lucky!: We compiled a list of all websites actively broadcasting/writing articles about these leaks during the first days. Same hosting provider: Historical data of the domain dailystormer{.}com shows that the site was hosted in the same provider MAKONIX AS52173 in the IPs 95[.]215[.]47[.]186 (www) and 95[.]215[.]44[.]253 (bbs). A common CDN: Both sites run currently behind Cloudflare CDN. Origin Load Balancer serves both sites: In order to verify where the real location of the site nouveaumartel{.}com is, we placed a direct connection to the hidden IPv6 address 2001:470:c:de6::2 but requested the site “dailystormer{.}com” in the same address. Bump!: The positive responses confirms that in the IPv6 address where nouveaumartel{.}com it is also located the infrastructure that serves the site “dailystormer{.}com” and the Spanish version of the site “es{.}.dailystormer{.}com” Linking the IPv6 and IPv4 addresses: The old hosting IPv4 address 95[.]215[.]47[.]186 in MAKONIX remains: (1) hosting the backend of dailystormer{.}com), (2) it is the termination of the IPv6 address 2001:470:c:de6::2 and (3) hides also the location of nouveaumartel{.}com

Who runs the “hidden” IPv6 address of nouveaumartel.com?

DNS lookup reveals account name: IPv6 DNS lookup of the IPv6 address 2001:470:c:de6::2 returns: weevlos-1-pt.tunnel.tserv15.lax1.ipv6.he.net. Who provides the IPv6 address: The IPv6 prefix is announced by Hurricane Electric tunnelbroker{.}net as part of their IPv4 to IPv6 free service. Weevlos: The DNS name of the origin IPv6 address is “weevlos” and it is provided by a tunnel termination of Hurricane Electric tunnelbroker{.}net free service. The service enables to reach the IPv6 Internet by tunneling over existing IPv4 . Is the account active? The account is active and can be verified [ACCOUNT] Daily stormer: “weevlos” nick name is used by Andrew Auernheimer and he is the tech administrator of dailystormer{.}com

Links and references