Analyzing a counter intelligence cyber operation: How Macron just changed cyber security forever


Up until today I could only look up to Russia (whether I agree with them or not) for conducting advanced information operations in cyber. Now, I can look up to Macron and the anonymous security professionals behind him and admire them. Finally, someone uses cyber deception to beat attackers at their own game. I am not alone, and Cymmetria’s ideas have been vindicated yet again.

Let’s quickly go over what happened, and then analyze the operation and why it is so… well, cool.

Important: We don’t know much at this stage, so I will assume a lot. While reading the story please consider it could all be an elaborate deception, and never happened.

But remember, regardless of what actually happened, one of the major lessons of cyber security, as learned in Estonia a decade ago and endless times since, is that what people perceive matters as much if not more so than what the technical details of any attack may have actually been.

And that further, attacks serve a purpose. The motivation can be political or otherwise, but they must be analyzed in context.

Further, as shown in this analysis, the power of cyber deception is in increasing the attackers’ costs. The burden of anomaly detection, figuring out what’s real and what’s not — is now on them. A few fake docs killed the election hack. Future attackers will have to sift through data. Cyber deception inflicts economic costs on attackers.

NOTE: Significant updates to this post will be marked with [Updated].

What supposedly happened

Just before the French elections, the long anticipated news hit. Emmanuel Macron, candidate for president of France, suffered a data breach and the data was dumped for the public to download.

According to this article which I’ll quote:

In the last hours before midnight on Friday, just before a campaigning blackout imposed by French electoral law in anticipation of the crucial vote on Sunday, somebody dumped nine gigabytes of emails and documents supposedly purloined from the campaign of leading presidential candidate Emmanuel Macron.

Macron learned the lessons of the Hillary Clinton campaign, and immediately took control of the messaging and PR:

Literally at the 11th hour, before the blackout would silence it, the Macron campaign issued a statement saying it had been hacked and many of the documents that were dumped on the American 4Chan site and re-posted by Wikileaks were fakes.

Calling the documents into question [Updated]

Wikileaks in their own statement doubted Macron’s ability to go over the documents so fast, but it didn’t matter. That narrative controlled the short news cycle. Macron cast doubt on the reports and showed leadership, actually providing reporters data which they could use to write their stories. That by itself is a lesson for the future.

If all Macron did was throw doubt on the validity of the leaks, that’s already a powerful win. Wikileaks themselves cast a doubt on the source:

#MacronLeaks assessment update: several Office files have Cyrillic meta data. Unclear if by design, incompetence, or Slavic employee.

There were few such marked documents, all from a limited time period. Regardless — they served their purpose in timelines to assist Macron in his PR crisis response.
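The claim that only a few documents, all from a limited time period, carried Cyrillic metadata is something an analyst can verify rather than take on trust. The following is an added example (my own illustration, not code from this post, from Wikileaks or from any product named here) that reads the core properties of Office (OOXML) files, flags creator and last-modified-by fields containing Cyrillic, and groups the hits by modification date. The two .docx files it inspects are constructed in memory; only docProps/core.xml matters for this check.

```python
"""Flag OOXML documents with Cyrillic author metadata and group them by date.

Added example, not part of the original post. The sample documents are
constructed below; the metadata values in them are invented.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by docProps/core.xml in Word/Excel/PowerPoint OOXML files.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")  # basic Cyrillic block


def core_properties(docx_bytes: bytes) -> dict:
    """Return creator / lastModifiedBy / modified from docProps/core.xml.

    Returns {} for non-zip input or a package without core properties, so a
    corrupt file in a large dump does not abort the whole scan."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
            xml = z.read("docProps/core.xml")
    except (zipfile.BadZipFile, KeyError):
        return {}
    root = ET.fromstring(xml)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "") if el is not None else ""

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),
    }


def cyrillic_fields(props: dict) -> list:
    """Names of the author-type fields that contain Cyrillic characters."""
    return [k for k in ("creator", "lastModifiedBy")
            if CYRILLIC.search(props.get(k, ""))]


def summarize(docs: dict) -> dict:
    """docs: {filename: bytes}. Returns {YYYY-MM-DD: [files with Cyrillic metadata]}.

    Grouping by modification date is what lets you test the "limited time
    period" observation across a whole dump instead of eyeballing files."""
    by_date = {}
    for name, data in docs.items():
        props = core_properties(data)
        if cyrillic_fields(props):
            date = props["modified"][:10] or "unknown"
            by_date.setdefault(date, []).append(name)
    return by_date


def make_docx(creator: str, modified_by: str, modified: str) -> bytes:
    """Constructed minimal .docx: just enough package structure for the check."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
 xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>{creator}</dc:creator>
 <cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>
 <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample dump: one file edited under a Cyrillic user name.
    sample = {
        "budget.docx": make_docx("Alice", "Пользователь", "2017-04-27T09:00:00Z"),
        "agenda.docx": make_docx("Bob", "Bob", "2017-04-27T10:00:00Z"),
    }
    for date, files in sorted(summarize(sample).items()):
        print(date, files)
```

Metadata like this is trivially editable, which is exactly why a seeded false flag and a genuine operator mistake look the same in core.xml; the check tells you which files to look at and when they were touched, not who touched them.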

The effectiveness of a few lonely fake documents [Updated]

Marine Le Pen’s supporters started to make PR use of “all these damning emails”, although many of them looked like bots using Google-translated messages. That stopped short when a few of the documents were shown to be ridiculous: some of the documents in the data dump were obvious fakes, and they started popping up all over French social media.

Creating fake documents that look real, at scale, is hard. This case shows us we don’t necessarily need to.

Effectively, the next time a threat actor attempts this, they may have to sift through all the data first. Cyber deception increases the cost of the attacker, shifting the economics of cyber security and thus changing the asymmetry between attacker and defender.

Taking active measures

This analysis however misses a critical aspect of what might have happened: a possible false flag operation, whether by Macron or by someone else.

This is where it gets really interesting.

Ah, but there’s the rub. As reported by The Daily Beast, part of the Macron campaign strategy against Fancy Bear (also known as Pawn Storm and Apt28) was to sign on to the phishing pages and plant bogus information.

“You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out,” Mounir Mahjoubi, the head of Macron’s digital team, told The Daily Beast for its earlier article on this subject.

So Macron’s people, and specifically Mounir Mahjoubi, who I want to make sure and meet one day, claim to have fed APT28 false data in a “counteroffensive”. Maybe they have, maybe they haven’t. Maybe they did something else entirely. Maybe it wasn’t them.

Regardless, their PR win as shown above — planned or not — with or without cyber, was in the bag.

Assuming that there was an attack, and that this was actually APT28, and then that this comment by Mr. Mahjoubi (or who knows who) didn’t plant a false flag by himself to make Macron’s PR look more authentic by blaming the now infamous Fancy Bear, then under this assumption we can see that Macron prepared for this in advance, studied the adversary attacking his systems, and proceeded to feed it the fake documents. Well then, AWESOME!

The comment about phishing is a bit odd technically. I’d have expected them to feed the exfiltration itself, or run the phishing emails on computers they prepared. But hey, it’s a mainstream news article so let’s give them the benefit of the doubt — for now. We can’t expect technical accuracy.

Some further technical information can be found in this article (quoted below), which sheds more light on what was done. It is similar, you may note, to the technique some banks use to counter regular phishing attacks (as opposed to spearphishing): seeding the phishing sites with fake credentials they can then monitor for access.

The Macron campaign, like Clinton’s, was frequently targeted by phishing attacks which would send emails with links to copies of credible-looking log-in screens with subtle differences in the web addresses like using dots rather than hyphens, etc. “If you speed read the URL, you can’t make the distinction,” said Mahjoubi.

Mahjoubi described the fake sign-in page as “pixel perfect,” and once a user signs in, the hackers would then have access to all of the user’s emails.

“Every week we send to the team screen-captures of all the phishing addresses we have found during the week,” Mahjoubi explained.

But the real genius was in how Mahjoubi’s team used the hacker’s techniques against them.

“You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.”

This tells us one thing clearly: even though we do not fully understand what the team has done to feed APT28 / Fancy Bear disinformation, they attempted to slow them down by feeding them fake credentials. This could potentially also tip the defenders’ hand, depending on their strategic goal. Do you deny the attackers data? Do you disrupt their ability to conduct operations? Do you perhaps degrade their trustworthiness? These do not all necessarily support one another.
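The part of the technique the article leaves implicit is the monitoring side: a fake credential only pays off if the defender can recognise it later, in their own authentication logs, and trace it back to the phishing page it was submitted to. The following is an added example (my own illustration, not code from the Macron team, from The Daily Beast’s reporting, or from any product named on this page) of one way to do that. It derives a unique username per phishing page with an HMAC under a defender-held key, so the same page always yields the same canary and a harvested list of canaries reveals nothing about which page each came from, then scans constructed auth-log lines for any attempt using one. The log format, domain and phishing URLs are all invented here.

```python
"""Seed phishing pages with traceable fake credentials, then detect their use.

Added example, not part of the original post. The log line format, the
campaign domain and the phishing URLs below are constructed placeholders.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Canary:
    phish_url: str   # phishing page this credential was submitted to
    username: str    # never provisioned on the real mail system
    password: str


def make_canary(phish_url: str, key: bytes) -> Canary:
    """Derive the canary credential for one phishing page.

    The username tag is HMAC-SHA256(key, url) truncated, so the defender can
    recompute which page a username belongs to, while whoever harvests the
    credentials sees only an opaque string."""
    tag = hmac.new(key, phish_url.encode(), hashlib.sha256).hexdigest()[:10]
    username = f"m.{tag}@campaign.example"   # constructed domain
    password = secrets.token_urlsafe(12)      # any value; never reused
    return Canary(phish_url, username, password)


def build_registry(phish_urls, key: bytes) -> dict:
    """Map canary username -> Canary for every phishing page seen this week."""
    canaries = [make_canary(u, key) for u in phish_urls]
    return {c.username: c for c in canaries}


# Constructed auth-log line shape; adapt the regex to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def scan_auth_log(lines, registry: dict) -> list:
    """Return (timestamp, username, src, phish_url) for each attempt that used
    a seeded credential.

    Success or failure is irrelevant: the account does not exist, so any
    attempt at all means the phishing harvest was consumed, and the URL tells
    you which harvest."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        canary = registry.get(m["user"].lower())
        if canary is not None:
            hits.append((m["ts"], m["user"], m["src"], canary.phish_url))
    return hits


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment secret
    pages = [  # constructed phishing URLs
        "https://mail.campaign-example.net/login",
        "https://campaign.example.login-portal.invalid/",
    ]
    registry = build_registry(pages, key)
    for c in registry.values():
        print("seed", c.phish_url, "with", c.username, c.password)

    first = next(iter(registry))
    # Constructed log lines: one canary attempt, one genuine user, one junk line.
    log = [
        f"2017-05-01T01:00:00Z auth=fail user={first} src=203.0.113.5",
        "2017-05-01T01:00:01Z auth=ok user=real.user@campaign.example src=10.0.0.2",
        "malformed line",
    ]
    for hit in scan_auth_log(log, registry):
        print("canary used:", hit)
```

Two design points matter in practice. The canary usernames must not collide with real accounts and must never be reusable for anything, which is why they are tied to a domain-local pattern and the password is random per page. And because detection keys on the username alone, the alert fires whether or not the attacker guessed the password correctly, which is the point: the signal is that someone is replaying the harvest, not that they got in.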

Taking the disinformation activity into account, one thing Wikileaks misses in their tweet above is that if Macron’s people seeded APT28’s exfiltration with their own documents, they could also have planted the Cyrillic false flags themselves. In that case this wasn’t necessarily an OPSEC failure on the supposed Russian threat actor’s part (someone planned badly, or simply made a mistake), nor an employee of Macron’s who uses a Cyrillic keyboard.

Regardless, the obvious fakes in the data dump were enough to achieve the strategic goal of reducing the data dump’s success.

My main takeaway? Beyond excitement?

Cyber deception inflicts costs on the attacker, shifting the economics of cyber security and thus changing the asymmetry between attacker and defender. The burden of anomaly detection, figuring out what’s real and what’s not, is now on them.

Other takeaways:

Cyber security has been on the defensive for a very long time. Finally seeing people think like I do and take control of the battle ground, not just sitting and waiting for the adversaries to bypass our static defences, but using the attackers’ very own predictable methodologies and m.o. against them is very exciting.

If it indeed happened as described, this is the first public (!) and soon to be famous counterintelligence attempt against a cyber propaganda campaign, meant to affect a nation’s politics and policies (also may be dubbed counter maskirovka, or counter strategic maskirovka).

We had no real success or much of an idea how to counter information warfare or, as it is now called, cyber warfare. Or even “fake news” for that matter. The very fact it may have happened empowers me as a defender and energizes me to keep going. Last week marked 10 years since the Estonian incident (“first Internet war”), and I wrote a story specifically on this type of propaganda affecting entire countries, populations, and elections:

https://securityledger.com/2017/04/estonia-10-years-later-lessons-learned-from-the-worlds-first-internet-war/

The way they have done this is by cyber deception. My very own startup Cymmetria offers MazeRunner (available in a free version), a cyber deception platform which enables precisely this — control of the battle ground and the attackers’ information. If we can control the information our opponent collects about us, we can control their decision making process (affect their OODA loop). We could then affect where they go and how they act, detect them sooner, and neutralize them.

This story is public. There may be far more interesting stories out there. And, I seriously doubt those behind it were interested in the operation becoming public knowledge (if it indeed happened, and as described). Someone must be having a bad day. It could also be that it is not one of the few “likely suspects” who would have the ability to create such an operation, and it is in fact the first time this team has done such a thing, in which case they should be applauded, regardless of the OPSEC implications for the ability to do it again now that it is public.

This being the first (or one of the first) time such an operation was mounted publicly, some of the defenders’ tools may have worked in spite of any potential OPSEC failures and conflicting strategic goals. That does not mean we should not appreciate their work, learn from it, and adapt. The other side would. Check out my talk with Inbar Raz on APT OPSEC evolution: https://www.youtube.com/watch?v=GbpJhoYngMo

Remember: We don’t know much at this stage, so this post has a lot of assumptions.

Analysis in political context [Updated]

One thing remains clear. Cyber security, much like any other tool or weapon, serves a policy or strategic purpose. It does not often stand as a motivation by itself, and needs to be analyzed in this context. In upcoming elections, think — who may have an interest in disrupting them, and why?

Much as cyber security has recently become a due diligence issue in M&A acquisitions, election budgets will now include a cyber security clause.

Information operations are as old as history. Why then do I rank this incident so highly?

When the APT1 report came out, it shook the world. An entire cyber security industry was “created” to combat the threat. It gave public and concrete proof. The same applies here.

There is nothing worse as a cyber security professional than going to work every morning knowing you’re going to lose. It’s a defeatist industry. Seeing a live and public example of successful resistance, which is complex and interesting, shows that not only can we win, but that it is as interesting, if not more so, than the attacking side.

Resources

You can find and download Cymmetria’s free community edition of its cyber deception platform, here:

https://www.cymmetria.com/

You may also want to examine the ADHD distribution, here:

http://www.blackhillsinfosec.com/?page_id=4419

Lastly, some of us have been discussing this subject for a while now on Facebook in a tiny group. Join if you’re interested: https://www.facebook.com/groups/949960748352854/

Exciting times!

Gadi Evron.

(Twitter: @gadievron, Facebook: @gadioncyber)

#Cyberdeception #Macron #FrenchElections #propaganda #cyber #Estonia
