Cyber experts '99% sure' Russian hackers are targeting Macron
The Russian cyber-spying group Pawn Storm (also known as Fancy Bear) has targeted French presidential front-runner Emmanuel Macron, according to Japanese cyber-security experts. Macron campaign officials, however, say the group has so far failed.
Barely two weeks before the critical second round of the French presidential election, fears of Russian meddling in the 2017 campaign mounted with the publication of a report accusing Pawn Storm of targeting Macron’s En Marche! (Forward!) movement, employing tactics identical to those used to attack the Hillary Clinton campaign during the US presidential race.
A 41-page report, “Two Years of Pawn Storm,” by the Japanese cyber-security firm Trend Micro detailed a long list of the group’s targets, including German Chancellor Angela Merkel’s Christian Democratic Union party ahead of the September German general elections.
Reports of Russian cyber attackers targeting Macron’s campaign have been circulating for months, but the publication of the Trend Micro report provided details of the dates and domains targeted. They included a March 15 attempt to acquire sensitive information and passwords, a process known as "phishing" among cyber-security experts.
Responding to the report on Wednesday, Macron’s campaign team confirmed that they had been the target of at least five advanced cyber-attack operations since January. The campaign, however, maintained that the attacks failed to gain access to sensitive material or compromise any campaign data.
"Emmanuel Macron is the only candidate in the French presidential campaign to be targeted," said an En Marche! statement released Wednesday. "It's no coincidence if Emmanuel Macron, the last remaining progressive candidate in this election, is the priority target."
Russia is known to favour Macron’s challenger, Marine Le Pen, in the French presidential race. Le Pen’s pro-Kremlin policies include opposing EU sanctions against Moscow and supporting Russian President Vladimir Putin’s Syrian ally, Bashar al-Assad. Her party has also relied on loans from Russian banks in the past.
Macron, in sharp contrast, is a liberal internationalist who has been critical of Russian foreign policy.
Campaign meets cyber-security officials
In January, a team of digital security officials from the Macron campaign visited the French cyber counter-espionage agency, ANSSI, to express concerns that their candidate was the “No. 1” target for fake news sites and cyber attacks, according to French media reports.
ANSSI is a government agency under the French defence ministry that advises public and private sector organisations about cyber-security measures.
The meeting between En Marche! and ANSSI officials followed a spate of rumours published on fake news sites as well as slanted coverage of Macron on Russian state media such as RT (formerly Russia Today) and the Sputnik news agency.
The concerns within the Macron camp led to the hiring of Mounir Mahjoubi, the former head of the French National Digital Council (CNNum), a council that advises on digital technologies.
In an interview with French weekly Journal du Dimanche in February, Mahjoubi was more cautious than his Macron campaign colleagues about cyber attacks emanating from Russian-linked groups. "There is no doubt about the frontal attacks of Sputnik and Russia Today, two Russia-funded media outlets. But for the rest, we do not know where they come from," he said.
Russia has consistently denied reports of interfering in the election campaigns of other countries.
"What [hacking] groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now and do not do their authors any credit," Kremlin spokesman Dmitry Peskov told reporters on Monday.
‘99 percent sure’ attacks are from Russia
But the authors of the latest Trend Micro report have no doubt about the origins of the phishing campaigns targeting Macron. "We are 99 percent sure that it is attacks from Russia," Loïc Guézo, Trend Micro’s strategy director for southern Europe, told FRANCE 24.
Pawn Storm – an aggressive cyber-espionage group also known as Fancy Bear, Sednit, APT28, Sofacy or Strontium – is engaged in much more than “just espionage activities”, the report notes. Over the past year, “the group attempted to influence public opinion, to influence elections, and sought contact with mainstream media with some success”.
When it came to targeting the Macron campaign, Pawn Storm’s goal appeared to be to get into the email accounts of senior campaign officials to retrieve information about the candidate – a modus operandi familiar to members of the Clinton campaign.
Cyber-security specialists at Trend Micro found four phishing domains created to try to extract information. The domain names feature plausible versions of Macron’s political movement, designed to catch campaign officials off guard. They include onedrive-en-marche.fr, portal-office.fr, mail-en-marche.fr and accounts-office.fr.
"This group set up a specific infrastructure to target Emmanuel Macron’s movement in March and April 2017," Guézo explained.
The false Internet addresses were used to trap members of the Macron team. "Hackers can, for example, send an email that seems legitimate, claiming that there is a problem with the recipients' IDs, which must be reentered by clicking on a link that points to an identification page that seems innocent but which actually makes it possible to steal the password," he said.
Another method is to send an email containing a link to a booby-trapped document hosted on the Russian attacker’s server, onedrive-en-marche.fr (which could be confused with Microsoft's OneDrive storage service). Opening the document causes a virus to be installed on the victim's computer, which can then be remotely controlled.
This is how hackers gained access to the Clinton campaign servers as well as to the World Anti-Doping Agency servers, to try to influence public opinion on the doping scandal. The defence ministries of Eastern European countries such as Poland, Hungary and Bulgaria have been targeted since 2014.
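The four domains named in the report all pair a familiar brand word with a domain the campaign does not own, which is something a mail gateway can check mechanically. The sketch below is an added example, not code from Trend Micro or the campaign; the trusted-domain list, the brand tokens and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses (the article does not list them).
TRUSTED = {"en-marche.fr", "live.com", "office.com", "microsoft.com"}
# Brand words an attacker embeds to make a hostname look familiar (assumed list).
BRAND_TOKENS = ("en-marche", "onedrive", "office")


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Enough for .fr/.com here;
    production code should consult the Public Suffix List."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Return (verdict, reason) for a link found in an inbound email."""
    if "://" not in url:
        url = "//" + url  # let urlsplit see a bare "host/path" as a netloc
    # .hostname drops any userinfo, so "trusted.fr@other.fr" yields "other.fr"
    host = urlsplit(url).hostname
    if not host:
        return ("reject", "no hostname")
    base = registrable_domain(host)
    if base in TRUSTED:
        return ("allow", base)
    hits = [t for t in BRAND_TOKENS if t in host]
    if hits:
        return ("lookalike", f"{base} imitates {'+'.join(hits)}")
    return ("unknown", base)


# Constructed sample links; the four hostnames are those named in the report.
SAMPLES = [
    "https://onedrive-en-marche.fr/doc",
    "https://portal-office.fr/login",
    "https://mail-en-marche.fr/",
    "https://accounts-office.fr/reset",
    "https://en-marche.fr@accounts-office.fr/login",  # userinfo disguise
    "https://en-marche.fr.login.example/",            # trusted name as subdomain
    "https://onedrive.live.com/share",
    "https://en-marche.fr/agenda",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```
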
A cyber Cold War
In a December 2016 report, the US Department of Homeland Security’s cyber-security unit accused Pawn Storm – under the alternate name APT 28 – of acting on the Kremlin’s orders.
The APT 28 footprint has been on so many major cyber attacks in recent years – including an April 2015 shutdown of French media giant TV5 Monde – that experts view the group as a symbol of a cyber Cold War, combining computer piracy and online propaganda. A Financial Times report noted that US, UK, Israeli and German officials have all said they believe APT 28 is run by Russia’s sprawling military intelligence arm, the GRU.
Officials at Trend Micro, however, refuse to implicate the Kremlin directly: "All we can say is that the activities of this group are systematically aligned with the interests of the Russian authorities," said Guézo.
Referring to the April 23 first round of the French presidential election, Guézo noted that, "among the four favorites in the first round, Emmanuel Macron is the one furthest from Russian interests". He added that, as far as he knew, Macron's was the only French presidential campaign to have been targeted by Pawn Storm.
Mahjoubi has reiterated that the attempts to target the Macron campaign so far have not succeeded. In his interviews with French media, Mahjoubi has admitted that traces of attack attempts have been found but that "none of the mailboxes have been hacked".
En Marche! officials do not use email to share confidential information, according to the statement released Wednesday.
Mahjoubi has also refused to accuse a particular group of the attack attempts. "The procedure is very similar to [Pawn Storm], but you cannot rule out a very competent group trying to imitate them," he warned.
But this hedging has not shaken Guézo’s conviction. The Macron campaign, he believes, is not willing to take the gloves off over this issue to avoid ruffling the Kremlin’s feathers if Macron is elected president next month.