Russia-Linked Hackers Targeted Macron Campaign, Cyber-Researchers Say
RFE/RL April 25, 2017
French presidential front-runner Emmanuel Macron's campaign has been targeted in cyberattacks bearing the hallmarks of an aggressive hacking outfit that intelligence officials say is a branch of Russia's espionage apparatus, an Internet security firm says.
Discussing a report issued on April 25, researchers at Trend Micro said they think a hacking group called Pawn Storm used "phishing" techniques to try to steal personal data from Macron and members of his campaign.
The revelations are likely to deepen concerns that Moscow is seeking to sway elections in Europe after what U.S. intelligence officials say was an influence campaign ordered by Russian President Vladimir Putin to interfere in the U.S. presidential vote in 2016.
They come as Macron, a pro-European Union politician and critic of Putin's government, heads into a May 7 runoff against far-right leader Marine Le Pen, an EU foe who has praised Putin and met with him in the Kremlin on March 24.
Tokyo-based Trend Micro said it discovered the attempted intrusions into Macron's campaign by monitoring the creation of rogue, lookalike websites often used by hackers to trick victims into giving up their passwords.
The Macron campaign's digital director, Mounir Mahjoubi, confirmed the attempted cyberattacks but said the hackers had been thwarted.
Several staffers had received e-mails leading to the fake websites, but the phishing e-mails were quickly identified and blocked, and it was unlikely others went undetected, Mahjoubi said.
"We can't be 100 percent sure," Mahjoubi said, "but as soon as we saw the intrusion attempts, we took measures to block access."
"It's serious, but nothing was compromised," he said.
Macron won the most votes in the April 23 first round of the presidential election, which has been closely watched for signs of digital intrusion.
Of the four top candidates, the 39-year-old centrist independent was seen as being the candidate least favored by Putin's government, which analysts say is eager to see election outcomes that would undermine EU unity on sanctions against Moscow.
The EU and the United States have imposed a series of punitive measures on Russia over its seizure of Crimea from Ukraine in 2014 and its support for separatists in a war that has killed more than 9,900 people in eastern Ukraine.
Opinion polls give Macron a substantial edge -- more than 20 percentage points -- over Le Pen in the runoff.
'Pixel Perfect' Fake Sites
Trend Micro researcher Feike Hacquebord said the firm recently found four Macron-themed fake sites being set up on web infrastructure used by Pawn Storm, an extraordinarily prolific group that is also known as Fancy Bear, APT28, and Sofacy.
Trend Micro has stopped short of accusing any country of being behind Pawn Storm's actions, but U.S. spy agencies and intelligence firms say that it is a branch of Russia's intelligence apparatus.
Mahjoubi confirmed that at least one of the sites had recently been used as part of an attempt to harvest campaign staffers' passwords.
"The phishing pages we are talking about are very personalized web pages to look like the real address," Mahjoubi said. "They were pixel perfect."
"It's exactly the same page. That means there was talent behind it and time went into it: talent, money, experience, time and will," he said.
Mahjoubi said the attempts to penetrate the Macron campaign date back to December. In February, the campaign complained publicly of being targeted by Russia-linked electronic spying operations, although it offered no proof at the time.
Revealing the identities of groups behind cyberespionage campaigns is one of the most difficult tasks of cybersecurity, but Hacquebord said he was confident that Pawn Storm was responsible for the hacking attacks.
"This is not a 100 percent confirmation, but it's very, very likely," Hacquebord said, adding that the political nature of the targeting was "really in line with what they've been doing in the last two years."
Mahjoubi told The New York Times that he had no proof of Russian involvement, but that the nature and timing of Internet assaults on the Macron campaign stoked concerns that Russia was repeating in France what U.S. intelligence agencies say was a concerted effort to undermine the 2016 presidential campaign of Hillary Clinton -- who was widely seen as likely to take a tough stance on Russia if elected.
U.S. and European intelligence agencies and American private security researchers say Fancy Bear was responsible for hacking the Democratic National Committee and other political operatives last year. Stolen documents subsequently appeared on WikiLeaks and other websites, creating problems for what turned out to be Clinton's losing campaign against Republican rival Donald Trump, who was elected on November 8.
Attacks On Merkel
Trend Micro said that the same hacker group appeared to have attacked the computer systems of German Chancellor Angela Merkel's Christian Democratic Union, as well as two German political think tanks, in recent weeks. Germany accused Russia last year of directing hacker groups to attack the country's lower house of parliament.
Merkel -- who is staunchly pro-EU, backs the sanctions against Russia, and is seeking to retain power in a general election in September -- said last year that there were signs of Internet attacks and misinformation campaigns from Russia.
Germany's domestic intelligence agency has expressed concern that Russia may try to interfere in the September elections.
Putin, a former KGB officer and ex-head of Russia's domestic intelligence agency, has denied accusations of state-sanctioned hacking or any interference in elections abroad.
His spokesman, Dmitry Peskov, rejected accusations of meddling in the French election.
"It resembles the accusations made by Washington which to this day remain hollow, and they do no honor to the people making them," said Peskov, who claimed that Russia has "never interfered" in foreign elections.
Trend Micro's report was produced independently of the Macron campaign and lists 160 electronic espionage operations across a series of targets.
With reporting by AP, AFP, The Wall Street Journal, The New York Times, and motherboard.vice.com
Copyright (c) 2017. RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave., N.W. Washington DC 20036.