Evidence suggests Russia behind hack of French president-elect
Russian security firms' metadata found in files, according to WikiLeaks and others.
SEAN GALLAGHER - 5/8/2017, 2:18 PM
Image caption: A last-minute information operation against French presidential candidate Emmanuel Macron did not stop him from winning Sunday's run-off election. But it did have the fingerprints of Russia all over it. (Getty Images / Chesnot)
Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on ***** and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.
Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization's Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:
WikiLeaks (@wikileaks), 5:44 PM - 6 May 2017: "#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for "xls_cendric.rar" leak archive"
Evrika ("Eureka") ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides "integrated information security systems." The metadata in some Microsoft Office files shows the last person to have edited the files to be "Roshka Georgiy Petrovich," a current or former Evrika ZAO employee.
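The metadata check described above, as an added example that is not part of the original article: Office Open XML files (.docx, .xlsx, .pptx) are zip packages whose docProps/core.xml part records dc:creator and cp:lastModifiedBy, so the last editor of a document can be read directly from that part. The sample package and the names in it are constructed placeholders, not values taken from the leaked archive; the same function works on a real file read from disk.

```python
"""Read authorship metadata from an Office Open XML package (docx/xlsx/pptx).
The package is a zip archive; docProps/core.xml carries dc:creator and
cp:lastModifiedBy, the fields that expose who last edited a document."""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy"),
          ("modified", "dcterms:modified"))

def extract_core_properties(package: bytes) -> dict:
    """Return creator/lastModifiedBy/modified of an OOXML package (None if absent)."""
    props = {key: None for key, _ in FIELDS}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return props  # package carries no core-properties part
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for key, path in FIELDS:
        node = root.find(path, NS)
        if node is not None and node.text:
            props[key] = node.text.strip()
    return props

def build_sample_package(creator: str, last_modified_by: str) -> bytes:
    """Constructed minimal package holding only the metadata part; not a real file."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "<dcterms:modified>2017-05-05T20:00:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder names: a last editor different from the creator is the
    # pattern the article describes in the leaked archive.
    sample = build_sample_package("campaign-author", "placeholder-last-editor")
    print(extract_core_properties(sample))
```

Running the extractor over every Office file in a release candidate, and failing the release when lastModifiedBy is set, is the usual way to catch this class of leak before publication.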
(Image credit: Matt Suiche)
According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as "Fancy Bear" or APT28) in a March 15 "phishing" campaign using the domain onedrive-en-marche.fr. The domain was registered by a "Johny Pinch" using a Mail.com webmail address. The same threat group's infrastructure and malware were found to have been used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year.
The metadata attached to the upload of the Macron files also includes some identifying data with an e-mail address for the person uploading the content to archive.org:
Pwn All The Things (@pwnallthethings), 5 May 2017: "What kind of monster does their mandatory training on time without being reminded? You want a guy who employs folks like that as President?"
Pwn All The Things (@pwnallthethings), 9:41 PM - 5 May 2017: "Well this is fun" pic.twitter.com/oXsH83snCS
The e-mail address of the uploader, frankmacher1@gmx.de, is registered with a German free webmail provider used previously in 2016 Pawn Storm / APT28 phishing attacks against the Christian Democratic Union, German Chancellor Angela Merkel's political party.
The involvement of APT28, the editing of some documents leaked by someone using a Russian version of Microsoft Office, and the attempt to spread the data through amplification in social media channels such as *****, Twitter, and Facebook—where a number of new accounts posted links to the data—are all characteristics of the information operations seen during the 2016 US presidential campaign.
Ars will continue to update this story as new details become available.