Who are the hackers that attempted to subvert the final vote of French Presidential Election by targeting the Macron’s campaign?
Hackers leaked a 9GB batch of internal documents through the Magnet file-sharing service. The Macron data leakage has happened while candidates are banned from publicly discussing the campaign, clearly such kind of events can subvert the final result of the election.
Security experts and media blamed Russia for the attack, but the without referencing solid clues.
According to a report published by Trend Micro in April, the notorious APT 28 group spied on numerous high-profile targets, including the Macron’s campaign.
Now it seems that analysts have discovered evidence that suggests the involvement of Russia-linked threat actors.
The files stolen from Macron’s staff systems were initially distributed via links posted on 4Chan and then shared by WikiLeaks.
Forensic experts analyzed file metadata that seems to be linked to a Russian government contract employee, this person is suspected to have falsified some of the dumped documents for obvious reasons.
Wikileaks who was informed of the discovery acknowledged the presence of metadata pointed to a Russian company with ties to the government.
The experts discovered that the name of an employee for the Russian government security contractor Evrika appears 9 times in the metadata of the leaked dump.
#MacronLeaks: name of employee for Russian govt security contractor Evrika appears 9 times in metadata for "xls_cendric.rar" leak archive pic.twitter.com/jyhlmldlbL
— WikiLeaks (@wikileaks) May 6, 2017
Dropping files after appending metadata to Microsoft Offices files such as "Автор" or "Область_печати" Why? #attribution H/T @voulnet pic.twitter.com/h2KBLimjZn
— Matt Suiche (@msuiche) May 6, 2017
The metadata related to the upload of the Macron files to archive.org also includes an e-mail address ([email protected]) for the person who made the operation:
Well this is fun pic.twitter.com/oXsH83snCS
— Pwn All The Things (@pwnallthethings) May 6, 2017
The e-mail address [email protected] is registered with a German free webmail provider that was used in past operation by the APT28 group for phishing campaigns against the US DNC and the German Chancellor Angela Merkel’s political party.
Experts believe that the APT28 edited the documents and spread them via social media as part of a PSYOPs operation, like the one conducted against Clinton’s party during 2016 Presidential Election.
I have reached my colleague Emanuele Gentili (@emgent) Director of Cyber Intelligence of the Italian Security Firm TS-WAY who shared with me this interesting document:
(Security Affairs – Macron, APT28)