French Election Cyber Attacks and Countermeasures

Shortly before last weekend’s final vote of the 2017 French election, a large (9GB) archive of emails and personal documents from the campaign of Emmanuel Macron was leaked to 4chan. In this briefing we will take a look at the suspected attackers, the Macron team’s counter hacking strategies, and what other organizations can learn from them.

 

The Attacks

The Macron team has reported being under attack since the middle of March.

A report on the alleged Russian hacking group “Fancy Bear” - most notable for allegedly hacking into the Clinton campaign during the 2016 US election - released by Trend Micro indicates that at least a part of the attacks may have been performed by the group.

As always, this is a case of circumstantial proof based on the re-use of certain servers, networks and attack techniques. As we have previously pointed out, this level of proof is very useful for information security professionals aiming to increase overall system security, but it is highly unlikely to be usable in a court of law or in geopolitical matters.

Since a national election involves many interested parties, it is likely that more than one group simultaneously carried out attacks.

Data stolen from the campaign was then leaked to the anonymous image board 4chan. This is in contrast to leaks through WikiLeaks in the Clinton campaign’s case.

 

Countermeasures

The Macron campaign - perhaps alerted by the impact of the Clinton leaks - took active countermeasures during the attacks. Apart from attempting to train their staff to recognize phishing scams, they also created a large number of fake accounts holding fake data and then purposefully had these accounts “fall” for the scam. This effort was meant to increase the time required to analyze the stolen files as well as to sow doubt regarding the authenticity of the leak.

This is taking a page from the attacker’s playbook. One of the strong suits of cyber attacks is the anonymous nature of the internet, which makes it extremely hard to prove an attacker’s identity. It also allows politically motivated attackers to mix fake incriminating data in with a legitimate dump to further damage a target’s reputation.

Of course this tactic only works as long as the authenticity of the overall leak is seen as credible.

The Macron campaign’s approach of purposefully creating fake documents to undermine said credibility is not novel as such. False documents have been used for centuries to delay and identify spies. Likewise, the use of false servers or users in IT systems is a well explored concept.

What is new, however, is the use of this technique by a political party organization to throw off state actors looking to damage its reputation through cyber attacks.
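Decoy accounts of the kind described above also serve as a detection signal: no real person logs in as them, so any attempt naming one means phished credentials are being tried. The following is an added example, not code from the Macron campaign or this briefing; the account names, the key=value log format and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy identities (assumption: seeded with fake data and
# deliberately submitted to phishing pages; no real user ever uses them).
DECOYS = {"j.martin-decoy", "press-archive-decoy"}

# Constructed sample log in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z user=a.dupont src=192.0.2.10 result=success
2024-01-10T08:14:40Z user=j.martin-decoy src=203.0.113.7 result=success
2024-01-10T08:15:02Z user=c.leroy src=203.0.113.7 result=success
2024-01-10T08:15:30Z user=press-archive-decoy src=198.51.100.23 result=failure
2024-01-10T09:00:00Z user=c.leroy src=192.0.2.11 result=success
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

def parse(log_text):
    """Yield one dict per well-formed line; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyze(log_text, decoys=DECOYS):
    """Return (decoy_hits, exposed_accounts).

    decoy_hits: every event naming a decoy, success or failure alike.
    exposed_accounts: real users with a successful login from a source
    address that also touched a decoy, mapped to those addresses.
    """
    events = list(parse(log_text))
    decoy_hits = [e for e in events if e["user"] in decoys]
    tainted = {e["src"] for e in decoy_hits}
    exposed = defaultdict(set)
    for e in events:
        if (e["user"] not in decoys and e["src"] in tainted
                and e["result"] == "success"):
            exposed[e["user"]].add(e["src"])
    return decoy_hits, dict(exposed)

if __name__ == "__main__":
    hits, exposed = analyze(SAMPLE_LOG)
    for h in hits:
        print("DECOY USED:", h["ts"], h["user"], h["src"], h["result"])
    for user, srcs in sorted(exposed.items()):
        print("REVIEW ACCOUNT:", user, "shares source with decoy:", sorted(srcs))
```

The second result is the useful one for incident response: a real account that logged in from the same address as a decoy is a candidate for credential reset and mailbox review.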

Whether or not planting fake data is a viable strategy, and what impact the leaks would have had on the Macron campaign had countermeasures not been taken, remains to be seen.

The overall approach of proactive defense sets a good example, however. Whether it is by employing advanced techniques or through solid audits and staff training, IT security has to become an active factor in organizational planning to mitigate risk at a time when breaches are increasing in both frequency and sophistication.