Go phish: Fancy Bear develops taste for Macron in French election

News by Max Metzger

French presidential candidate Emmanuel Macron has been targeted with a phishing attack and the pawprints look very familiar....

French presidential candidate Emmanuel Macron is being targeted by a Russian APT.

Feike Hacquebord, a Trend Micro researcher, told Reuters that he found evidence that Fancy Bear attempted to phish the Macron campaign and install malware on its website. The attacks have been confirmed by the French government.

Using four fake email accounts and computers in France, the UK and elsewhere, the group launched attacks against Macron's “En Marche!” campaign in March and April. Experts told Reuters that the group often leaves time between its activities so the second round of elections in May may not be immediately in jeopardy.

Macron's campaign was apparently attacked in February, with reported thousands of attacks coming from within Russia.

A Kremlin spokesperson, Dmitry Peskov, balked at the accusations of Russian involvement. He told press on 25 April: "What groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now."

The campaign has supposedly put measures in place to block emails from malicious domains.

The move was applauded by Ravi Khatod, CEO of Agari, who told SC Media UK: “We implore all political parties to ensure they likewise make email security a priority, particularly those with high stakes elections coming up such as Germany and now the UK. At a minimum, there is no excuse not to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication policy to help identify and block malicious emails impersonating trusted domains.”

Phishing remains one of the most common attack vectors and spear-phishing can skewer even the best protected targets.

Steven Malone, director of security product management at email security firm Mimecast, told SC: “Word-perfect phishing attacks are now increasingly commonplace, impersonating domain names and individuals with personalised precision.”

Fancy Bear, also known as Pawn Storm or APT28, is widely believed to have been behind the US ‘election hacking' of 2016, in which thousands of internal Democratic Party documents were leaked, causing major embarrassment to the party and its candidate for president Hillary Clinton. The link between Macron's attackers and the group came partly from this link, Hacquebord told Reuters: “The fingerprints were really the same actors as in the DNC breach."

While the actual effect of the hack on the electoral outcome which delivered Clinton's rival, Donald Trump, the presidency is not known, US intelligence bodies are certain of one thing: a Kremlin-backed hacker group exploited the Democratic Party and, by extension, American democracy to embarrass Clinton and aid Trump.

The group is believed by Crowdstrike to be a proxy of the GRU, Russian military intelligence. Crowdstrike is the company which first identified the source of the breach on the Democratic party.

Attribution is notoriously difficult and though links can be found between attacks and groups, links between groups and a country are far more elusive.

Such a brazen attack does not seem out of character for Fancy Bear, who have developed a taste for political targets and whose paw prints can be found a great variety of major breaches on high-profile targets.

Fancy Bear have been linked to attacks on the White House, NATO, French television station TV5Monde, the World Anti-Doping Agency and the subsequent leak of western athletes medical records and, most recently, attacks against Dutch ministries ahead of the March 2017 Dutch elections.

The French election, which after its first round of voting has pitted centrist Macron against the far right National Front party's candidate Marine Le Pen, might seem a predictable target. Russian president Vladimir Putin is an avowed fan of Le Pen, a feeling which has been publically reciprocated a number of times. Le Pen's campaign has even accepted money from Russian banks, which are viewed with great suspicion by the candidate's critics.

European officials have been wringing their hands, ahead of several upcoming elections in 2017. The head of Germany's Federal Office for the Protection of the Constitution, Hans-Georg Maassen voiced just such concerns in a statement in late 2016. He said that, "propaganda and disinformation, cyber-attacks, cyber-spying and Cyber-sabotage (are) part of the hybrid threat to Western democracies”, as he warned of foreign attempts to pervert the September 2017 elections.

The UK Parliament's Commons Public Administration committee recently called for a monitoring unit to be established to help ensure the integrity of UK democracy.

The committee's chair, Bernard Jenkin MP, told UK newspaper The Independent: “We recommend the Government set up a monitoring unit, to ensure the kind of interference that has been claimed more widely in other countries, is not going to happen in our country. That's important for public confidence in our democratic process.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews