ThreatConnect, a provider of threat intelligence, has today released new research into the hack on Emmanuel Macron’s En Marche! party, uncovering new ties to infrastructure and domains used by Russian-backed hacker group FANCY BEAR (aka Pawn Storm).
There are consistencies in the reported activity against Macron and Fancy Bear’s previously identified registration and hosting tactics, including:
· The use of a mail.com email address to register domains.
· Use of dedicated infrastructure.
· The victimology and motivation – targeting the presidential candidate Russia would like to lose – is consistent with Russia’s cyber activity during the 2016 US election.
>See also: Inside the mind of a state-sponsored hacker
In the wake of a Trend Micro report identifying Fancy Bear phishing efforts against French presidential candidate Emmanuel Macron, ThreatConnect identified additional indicators and notable intelligence associated with reported activity.
The identified activity has several consistencies with previously identified Fancy Bear tactics; however, the threat intelligence provider lacked information on the phishing messages, other attack vectors, credential harvesting pages and any malware used in this campaign that would give them greater confidence in attributing these to Fancy Bear or another adversary. Likewise, it bears mentioning that given the degree of attention paid to these attack patterns, it is possible another adversary is using the same techniques.
If Fancy Bear is sniffing around Macron’s campaign, ThreatConnect would expect them to try additional avenues to gain access even if operations leveraging the spoofed domains identified in this report were unsuccessful.
>See also: Nation State hacking: a long history?
These avenues could include other political organisations associated with the campaign, or third party or contracted organisations that enable its daily operations. Fancy Bear leveraged a similar tactic in targeting the Democratic National Committee (via their IT contractors) and Democratic Congressional Campaign Committee (via their donation website) in their active measures efforts against the US Democratic Party.
A growing trend: the significance of the French election
Following Russia’s active measures campaign against the 2016 US election that compromised and leaked information from the Democratic Party, many, including ThreatConnect and the US Intelligence Community assessed such efforts would likely continue. Even though the ultimate impact of Russia’s activity on the election results is up for debate, the outcome was consistent with Russia’s goals and the consequences would not disincentivise future campaigns. The next juicy target? The French election, now proceeding to a runoff between centrist candidate Emmanuel Macron and right-wing populist Marine Le Pen.
Similar to Donald Trump during the 2016 campaign, French Presidential candidate Le Pen has publicly espoused a positive view of Russian activities (such as the annexation of Crimea) and Russian President Vladimir Putin.
>See also: Yahoo data leak: the biggest on record
Additionally, Le Pen’s more nationalistic approach to foreign policy and antagonistic views towards the EU suit Russian objectives of weakening the cohesion of multi-national organisations like the EU that have sought to discourage Russian aggression by imposing sanctions, and instead deal with each country individually. Conversely, Macron has been critical of Russian activities and has campaigned to support existing EU policies.
As a result, ThreatConnect expects any Russian active measures campaigns to target Macron’s campaign while conversely supporting Le Pen’s. Indeed, Macron’s aides blame Russia for hacking attempts targeting his campaign and disinformation conducted via Kremlin-backed media outlets.
And so it begins…