#MacronLeaks metadata suggests Russian threat actors behind Macron’s hack

Pierluigi Paganini May 09, 2017

#MacronLeaks – Experts discovered evidence suggesting Russian threat actors behind the hack of French presidential candidate Macron.

Who are the hackers that attempted to subvert the final vote of French Presidential Election by targeting the Macron’s campaign?

Hackers leaked a 9GB batch of internal documents through the Magnet file-sharing service. The Macron data leakage has happened while candidates are banned from publicly discussing the campaign, clearly such kind of events can subvert the final result of the election.

Security experts and media blamed Russia for the attack, but the without referencing solid clues.

According to a report published by Trend Micro in April, the notorious APT 28 group spied on numerous high-profile targets, including the Macron’s campaign.


Now it seems that analysts have discovered evidence that suggests the involvement of Russia-linked threat actors.

The files stolen from Macron’s staff systems were initially distributed via links posted on 4Chan and then shared by WikiLeaks.

Forensic experts analyzed file metadata that seems to be linked to a Russian government contract employee, this person is suspected to have falsified some of the dumped documents for obvious reasons.

Wikileaks who was informed of the discovery acknowledged the presence of metadata pointed to a Russian company with ties to the government.

The experts discovered that the name of an employee for the Russian government security contractor Evrika appears 9 times in the metadata of the leaked dump.

Evrika (“Eureka”) ZAO is a Russian ICT firm based in St. Petersburg that is known for its collaboration with the Kremlin. The company also works for the Federal Security Service of the Russian Federation (FSB).
The metadata in some Microsoft Office files included in the dump shows that the last person to have edited the documents is “Roshka Georgiy Petrovich,” an Evrika ZAO employee.
 Macron hacking campaing



The metadata related to the upload of the Macron files to archive.org also includes an e-mail address ([email protected]) for the person who made the operation:



The e-mail address  [email protected] is registered with a German free webmail provider that was used in past operation by the APT28 group for phishing campaigns against the US DNC and the German Chancellor Angela Merkel’s political party.

Experts believe that the APT28 edited the documents and spread them via social media as part of a PSYOPs operation, like the one conducted against Clinton’s party during 2016 Presidential Election.

I have reached my colleague Emanuele Gentili (@emgent) Director of Cyber Intelligence of the Italian Security Firm TS-WAY who shared with me this interesting document:



[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Macron, APT28)

[adrotate banner=”13″]

you might also like

leave a comment