#MacronLeaks metadata suggests Russian threat actors behind Macron’s hack

#MacronLeaks – Experts discovered evidence suggesting Russian threat actors behind the hack of French presidential candidate Macron.

Who are the hackers that attempted to subvert the final vote of French Presidential Election by targeting the Macron’s campaign?

Hackers leaked a 9GB batch of internal documents through the Magnet file-sharing service. The Macron data leakage has happened while candidates are banned from publicly discussing the campaign, clearly such kind of events can subvert the final result of the election.

Security experts and media blamed Russia for the attack, but the without referencing solid clues.

According to a report published by Trend Micro in April, the notorious APT 28 group spied on numerous high-profile targets, including the Macron’s campaign.

Now it seems that analysts have discovered evidence that suggests the involvement of Russia-linked threat actors.

The files stolen from Macron’s staff systems were initially distributed via links posted on 4Chan and then shared by WikiLeaks.

Forensic experts analyzed file metadata that seems to be linked to a Russian government contract employee, this person is suspected to have falsified some of the dumped documents for obvious reasons.

Wikileaks who was informed of the discovery acknowledged the presence of metadata pointed to a Russian company with ties to the government.

The experts discovered that the name of an employee for the Russian government security contractor Evrika appears 9 times in the metadata of the leaked dump.

Evrika (“Eureka”) ZAO is a Russian ICT firm based in St. Petersburg that is known for its collaboration with the Kremlin. The company also works for the Federal Security Service of the Russian Federation (FSB).

The metadata in some Microsoft Office files included in the dump shows that the last person to have edited the documents is “Roshka Georgiy Petrovich,” an Evrika ZAO employee.

The metadata related to the upload of the Macron files to archive.org also includes an e-mail address (frankmacher1@gmx.de) for the person who made the operation:

The e-mail address frankmacher1@gmx.de is registered with a German free webmail provider that was used in past operation by the APT28 group for phishing campaigns against the US DNC and the German Chancellor Angela Merkel’s political party.

Experts believe that the APT28 edited the documents and spread them via social media as part of a PSYOPs operation, like the one conducted against Clinton’s party during 2016 Presidential Election.

I have reached my colleague Emanuele Gentili (@emgent) Director of Cyber Intelligence of the Italian Security Firm TS-WAY who shared with me this interesting document:

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Macron, APT28)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.