#MacronLeaks metadata suggests Russian threat actors behind Macron’s hack

#MacronLeaks – Experts discovered evidence suggesting Russian threat actors behind the hack of French presidential candidate Macron.

Who are the hackers that attempted to subvert the final vote of French Presidential Election by targeting the Macron’s campaign?

Hackers leaked a 9GB batch of internal documents through the Magnet file-sharing service. The Macron data leakage has happened while candidates are banned from publicly discussing the campaign, clearly such kind of events can subvert the final result of the election.

Security experts and media blamed Russia for the attack, but the without referencing solid clues.

According to a report published by Trend Micro in April, the notorious APT 28 group spied on numerous high-profile targets, including the Macron’s campaign.

Now it seems that analysts have discovered evidence that suggests the involvement of Russia-linked threat actors.

The files stolen from Macron’s staff systems were initially distributed via links posted on 4Chan and then shared by WikiLeaks.

Forensic experts analyzed file metadata that seems to be linked to a Russian government contract employee, this person is suspected to have falsified some of the dumped documents for obvious reasons.

Wikileaks who was informed of the discovery acknowledged the presence of metadata pointed to a Russian company with ties to the government.

The experts discovered that the name of an employee for the Russian government security contractor Evrika appears 9 times in the metadata of the leaked dump.

The metadata related to the upload of the Macron files to archive.org also includes an e-mail address (frankmacher1@gmx.de) for the person who made the operation:

The e-mail address  frankmacher1@gmx.de is registered with a German free webmail provider that was used in past operation by the APT28 group for phishing campaigns against the US DNC and the German Chancellor Angela Merkel’s political party.

Experts believe that the APT28 edited the documents and spread them via social media as part of a PSYOPs operation, like the one conducted against Clinton’s party during 2016 Presidential Election.

I have reached my colleague Emanuele Gentili (@emgent) Director of Cyber Intelligence of the Italian Security Firm TS-WAY who shared with me this interesting document:

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Macron, APT28)

[adrotate banner=”13″]