Here’s the Evidence Linking Russia to the French Election Hack

Moscow is trying to undermine Emmanuel Macron

Here’s the Evidence Linking Russia to the French Election Hack Here’s the Evidence Linking Russia to the French Election Hack
As France braces for the second round of its national election, security researchers try to figure out if Russia was really behind the alleged... Here’s the Evidence Linking Russia to the French Election Hack

As France braces for the second round of its national election, security researchers try to figure out if Russia was really behind the alleged hacking attempts against frontrunner Emmanuel Macron.

After months of speculation on whether dreaded Russian hackers would try to meddle with the French elections the same way they did last year in America, cybersecurity researchers finally pointed the finger earlier this week.

In the last two months, according to the cybersecurity firm Trend Micro, the Russian hacking group known as “Fancy Bear” or APT28 registered at least four different fake domains in an apparent attempt to launch a phishing campaign against Macron, the moderate and pro-European candidate who won the election’s first round on Sunday.

The company, however, only published one of those domains, and didn’t reveal why it was so confident that Fancy Bear was behind the alleged phishing campaign.

Now, other researchers are finding new clues that appear to point to Fancy Bear.

Investigating the information associated with onedrive-en-marche[.]fr, the only domain publicly identified by Trend Micro in its report, a researcher pinpointed three other domains connected to it, and apparently controlled by the same hackers. The three domains are portal-office[.]fr, accounts-office[.]fr, and mail-en-marche[.]fr.

It would make sense to use fake domains that mimic the real domain—en-marche.fr— and the name of his party En Marche to target Macron staffers.

All of the four fake domains were registered by someone using the same email address, johnpinch@mail.com. Whoever controls that account did not respond to a request for comment.

Associated Press reporter Raphael Satter also found this link. And a Trend Micro spokesperson confirmed that these are indeed the four domains they identified.

A graph created with the software Maltego, using WHOIS data from the four phishing domains allegedly used by Fancy Bear against Macron.

At this point it’s unclear how successful the hackers were in their alleged phishing campaigns against Macron.

Macron’s party said in an emailed statement that it has been targeted by “at least five advanced operations of ‘phishing’ which targets rather largely and specifically the members of the campaign team,” but all these were “blocked.”

Macron’s digital chief, Mounir Mahjoubi, told the Associated Press that the attempts were “serious, but nothing was compromised.” En Marche did not respond to an email asking for more details about the phishing attempts.

ThreatConnect, another security firm, delved into the little data that’s public and found that there are indeed some links to Fancy Bear. In particular, the company pointed to the use of a @mail.com address to register the domains, an IP address (194.187.249[.]135) that was identified by the U.S. Department of Homeland Security as being used by Russian hackers and other associated I.P. addresses registered with the hosting service THCservers, which has been previously used by Fancy Bear.

The company also identified a fifth domain (en-marche[.]co) allegedly linked to the other four phishing domains.

All these tactics, according to ThreatConnect, are consistent with past tactics employed by Fancy Bear. But without more information on the actual phishing messages used against Macron, “we cannot definitively confirm that Fancy Bear is behind this,” said Kyle Ehmke, senior intelligence researcher at ThreatConnect.

Fancy Bear or no Fancy Bear, however, it’s clear someone was trying to hack Macron. If some of his emails, or those of his staffers, mysteriously appear online before the second round of the elections on May 6 and 7, 2017, we’ll get a better idea of who tried to hack him.

This story originally appeared at Vice Motherboard.

  • 100% ad free experience
  • Get our best stories sent to your inbox every day
  • Membership to private Facebook group
Show your support for continued hard hitting content.
Only $19.99 per year and for a limited time, new subscribers receive a FREE War Is Boring T-Shirt!
Become a War is Boring subscriber