En Garde!

Fighting Back Against Putin’s Hackers

Emmanuel Macron isn’t just fighting a neo-fascist in his race for the French presidency. He’s battling some of Vladimir Putin’s most savvy hackers, too.

Benoit Tessier/Reuters

PARIS—Looking back on the presidential campaign of Hillary Clinton last year, one sees an appalling passivity and helplessness as online attackers stole her campaign secrets and now-President Donald Trump exploited that information without shame or discretion.

But, having learned many lessons from the Clinton debacle, the digital team working for French presidential candidate Emmanuel Macron not only took precautions, it decided to fight back.

Next to the U.S. presidential elections, none in the world have had such high stakes riding on them: the future of the European Union, NATO, global commerce—the list is long. And Macron’s team realized early on, as they watched the Democratic Party’s implosion in America, that they too might be the targets of a group of hackers known by many sobriquets, including Pawn Storm, Apt28, STRONTIUM, and rather more colorfully, Fancy Bear.

The group’s hacking operation is most clearly identifiable by its techniques and targets. It’s made up of cyber-criminals with political agendas that fit so closely the priorities of Russian President Vladimir Putin that they are widely believed to be working on his behalf or under his direct orders. (Indeed, the American intelligence community appears to have little doubt on that score anymore.)

And, sure enough, when Macron’s upstart centrist political movement began to gain real momentum toward the end of last year, the “spear phishing” attacks against it started.

The 39-year-old candidate, formerly an investment banker with Rothschild and then the economy minister under President François Hollande, was drawing support from both the left and the right for his independent movement, En Marche! (Onward!), and he had started to look like a real contender.

It is important to note that all the other leading candidates in the race—but especially far-right anti-immigrant, anti-European Union, anti-NATO, anti-American, pro-Trump candidate Marine Le Pen—were unabashedly pro-Putin.

Then polls started to show that Macron might upset Le Pen’s well-laid plans to restore what she likes to call French “sovereignty,” albeit with Russian funding and Russia’s endorsement, including a high-profile meeting in Moscow with Putin himself. (Oh, and Trump chimed in, too, on her behalf …)

Putin could be forgiven for thinking that with such useful allies, pawns, or what-have-you as this, he need never contemplate an invasion of Europe through the Fulda Gap, like in some old Tom Clancy novel about World War III. Today a demoralized and dysfunctional Europe might just come to him.

All he needed in France was a dose of what he’s alleged to have done in the United States: introduce a bit of infowar to create doubts about the viability of the system—maybe with the help of a few Fancy Bear hackers—and usher the most unviable candidate into office.

So, whether it was a matter of coincidence or conspiracy, take your pick, aggressive attacks on the Macron campaign began in earnest.

Mounir Mahjoubi, head of Macron’s digital team, traces the hostile activity back to December. And as the first round of the presidential contest reached its climax just last Sunday, with Macron and Le Pen emerging as the finalists, concerns about Russian attempts to manipulate the results grew so intense that Macron’s campaign finally refused to give the Russian state-funded news media, RT and Sputnik, accreditation to cover the home stretch.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

“RT France and Sputnik have been since the very beginning of our campaign the first source of fake news about our candidate and campaign,” Mahjoubi told me Tuesday afternoon. As The Daily Beast reported on Monday, another staffer called RT, flatly, “a propaganda organ.”

But that is not the only way the Macron campaign is pushing back against the hacking onslaught.

“We also do counteroffensive against them,” says Mahjoubi.

To understand how that might work, one needs to know that the basic techniques used by Pawn Storm to gather intelligence and their alter egos in Fancy Bear to disseminate it are relatively simple, at least in the first skirmishes of a cyber battle.

“They only have to be as sophisticated as they need to be,” says Ed Cabrera, the chief cyber security officer of Trend Micro, a global firm based in Japan which has just published a report on Pawn Storm’s activities, including some data related to the Macron campaign.

Most email users are accustomed to clumsy phishing: those mysterious Nigerians who want to help you collect millions of dollars from some long-lost uncle if you’ll just pass on your bank details. That sort of thing.

This is much, much more polished. And it’s not about money. It’s about intelligence gathering for the exercise of political—indeed geopolitical—power.

Their “well-crafted phishing campaigns,” as Cabrera puts it, are meant first to work their way into an email system by tricking people into revealing their IDs and passwords. Then the hackers exploit that knowledge not only to collect private emails in secret, but to mine them for intelligence, using them to focus new and more targeted attacks on specific individuals to gather still more private data, and in some cases—this is the “Fancy Bear” specialty in the Pawn Storm shop—to reveal those secrets to the public through various channels (like WikiLeaks) in order to affect political outcomes.

“As soon as they identify a group and as soon as they identify the individuals they want to compromise they come at them from many different angles,” Cabrera told me over the phone.

The new Trend Micro report makes the case that Pawn Storm/Fancy Bear’s targets over the last several years coincide very closely with Russian concerns. “Foreign espionage and influence on geopolitics are the group’s main motives, and not financial gain,” the report says. “Its main targets are armed forces, the defense industry, news media, politicians, and dissidents.”

The Trend Micro chronology shows that if you present an obstacle to Putin’s ambitions, whether standing up to pro-Russian insurgents in Ukraine or disqualifying drug-drenched Russian athletes from sports competitions or running against Putin’s chosen paladins in Western politics, Pawn Storm will target you, and Fancy Bear will peddle the information that’s uncovered.

Yet, as Cabrera and Mahjoubi acknowledge, without the kinds of resources the U.S. intelligence community has brought to bear, and the results it has yet to reveal in any detail, it is hard to make that final definitive connection between the Pawn Storm gang and Putin.

That’s inferred from the pattern, says Cabrera, “the victimology—when they are attacking, how they are attacking, and who they are attacking.”

One is reminded of John Le Carré’s master spy George Smiley searching the shadows for his Soviet-backed nemesis Karla, presuming his presence based on otherwise hard to explain events.

“Espionage is nothing new, and cyber espionage is really not that new,” says Cabrera. “It’s the same type of tradecraft but in bits and bytes.”

But again, how do you defend yourself in this shadowland if, like Macron and his campaign, you know you are targeted? What is that “counteroffensive” Mahjoubi was talking about?

The phishing attacks targeting the Macron campaign exploited the fact that its email system was based on Microsoft’s OneDrive, which has a unique portal for many different operations, not only emails. Pawn Storm would send official looking emails encouraging the recipients to sign in by clicking on a link that appeared to be exactly the same as usual—except the dots in the address had been replace by hyphens. “If you speed read the URL, you can’t make the distinction,” said Mahjoubi. And when the fake sign-in page came up it was “pixel perfect.”

The Trend Micro report publishes one of the fake URLs, but Mahjoubi said there were about 10 related to Pawn Storm/Fancy Bear discovered since December. And many more that may come from other hostile attackers.

Some hackers have used a more sophisticated technique called tabnabbing. The Trend Micro report says it is part of the Pawn Storm arsenal, and Mahjoubi says the Macron campaign has been hit by it, but he can’t verify the source.

“In this attack scenario,” says the Trend Micro Report, “the target gets an email supposedly coming from a website he might be interested in—maybe from a conference he is likely to visit or a news site he has subscribed to. The email has a link to a URL that looks very legitimate. When the target reads his email and clicks on the link, it will open in a new tab. This new tab will show the legitimate website of a conference or news providers after being redirected from a site under the attackers’ control. The target is likely to spend some time browsing this legitimate site. Distracted, he probably did not notice that just before the redirection a simple script was run, changing the original webmail tab to a phishing site. When the target has finished reading the news article or conference information on the legitimate site, he returns to the tab of his webmail. He is informed that his session has expired and the site needs his credentials again. He is then likely to reenter his password and give his credentials away to the attackers.”

“We believe that they didn’t break through. We are sure of it,” said Mahjoubi. “But the only way to be ready is to train the people. Because what happened during the Hillary Clinton campaign is that one man, the most powerful, [campaign chairman] John Podesta, logged on to his [fake] page.”

To keep the entire Macron campaign aware of such dangers, Mahjoubi said, “Every week we send to the team screen captures of all the phishing addresses we have found during the week.” But that’s just the first phase of the response. Then the Macron team starts filling in the forms on the fake sites: “You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.”

Mahjoubi, a Parisian who is 33 and got his first job as a technician with one of France’s first internet service providers when he was 16, seems to enjoy the challenge. The core purpose of all these attacks “is to unfocus us,” he says. “My role in this campaign is to make sure our message goes through.” And he’s determined that no Fancy Bear will stop that from happening.