A hacking group linked by cybersecurity experts to Russia’s military intelligence apparatus has begun taking aim at France’s centrist presidential candidate, Emmanuel Macron, the cybersecurity firm Trend Micro said in a report published on Tuesday.
On March 15, the group — known as Fancy Bear, Pawn Storm, Sednit, APT28, Sofacy, or STRONTIUM — began registering domain names like “onedrive-en-marche.fr” and “mail-en-marche.fr” in an attempt to trick members of Macron’s campaign team into clicking on links that looked affiliated with his political party, En Marche.
“A huge revelation in this Trend Micro report is that Fancy Bear has significantly upped the sophistication of its cyber attacks,” said Greg Martin, the CEO of cybersecurity firm JASK. “They’re taking advantage of vulnerabilities in cloud-based email services like Gmail to trick people into downloading fake applications, and compromising their inboxes without even having to steal a password.”
Martin said that when targeted by this kind of attack, known as “OAuth phishing,” the victim can’t just change their password to regain access to their account.
“It’s a new style of attack is very deadly and unprecedented,” he said. “It’s the first time we have seen this in the wild.”
A more primitive version of that phishing technique was on full display during the US presidential election. Emails stolen by Fancy Bear from the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta, were fed to WikiLeaks and the website DCLeaks, which is run by self-described hacker Guccifer 2.0, who researchers believe was a persona created by Russian military intelligence.
“The cat got out of the bag in terms of the tools used in the DNC cyberattacks, so Fancy Bear upped the ante this time around,” Martin said.
Fancy Bear’s cyberespionage activities date back to the early 2000s, when hackers would implant malware on computers to record users’ keystrokes and monitor the sites they visited. That information would then be sent back to the malware creators in Russia, according to Trend Micro.
As the firm said in its report, however, the hacking team’s days of under-the-radar spying appear to be over. Spanning the past two years, the group has taken on bigger targets than ever before — including US, French, and German political parties and candidates — by deploying phishing attacks, stealing information, and then weaponizing it to manipulate events and public opinion.
Cybersecurity experts caution that it is difficult to definitively trace a cyberattack back to a particular entity.
Igor Volovich, the CEO of ROMAD Cyber Systems, said that the cyber artifacts used to trace hacks back to particular actors are “fungible,” which makes cyberattacks difficult to attribute.
“Using an IP address or a particular code to trace a hack back to a particular actor — those things, on their own, are inconclusive,” Volovich said in an interview. “But if you can correlate multiple sources of data in the attribution [of a hack], that adds a lot more credibility.”
According to Trend Micro, while Pawn Storm “makes good use of webhosting providers in Western countries that offer privacy to their customers,” the group still “has a clear preference for some hosting providers, DNS service providers, and domain registrars.” By monitoring those service providers, the firm said, much of the group’s infrastructure can be spotted and caught early.
And the fact that the hackers have consistently targeted a range of actors that could easily be characterised as Russian adversaries — including NATO, the Organisation for Security and Cooperation in Europe, the US Anti-Doping Agency, the Ukrainian military, and the president of Montenegro — has left researchers with little doubt that the cyberattacks were sponsored by the Kremlin.
In December, the cybersecurity firm CrowdStrike revealed that the malware that Fancy Bear implanted on Android devices to track and target Ukrainian artillery units between 2014-2016 “was a variant of the kind used to hack into the Democratic National Committee,” the firm’s founder, Dmitri Alperovitch told Reuters.
Russia has been fighting a proxy war with the Ukrainian military since 2014, bolstering the likelihood that the Russia’s main foreign military intelligence agency, the GRU, would have attempted to compromise and track Ukrainian artillery units sometime in the past three years.
The cyberattack, Alperovitch said at the time, “cannot be a hands-off group or a bunch of criminals. They need to be in close communication with the Russian military.”
The Russians would have been similarly motivated to compromise the US Anti-Doping Agency — which, along with the World Anti-Doping Agency, investigated Russia’s conspiracy to corrupt its drug-testing system and ultimately banned dozens of Russian athletes from last summer’s Olympics in Rio de Janeiro.
In October, a Russian plot to overthrow Montenegro’s pro-Western president — who has been negotiating the country’s accession into NATO — was foiled at the last minute. State websites have since been targeted by two waves of cyberattacks. The Montenegrin government said the attacks were “planned and synchronised” but stopped short of attributing them to Moscow.
The Russian government’s motivations to target France’s Macron, meanwhile, have parallels to their attacks on the US election last year: a desire to boost the more nationalistic, Russia-friendly underdog (Marine Le Pen in France and President Donald Trump in the US) and undermine the more globalist, hawkish frontrunner (Macron in France and Clinton in the US).
On Sunday, Macron and Le Pen won the first round of the election in a historic upset that saw France’s two traditional parties lose power for the first time in decades. The second round of voting, set to take place on May 7, will be perceived as a de-facto referendum on whether the nationalist fervor sweeping the West has continued into 2017 — a movement that propelled Trump into the White House last year and spurred Britain’s exit from the European Union.
The stakes are high for Russia. Depending on who wins, the French election could set the tone for a broader European shift toward Moscow and away from Washington. As France’s foreign minister, Jean-Marc Ayrault, told the French Journal du Dimanche, “It’s enough to see which candidates, Marine Le Pen or Francois Fillon, Russia expresses preference for in the French electoral campaign.”
“Whereas Emmanuel Macron, who is pro-Europe, is being targeted by cyberattacks,” he added.