
Macron's headquarters used honeypots with fake documents to feed the hackers



A day and a half before the presidential election in France, hackers posted online about 9 GB of documents from the mailboxes of the campaign headquarters of one of the candidates, Emmanuel Macron. As is now known, the leak did not affect the outcome: Macron, a supporter of the European integration that Russia so dislikes, won anyway by a large margin. He won the vote of French citizens in every country except one. Nothing interesting could be found in the published files either: a thoroughly boring collection of ordinary documents, nothing scandalous.

One reason, it seems, is that this time everyone was prepared for the coming attack. "For their part, the Russians were in a hurry and were a bit sloppy," writes The New York Times. "They left behind a trail of evidence, which is not enough to prove work for the Russian government with certainty, but clearly indicates a larger-scale information warfare operation."

At a hearing of the Senate Armed Services Committee on Tuesday, May 9, 2017, NSA Director Admiral Michael Rogers testified that his agency had detected early signs of the attack and had informed its French colleagues, offering them help. But the Americans' help was not needed: the French were ready on their own. They saw what was going on.
Earlier, several information security companies had said that the hacking activity pointed to the well-known Russian group APT28 (Fancy Bear), which specializes in cyber espionage. APT28 registered a number of domain names resembling those of the official servers of En Marche! (Macron's political movement), among them onedrive-en-marche.fr and mail-en-marche.fr. Such domains could be used for targeted phishing mailings and for installing malware on staff computers, from which credentials could be harvested to break into the En Marche! mail servers.

En Marche! employees began receiving phishing emails in December 2016. They were "high quality," says Mounir Mahjoubi, digital director of the campaign headquarters, and addressed the employees by their real names.

But the headquarters had begun preparing for the attack even earlier. Knowing the professional level of the Russian hackers, they had to assume that someone on the staff would be successfully compromised, and after that, along the chain, everyone else. They understood that they could be hacked and that nothing could be done about it. The story of the US Democratic National Committee was an instructive example: of course, the DNC had only a minimal level of security, nobody there expected to be hacked, and the Democrats ignored FBI warnings about hacker activity for months, but even enhanced security measures are unlikely to prevent a leak. So the technical staff at En Marche! headquarters (the digital team consisted of 18 people, many of whom were busy producing videos) decided on a different tactic: a counterattack. "We could not guarantee 100% protection, and so we asked ourselves: what can be done?" says Mahjoubi. In the end they decided to apply the classic strategy of traps (honeypots), which many banks and corporations actively use to protect against leaks of confidential information.

The idea is to create a series of fake mailboxes stuffed with fake (and real) documents. En Marche! headquarters created such mailboxes in large numbers and filled them deliberately, including with exactly the kind of documents that should have interested the Russian side. As a result, the attackers had to verify the authenticity of every mailbox they gained access to. "I don't think we stopped them. We just slowed them down," Mahjoubi suggests. "Even if they lost at least one minute, we will be happy."
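The honeypot-mailbox strategy described above, as an added Python example that is not part of the original article or of the En Marche! team's tooling. It goes one step beyond what the article describes: besides slowing an intruder down, each decoy document carries a reference number derived with an HMAC from the name of the decoy mailbox it was planted in, so that if a decoy later turns up in a published dump the defender can tell which mailbox was reached, and an attacker cannot guess or forge a plausible marker. The mailbox names, the key, and the contract template are all constructed for the example.

```python
import hmac
import hashlib
import re

# Constructed decoy set: one honeypot mailbox per department, each seeded
# with a decoy "contract" whose reference number is unique to that mailbox.
DECOY_MAILBOXES = ["finance-decoy", "hr-decoy", "legal-decoy"]
# Assumption: a random secret kept offline; the value here is a placeholder.
SECRET_KEY = b"replace-with-a-random-32-byte-key"

# Constructed template of a boring-looking document (a printing contract).
TEMPLATE = (
    "CONTRAT DE PRESTATION\n"
    "Référence : {ref}\n"
    "Objet : impression d'affiches, lot 3\n"
    "Montant : 12 400 EUR HT\n"
)

# The shape every decoy reference takes: EM-XXXXX-XXXXX, hex digits.
REF_PATTERN = re.compile(r"EM-[0-9A-F]{5}-[0-9A-F]{5}")


def decoy_ref(mailbox: str, key: bytes = SECRET_KEY) -> str:
    """Derive a reference number for the decoy planted in `mailbox`.

    It looks like an ordinary contract ID but is the first 40 bits of an
    HMAC-SHA256 tag over the mailbox name, so without the key nobody can
    produce a marker that points at a mailbox they did not actually reach.
    """
    tag = hmac.new(key, mailbox.encode("utf-8"), hashlib.sha256).hexdigest()
    tag = tag[:10].upper()
    return f"EM-{tag[:5]}-{tag[5:]}"


def make_decoys(mailboxes=DECOY_MAILBOXES, key: bytes = SECRET_KEY) -> dict:
    """Return {mailbox: decoy document text} for every honeypot mailbox."""
    return {mb: TEMPLATE.format(ref=decoy_ref(mb, key)) for mb in mailboxes}


def attribute_leak(leaked_texts, mailboxes=DECOY_MAILBOXES,
                   key: bytes = SECRET_KEY) -> set:
    """Given the text of files in a published dump, return the set of decoy
    mailboxes whose documents appear in it.

    Only references that recompute under the key count; a string that merely
    matches the pattern (a forgery or a coincidence) is ignored.
    """
    lookup = {decoy_ref(mb, key): mb for mb in mailboxes}
    reached = set()
    for text in leaked_texts:
        for ref in REF_PATTERN.findall(text):
            if ref in lookup:
                reached.add(lookup[ref])
    return reached


if __name__ == "__main__":
    decoys = make_decoys()
    # Constructed dump: one decoy, one genuine file, one forged reference.
    dump = [decoys["hr-decoy"], "Budget prévisionnel 2017 (real file)",
            "Référence : EM-ABCDE-12345"]
    print("decoy mailboxes seen in dump:", sorted(attribute_leak(dump)))
```

The marker doubles as the "verification cost" the article talks about: an intruder who wants to avoid publishing decoys has to check every document, not just every mailbox, while the defender pays only one HMAC per decoy.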

It seems the hackers really were in a hurry. In one of the files from the dump, the metadata had not even been overwritten: it still carried the name of the user on whose computer the Excel spreadsheet was last opened. That name belongs to a specialist at CJSC Evrika, a company engaged in the "development of integrated information protection systems" and in training IT specialists. Its regular customers include the Ministry of Foreign Affairs of the Russian Federation, the Federal Drug Control Service of the Russian Federation, the Audit Chamber of the Russian Federation and many others. CJSC Evrika holds licences for work involving the protection of state secrets. A slip with metadata is a serious failure in itself. An employee in that line of work is expected to be running licensed software.

In their haste, the attackers also slipped up on the fabricated dirt. For example, one of the documents points to an election headquarters employee buying the drug mephedrone for bitcoins, but the bitcoin address given does not appear anywhere in the public blockchain.

At the same time, the French acknowledged that Friday's dump did contain real files from the campaign headquarters. Despite the leak of these files, this time the attack did not produce the result it did in the USA and did not dent the victim's ratings. It seems the same tricks are not as effective the second time around. Next time something new will be needed: perhaps installing a RAT on smartphones and PCs and recording audio and video of a private nature.

Experts believe that this failure may cause APT28 to completely change the way it conducts attacks, and that next time they will surprise everyone. "They could completely change their tactics," said John Hultquist, director of the cyber espionage analysis division at FireEye.

Source: https://habr.com/ru/post/357336/
