After embarrassing the US Democratic Party with a brazen hack last year, followed by even more brazen leaks over the summer, a group of Russian government hackers has taken aim at the next big Western election: the one in France. Over the last two months, the group known as Fancy Bear or APT28 has targeted the campaign of Emmanuel Macron, the 39-year-old frontrunner to become France's new president.
For weeks, Macron has been crying wolf, accusing Russia of trying to hack into his campaign's computer systems. But there was no public evidence of any attack—until now.
Cybersecurity firm Trend Micro has found evidence that Fancy Bear created at least four different domains with addresses very similar to the official name of his party, En Marche, and of his official website, en-marche.fr. The hackers presumably created them to launch phishing campaigns similar to those that tricked John Podesta and Colin Powell into giving away their passwords, opening up their inboxes to the hackers, and, later, to the world.
Fancy Bear has a long and successful history of using phishing to go after high-value targets, and their modus operandi is to use email domains that can trick the would-be victim into thinking the phishing email is legitimate. In the case of Macron, one of the fake domains the hackers used was onedrive-en-marche[.]fr. The Macron campaign, according to online records, uses Microsoft Outlook for their emails, so it'd make sense to make a domain with the name of another Microsoft cloud product.
Trend Micro spotted the phishing attempts by monitoring the creation of new domains with similar names to the original, legitimate Macron campaign address.
"That is very suspicious," Feike Hacquebord, a researcher at Trend Micro who's been tracking Fancy Bear since 2014, told Motherboard in a phone call. "That immediately sets a red flag."
The Macron campaign, as well as the French government, did not respond to an email asking for comment.
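The monitoring described above, watching new registrations for names that resemble the legitimate domain, can be sketched as follows. This is an added example, not Trend Micro's tooling: the matching rules, the `max_dist` threshold and every feed entry except `onedrive-en-marche[.]fr` are assumptions constructed for illustration.

```python
import re

BRAND = "en-marche.fr"  # legitimate campaign domain named in the article

def refang(domain):
    """Lowercase and undo defanging such as 'name[.]fr'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def squash(label):
    """Drop separators and fold common look-alike sequences (rn->m, 0->o, 1->l)."""
    s = re.sub(r"[-_.]", "", label)
    for fake, real in (("rn", "m"), ("0", "o"), ("1", "l")):
        s = s.replace(fake, real)
    return s

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand=BRAND, max_dist=1):
    """Return why a newly registered domain resembles the brand, or None."""
    cand, brand = refang(candidate), refang(brand)
    if cand == brand or cand.endswith("." + brand):
        return None                      # the brand itself or its own subdomain
    key = squash(brand.split(".")[0])    # "enmarche"
    name = cand.rsplit(".", 1)[0]        # everything left of the TLD
    if key in squash(name):
        return "embeds-brand"            # brand string wrapped in extra words
    if any(edit_distance(squash(l), key) <= max_dist for l in name.split(".")):
        return "near-miss"               # typo-distance from the brand label
    return None

def scan(feed, brand=BRAND):
    """Filter a feed of new registrations down to (domain, reason) hits."""
    hits = [(refang(d), classify(d, brand)) for d in feed]
    return [(d, why) for d, why in hits if why]

# Constructed feed: only the first entry comes from the article.
FEED = ["onedrive-en-marche[.]fr", "en-rnarche.example", "en-marhe.example",
        "boulangerie-lyon.example", "mail.en-marche.fr"]

if __name__ == "__main__":
    for domain, why in scan(FEED):
        print(f"{why:13} {domain}")
```

A hit only says the name was registered, which matches the limit Hacquebord describes: it shows preparation, not whether any phishing email worked.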
Hacquebord noted that there's no way for him to know whether the campaign was successful—all he had visibility into was the creation of the domain. But Frederick Douzet, a professor of Geopolitics at Université Paris 8, said that she has heard both Facebook and France's Network and Information Security Agency (ANSSI) acknowledge that there have been successful attacks similar to the ones that took place during the US elections.
"There's a clear sign of activity," Douzet told Motherboard in a call.
Macron's political ideology has made him a target for Russia. The former economist, who just recently got into politics, is pro-European Union and pro-Euro, while Marine Le Pen, the other candidate, who came in second on Sunday and will square off with him in the second round in two weeks, is more pro-Russian and has threatened to pull France out of the EU if she wins.
Regardless of the success of Fancy Bear's new phishing campaign, one thing is clear. Despite being publicly called out by the US government, the hackers are not slowing down.
"They don't really care," Hacquebord said, "because they get what they want."
A previous version of this story said that ANSSI and Facebook had told Douzet there had been attacks by Fancy Bear. But Douzet only meant ANSSI and Facebook had seen attacks similar to those Fancy Bear did during the US elections.