After months of speculation on whether dreaded Russian hackers would try to meddle with the French elections the same way they did last year in America, cybersecurity researchers finally pointed the finger earlier this week.
In the last two months, according to the cybersecurity firm Trend Micro, the Russian hacking group known as "Fancy Bear" or APT28 registered at least four different fake domains in an apparent attempt to launch a phishing campaign against Emmanuel Macron, the moderate and pro-European candidate who won the election's first round on Sunday. The company, however, only published one of those domains, and didn't reveal why it was so confident that Fancy Bear was behind the alleged phishing campaign.
Now, other researchers are finding new clues that appear to point to Fancy Bear.
Investigating the information associated with onedrive-en-marche[.]fr, the only domain publicly identified by Trend Micro in its report, a researcher pinpointed three other domains connected to it, and apparently controlled by the same hackers. The three domains are portal-office[.]fr, accounts-office[.]fr, and mail-en-marche[.]fr. As we explained on Monday, it would make sense to use fake domains that mimic the real domain, en-marche.fr, and the name of Macron's party (En Marche) to target his staffers.
All four fake domains were registered by someone using the same email address: email@example.com. (Whoever controls that account did not respond to a request for comment.)
Associated Press reporter Raphael Satter also found this link on Monday. And a Trend Micro spokesperson confirmed to Motherboard that these are indeed the four domains they identified.
Here's a graph showing all the connections and links between these domains.
At this point it's unclear how successful the hackers were in their alleged phishing campaigns against Macron.
Macron's party said in an emailed statement that it has been targeted by "at least five advanced operations of 'phishing' which targets rather largely and specifically the members of the campaign team," but all these were "blocked." Macron's digital chief, Mounir Mahjoubi, told the Associated Press that the attempts were "serious, but nothing was compromised." (En Marche did not respond to an email asking for more details about the phishing attempts.)
ThreatConnect, another security firm, delved into the little data that's public and found that there are indeed some links to Fancy Bear. In particular, the company pointed to the use of a @mail.com address to register the domains; an IP address (194.187.249[.]135) that was identified by the US Department of Homeland Security as being used by Russian hackers; and other associated IP addresses registered with the hosting service THCservers, which has been previously used by Fancy Bear. The company also identified a fifth domain (en-marche[.]co) allegedly linked to the other four phishing domains.
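The kind of pivoting described above (grouping domains that share a registrant address or an IP, then checking which of them impersonate a brand) is something a defender can reproduce over their own domain-monitoring feed. The following is an added example written for this article, not code from Trend Micro, ThreatConnect or the article itself. The registration records are constructed: the domain names are the ones reported, but the registrant address, the second IP address and the non-campaign domain are placeholders, and the brand-token list is an assumption about what the fake domains were imitating.

```python
"""Cluster suspect domains by shared registration indicators and flag brand lookalikes."""
from collections import defaultdict

# Constructed sample registration records (assumption, not observed WHOIS data).
# The four reported domains plus en-marche.co are given one shared registrant
# address and two IPs; the last record is a control that shares nothing.
RECORDS = [
    {"domain": "onedrive-en-marche.fr", "registrant": "registrant@example.invalid",
     "ip": "194.187.249.135", "host": "THCservers"},
    {"domain": "portal-office.fr", "registrant": "registrant@example.invalid",
     "ip": "198.51.100.7", "host": "THCservers"},
    {"domain": "accounts-office.fr", "registrant": "registrant@example.invalid",
     "ip": "198.51.100.7", "host": "THCservers"},
    {"domain": "mail-en-marche.fr", "registrant": "registrant@example.invalid",
     "ip": "194.187.249.135", "host": "THCservers"},
    {"domain": "en-marche.co", "registrant": "other@example.invalid",
     "ip": "198.51.100.7", "host": "THCservers"},
    {"domain": "unrelated-shop.fr", "registrant": "shop@example.invalid",
     "ip": "203.0.113.9", "host": "OtherHost"},
]

# Strong pivots: a shared registrant or IP links two domains. A hosting provider
# alone is too widely shared to link on; it is reported per cluster instead.
PIVOT_KEYS = ("registrant", "ip")

# Brand tokens the fake domains appear to imitate (assumption drawn from the
# domain names themselves), and the legitimate domain that must not be flagged.
BRAND_TOKENS = ("en-marche", "office", "onedrive")
LEGITIMATE = {"en-marche.fr"}


def cluster_by_indicators(records, keys=PIVOT_KEYS):
    """Return clusters (sorted domain lists) connected by any shared value of `keys`."""
    index = defaultdict(set)          # (key, value) -> domains carrying that value
    for r in records:
        for k in keys:
            index[(k, r[k])].add(r["domain"])
    neighbours = defaultdict(set)     # domain -> domains sharing at least one indicator
    for doms in index.values():
        for d in doms:
            neighbours[d] |= doms
    seen, clusters = set(), []
    for r in records:                 # depth-first walk over connected components
        start = r["domain"]
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            cur = stack.pop()
            if cur in comp:
                continue
            comp.add(cur)
            stack.extend(neighbours[cur] - comp)
        seen |= comp
        clusters.append(sorted(comp))
    return sorted(clusters, key=lambda c: (-len(c), c))


def lookalike_hits(domain, tokens=BRAND_TOKENS, legitimate=LEGITIMATE):
    """Brand tokens found in a domain that is not itself a legitimate domain.

    Simplification (assumption): the last label is treated as the TLD. A public
    suffix list would be needed to handle two-level suffixes such as co.uk.
    """
    if domain.lower() in legitimate:
        return []
    labels = domain.lower().split(".")
    name = ".".join(labels[:-1])      # registrable part without the TLD
    return [t for t in tokens if t in name]


def triage(records):
    """Per cluster: member domains, which of them look like a brand, and hosts used."""
    by_domain = {r["domain"]: r for r in records}
    report = []
    for cluster in cluster_by_indicators(records):
        hits = {d: lookalike_hits(d) for d in cluster}
        report.append({
            "domains": cluster,
            "lookalikes": {d: h for d, h in hits.items() if h},
            "hosts": sorted({by_domain[d]["host"] for d in cluster}),
        })
    return report


if __name__ == "__main__":
    for entry in triage(RECORDS):
        print(f"cluster of {len(entry['domains'])} domain(s) on {entry['hosts']}")
        for d in entry["domains"]:
            print(f"  {d:24s} lookalike of: {entry['lookalikes'].get(d, [])}")
```

With the constructed data, en-marche.co ends up in the same cluster as the four reported domains only because it shares an IP with two of them, which mirrors how a fifth domain can surface from a pivot without sharing the registrant address; the control domain stays on its own, and the legitimate en-marche.fr would never be flagged even though it contains the brand token.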
All these tactics, according to ThreatConnect, are consistent with past tactics employed by Fancy Bear. But without more information on the actual phishing messages used against Macron, "we cannot definitively confirm that Fancy Bear is behind this," as Kyle Ehmke, senior intelligence researcher at ThreatConnect, told me.
Fancy Bear or no Fancy Bear, however, it's clear someone was trying to hack Macron. If some of his emails, or those of his staffers, mysteriously appear online before the second round of the elections on May 6 and 7, we'll get a better idea of who tried to hack him.