by Nathalie Bertrand
A hacking group linked by cybersecurity experts to Russia’s
military intelligence apparatus has begun taking aim at France’s
centrist presidential candidate, Emmanuel Macron, the
cybersecurity firm Trend Micro said in a report published on
Tuesday.
On March 15, the group — known as Fancy Bear, Pawn Storm, Sednit,
APT28, Sofacy, or STRONTIUM — began registering domain names
like “onedrive-en-marche.fr” and “mail-en-marche.fr” in an
attempt to trick members of Macron’s campaign team into clicking
on links that looked affiliated with his political party, En
Marche.
“A huge revelation in this Trend Micro report is
that Fancy Bear has significantly upped the
sophistication of its cyber attacks,” said Greg Martin, the
CEO of cybersecurity firm JASK. “They’re taking advantage of
vulnerabilities in cloud-based email services like Gmail to trick
people into downloading fake applications, and compromising
their inboxes without even having to steal
a password.”
Martin said that when targeted by this kind of attack,
known as “OAuth phishing,” the victim can’t just
change their password to regain access to their account.
“It’s a new style of attack that is very deadly and
unprecedented,” he said. “It’s the first time we have seen
this in the wild.”
A more primitive version of that phishing
technique was on full display during the US presidential
election. Emails stolen by Fancy Bear from the Democratic
National Committee and Hillary Clinton’s campaign chairman, John
Podesta, were fed to WikiLeaks and the website DCLeaks,
which is run by self-described hacker Guccifer 2.0, who
researchers believe was a persona created by Russian military
intelligence.
“The cat got out of the bag in terms of the tools used in the DNC
cyberattacks, so Fancy Bear upped the ante this time around,”
Martin said.
Fancy Bear’s cyberespionage activities date back to the early
2000s, when hackers would implant malware on computers to record
users’ keystrokes and monitor the sites they visited. That
information would then be sent back to the malware creators in
Russia, according to Trend Micro.
As the firm said in its report, however, the hacking team’s
days of under-the-radar spying appear to be over.
Over the past two years, the group has taken on bigger
targets than ever before — including US, French, and German
political parties and candidates — by deploying phishing
attacks, stealing information, and then weaponizing it to
manipulate events and public opinion.
Cybersecurity experts caution that it is difficult to
definitively trace a cyberattack back to a particular
entity.
Igor Volovich, the CEO of ROMAD
Cyber Systems, said that the cyber artifacts used to trace
hacks back to particular actors are “fungible,” which makes
cyberattacks difficult to attribute.
“Using an IP address or a particular code to trace a hack back to
a particular actor — those things, on their own, are
inconclusive,” Volovich said in an interview. “But if you can
correlate multiple sources of data in the attribution [of a
hack], that adds a lot more credibility.”
According to Trend Micro, while Pawn Storm “makes good use of
webhosting providers in Western countries that offer privacy to
their customers,” the group still “has a clear preference for
some hosting providers, DNS service providers, and domain
registrars.” By monitoring those service providers, the firm
said, much of the group’s infrastructure can be spotted and
caught early.
And the fact that the hackers have consistently
targeted a range of actors that could easily be
characterized as Russian adversaries — including NATO,
the Organization for Security and Cooperation in Europe,
the US Anti-Doping Agency, the Ukrainian
military, and the president of Montenegro — has left researchers
with little doubt that the cyberattacks were sponsored by
the Kremlin.
In December, the cybersecurity firm CrowdStrike revealed
that the malware that Fancy Bear implanted on Android
devices to track and target Ukrainian artillery units between
2014 and 2016 “was a variant of the kind used to hack into the
Democratic National Committee,” the firm’s founder,
Dmitri Alperovitch, told Reuters.
Russia has been fighting a proxy war with the Ukrainian
military since 2014, bolstering the likelihood that
Russia’s main foreign military intelligence agency, the GRU,
would have attempted to compromise and track Ukrainian
artillery units sometime in the past three years.
The cyberattack, Alperovitch said at the time, “cannot be a
hands-off group or a bunch of criminals. They need to be in close
communication with the Russian military.”
The Russians would have been similarly motivated to compromise
the US Anti-Doping Agency — which, along with the World
Anti-Doping Agency, investigated Russia’s conspiracy to
corrupt its drug-testing system and ultimately banned dozens of
Russian athletes from last summer’s Olympics in Rio de
Janeiro.
In October, a Russian plot to overthrow Montenegro’s pro-Western
president — who has been negotiating the country’s accession into
NATO — was foiled at the last minute. State websites have since
been targeted by two waves of cyberattacks. The Montenegrin
government said the attacks were “planned and synchronized”
but stopped short of attributing them to Moscow.
The Russian government’s motivations for targeting France’s Macron,
meanwhile, parallel those behind its attacks on the US election
last year: a desire to boost the more nationalistic,
Russia-friendly underdog (Marine Le Pen in France and
President Donald Trump in the US) and undermine the more
globalist, hawkish frontrunner (Macron in France and Clinton in
the US).
On Sunday, Macron and Le Pen won the first round of the
election in a historic upset that saw France’s two traditional
parties lose power for the first time in decades. The second
round of voting, set to take place on May 7, will be perceived as
a de-facto referendum on whether the nationalist fervor
sweeping the West has continued into 2017 — a movement that
propelled Trump into the White House last year and spurred
Britain’s exit from the European Union.
The stakes are high for Russia. Depending on who
wins, the French election could set the tone for a broader
European shift toward Moscow and away from Washington.
As France’s foreign
minister, Jean-Marc Ayrault, told the
French Journal du Dimanche, “It’s enough to see
which candidates, Marine Le Pen or Francois Fillon, Russia
expresses preference for in the French electoral
campaign.”
“Whereas Emmanuel Macron, who is pro-Europe, is being
targeted by cyberattacks,” he added.