Hackers linked to the same Russian military unit that hacked Democratic computers in the United States during last year’s election also have sought to penetrate the networks of a leading candidate in France’s presidential elections, a leading cybersecurity firm says.
Researchers from Trend Micro, a global security software company, said Monday that Russian hackers took aim last month at the networks of Emmanuel Macron, a centrist who advocates a strong pan-European stance to combat meddling by Moscow.
Russian leader Vladimir Putin openly favors Macron’s opponent, Marine Le Pen, a far-right candidate who’s faced allegations that her campaign received Russian financing. Le Pen and Putin share antipathy toward the European Union.
Macron and Le Pen were the top vote-getters in Sunday’s first-round presidential elections, and will face one another in a runoff May 7.
The hackers who went after Macron are the same ones who penetrated the networks of the Democratic National Committee in 2015-16 and hacked emails of John Podesta, Hillary Clinton’s campaign chairman, which were later published by WikiLeaks, the anti-secrecy group, Trend Micro experts said.
The Russian hacking group is known by many names, including Fancy Bear, Pawn Storm, APT28, Strontium and Sofacy. Another cybersecurity group, ThreatConnect, says the hackers are linked to the GRU, an elite Russian military intelligence unit.
Trend Micro is to issue a comprehensive report on the group Tuesday, but experts there spoke in advance to describe the hacking group’s actions in the French elections.
A Dutch analyst for Trend Micro, Feike Hacquebord, said in an email that the hackers had set up fake internet domains on March 15 and on April 12, 14 and 17 that were similar to ones used by Macron’s En Marche! party or his official campaign.
The intent, he said, was that hackers could send “spearphishing” emails to people associated with the campaign and lure them to click on safe-sounding links that would allow hackers to get a foothold in networks.
“We did notify French authorities. Generally speaking, Pawn Storm is known to have very good social engineering skills,” Hacquebord said, referring to the GRU-affiliated unit by his company’s name for it. “They don’t give up easily. Like the name suggests, Pawn Storm will attack from different sides.”
Trend Micro gave the group the name Pawn Storm two years ago after a strategy in chess in which a player moves pawns in quick succession toward an opponent’s defenses.
It is not known whether the Russian hackers succeeded in gaining a foothold in the Macron campaign’s networks.
Hacquebord said a single registrant unrelated to Macron’s campaign had set up the domain names onedrive-en-marche.fr, portal-office.fr, mail-en-march.fr and accounts-office.fr – all designed to appear connected to his campaign or to the Microsoft cloud services it uses.
“They increase the likelihood that their targets will fall for the phishing with excellent social engineering, precise targeting and by registering domain names that are very similar to the domains of the legitimate Macron campaign and Microsoft services,” Hacquebord said.
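A defender watching new domain registrations can flag names of this kind automatically. The following Python sketch is an added example, not code from Trend Micro or from the original article: the watch-list tokens and the allow-listed campaign domain are assumptions, and the sample feed is constructed from the four domains named above plus two benign entries.

```python
# Added example: triage newly observed domains for brand lookalikes.
WATCH = ("en-marche", "onedrive", "office")  # assumed watch-list tokens
ALLOW = {"en-marche.fr"}                     # assumed legitimate domain

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reasons(domain, watch=WATCH, allow=ALLOW):
    """Return why a domain resembles a watched brand, or [] if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in allow or any(domain.endswith("." + a) for a in allow):
        return []                      # the organisation's own domains
    label = domain.rsplit(".", 1)[0]   # drop the TLD, keep hyphens
    reasons = []
    for brand in watch:
        if brand in label:             # brand embedded next to a lure word
            reasons.append("contains:" + brand)
            continue
        n = len(brand)                 # otherwise look for a one-edit near miss
        windows = {label[i:i + w] for w in (n - 1, n, n + 1)
                   for i in range(max(1, len(label) - w + 1))}
        if any(edit_distance(win, brand) <= 1 for win in windows):
            reasons.append("near:" + brand)
    return reasons

def triage(domains):
    """Map each flagged domain to its reasons; unflagged domains are omitted."""
    hits = {d: lookalike_reasons(d) for d in domains}
    return {d: r for d, r in hits.items() if r}

# Constructed feed: the four domains named in the article plus benign entries.
SAMPLE = ["onedrive-en-marche.fr", "portal-office.fr", "mail-en-march.fr",
          "accounts-office.fr", "en-marche.fr", "lemonde.fr"]

if __name__ == "__main__":
    for name, why in triage(SAMPLE).items():
        print(name, why)
```

A hit is a triage signal rather than a verdict: a generic token such as "office" also matches unrelated registrations, so flagged names still need a check of who registered them and when.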
The hackers also went to the trouble of obtaining certificates, so that the disguised sites used encryption and appeared even more legitimate.
“They take a great amount of energy to be able to disguise their attacks. It’s definitely a shift in their strategy,” said Ed Cabrera, chief cybersecurity officer for Trend Micro, which was founded in Los Angeles but now has its headquarters in Tokyo.
The hacking group also appears to be ramping up targeting of the German political establishment. Hacquebord said the Russian hackers had set up or activated domains this month to launch attacks on two prominent think tanks, Konrad Adenauer and Friedrich Ebert, foundations linked, respectively, with the Christian Democratic and Social Democratic parties. The German general elections are in September.
Macron’s campaign manager, Richard Ferrand, complained bitterly in February of “hundreds if not thousands of attacks” on the campaign’s computer networks.
During the campaign, Russian media strongly attacked Macron, a former investment banker, accusing him of being a “fraud” and a tool of the U.S. banking industry.
“What we want is for authorities at the highest level to take the matter in hand to guarantee that there is no foreign meddling in our democracy. The Americans saw it but it came too late,” Ferrand said, according to a Reuters report at the time.
U.S. intelligence agencies said in a report Jan. 6 that Russian state hackers, under direction from the Kremlin, had broken into networks of the Democratic Party and into emails of Clinton campaign officials in 2016 with the aim of assisting Donald Trump’s campaign.
Putin has dismissed the charges. After initially rejecting any Russian involvement in the hacking, Trump acknowledged earlier this year that Russia was responsible. The FBI is leading an investigation into the Russian meddling, and several committees on Capitol Hill also are conducting probes.