The campaign of Emmanuel Macron, the favorite to win France’s presidential election, has been targeted by a cyber-espionage group linked by some experts to the Russian military intelligence agency GRU.
Feike Hacquebord, a researcher with security firm Trend Micro, said he had found evidence that the spy group, dubbed “Pawn Storm”, targeted the Macron campaign with email phishing tricks and attempts to install malware on the campaign site.
He said telltale digital fingerprints linked the Macron attacks with those last year on the US Democratic National Committee (DNC), the campaign of presidential candidate Hillary Clinton, and that similar techniques were used to target German Chancellor Angela Merkel’s party in April and May of 2016.
“We have seen that phishing sites were set up and the fingerprints were really the same actors as in the DNC breach,” Hacquebord told Reuters.
Russia denied any involvement in the attacks on Macron’s campaign.
Security experts say Pawn Storm is known to let time pass before leaking stolen documents and that any hacking of Macron’s campaign in recent months is unlikely to influence the run-up to the 7 May second round. But, if documents have been stolen, they could be used to undermine Macron’s presidency should he win.
A spokesman for French government cyber security agency ANSSI confirmed the attacks on the Macron campaign, but declined to say whether the Russian-linked group was to blame.
“What we can establish is that it’s the classic operation procedure of Pawn Storm,” the spokesman said. “However, we will not attribute the attack because we can very easily be manipulated and the attacker could pass themselves off as somebody else.”
The Macron campaign was not immediately available to comment.
In the run-off vote, Macron, a liberal internationalist who has been critical of Russian foreign policy, will face far-right leader Marine Le Pen, who has taken loans from Russian banks and advocated pro-Kremlin policies.
Hacquebord said the Pawn Storm group set up four fake email phishing accounts to mount attacks against Macron’s En Marche (Onwards), using a fake server located at onedrive-en-marche.fr and similar site names in March and April.
The attack was mounted using computers based in France, Britain and other countries, he said.
“These kinds of attacks are quite dangerous,” Hacquebord said. “Credential phishing is probably a very good way to try and compromise a political party.”
“Why Russia ?”
Pawn Storm, one of the world’s oldest cyber espionage groups, has also been called APT 28, Fancy Bear, Sofancy and Strontium by a range of security firms and government officials.
Security firm CrowdStrike has said the group may be associated with the Russian military intelligence agency GRU. Other US-based firms Dell SecureWorks, FireEye and ThreatConnect have also found ties to the Russian government.
Hacquebord’s Tokyo-based Trend Micro has consistently said conclusive proof of Russian involvement is hard given the difficulty of attributing cyber-attacks.
“What (hacking) groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now and do not do their authors any credit,” Kremlin spokesman Dmitry Peskov told reporters on Monday.
Hacquebord, author of a dozen reports over the past two years detailing the group’s methods, said the attacks he uncovered appear to differ from ones described by Macron’s campaign in February.
Richard Ferrand, secretary-general of En Marche, made the first direct accusation by a French political party that Russia was trying influence the outcome of the elections.
Ferrand told a news conference on 13 February that the En Marche campaign was being hit by “hundreds if not thousands” of attacks on its networks, databases and sites from locations inside Russia.
Pawn Storm has become widely known since 2014 for its increasingly brazen attacks against Western leaders, governments, militaries and industrial and media organisations.
Its origins date back a decade earlier to attacks on opposition activists in Russia and governments in neighboring countries such as Ukraine.