Did Russia hack Macron? The evidence is far from conclusive

It looks like Russia, it feels like Russia, so surely it must have been Russia. That is the version circulating in the community of security professionals currently trying to work out who stole the data of members of the campaign headquarters of France's president-elect, Emmanuel Macron.

Take, for example, FireEye, the company that first announced that the hackers who broke into the systems of the Democratic National Committee, known as APT28 and Fancy Bear, were working for Russia. These hackers are now the main suspects in the attacks on members of Macron's campaign headquarters, whose data appeared on the Internet on Friday, May 5, two days before the second round of the French presidential election.

FireEye representatives stated that the link between the APT28 group and the hacking attack on Macron rests mostly on "TTPs" (tactics, techniques and procedures). The hackers who attacked Macron, starting with phishing attacks and ending with the dissemination of the information, including through the WikiLeaks account on Twitter, used many TTPs characteristic of APT28 attacks. This was reported by John Hultquist, head of cyber espionage analysis at FireEye.

In addition, two domains, both European, were discovered that were used in phishing attacks on Macron's campaign headquarters: onedrive-en-marche.fr and mail-en-marche.fr. Before the leak, Trend Micro experts reported that, in their opinion, these sites, created in March and April, belong to Fancy Bear.

However, Hultquist said only that it "is possible" that this attack was carried out by APT28, a group which, in the opinion of the American government, is directed by the Kremlin's intelligence arm, the Main Intelligence Directorate (GRU). "Many predicted an incident like this, and it was preceded by hacking activity characteristic of APT28," said Hultquist. But he added that "the extreme attention with which the adversary approached security operations can significantly reduce experts' ability to find the perpetrators of the attack."

Although these phishing domains may have been used to carry out attacks on Macron and his supporters, there is no conclusive evidence that those attacks succeeded or that they led to the leak. Simply put, the experts were unable to find data that would establish a direct link between the known Fancy Bear command-and-control domains and the hacking of the "Forward!" movement's systems.

CrowdStrike, the company that found much of the data pointing to the involvement of the presumably Russian group Fancy Bear in the attacks on the Democratic National Committee's systems, was also unable to find a specific technical connection between them in a preliminary analysis of the available data. (The experts concluded that they had no opportunity to conduct a detailed and comprehensive analysis.)

Russia has repeatedly denied any involvement in cyber-interference in the American presidential election and in other cyber-espionage campaigns. The Kremlin did not respond to a request for comment on reports of its possible involvement in the attacks on Macron's campaign headquarters.

Is the Cyrillic misleading?

Another fact may point to Russian involvement. However, it may well be a red herring.

Cyrillic characters were discovered in the metadata of the leaked files from Macron's campaign headquarters. It is unclear how they got there. Was it a mistake? Or a deliberate diversion? These questions cannot be answered.

The metadata was there because the files had been edited in the Russian version of Microsoft Excel. It turned out that half of the changes were made by a user named "Rosca George Petrovich"; that conclusion was reached by Chris Doman of AlienVault. The company stressed that the information could be fake, planted deliberately by the hackers, the result of an error by the hackers, or a consequence of an unsuspecting user with that name having been caught up in the attack.
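The metadata clues described above come from the standard document-properties parts of an Office file: an .xlsx is a zip archive whose docProps/core.xml carries the creator and last-modified-by names and whose docProps/app.xml carries the application name and version. The following added example (not code from the article or from any of the companies it cites) builds a constructed, minimal package with invented names and dates, extracts those fields, and flags which of them contain Cyrillic characters, which is the kind of check behind the observation in the text:

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces for the two document-properties parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Unicode Cyrillic block.
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def build_sample_xlsx() -> bytes:
    """Constructed sample package (assumption: only the two metadata parts are
    needed for this demonstration). The names, date and version are invented."""
    core = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>analyst</dc:creator>
  <cp:lastModifiedBy>Иванов Иван Иванович</cp:lastModifiedBy>
  <dcterms:modified>2017-05-04T21:12:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Excel</Application>
  <AppVersion>16.0300</AppVersion>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


def extract_office_metadata(package: bytes) -> dict:
    """Return the attribution-relevant fields from an OOXML package.
    Missing parts or fields are simply left out of the result."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("modified", "dcterms:modified")):
                el = root.find(path, NS)
                if el is not None and el.text:
                    out[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for key, path in (("application", "ep:Application"),
                              ("app_version", "ep:AppVersion")):
                el = root.find(path, NS)
                if el is not None and el.text:
                    out[key] = el.text
    return out


def cyrillic_fields(meta: dict) -> list:
    """Names of the metadata fields that contain Cyrillic characters."""
    return sorted(k for k, v in meta.items() if CYRILLIC.search(v))


if __name__ == "__main__":
    meta = extract_office_metadata(build_sample_xlsx())
    for k, v in meta.items():
        print(f"{k}: {v}")
    print("fields with Cyrillic:", cyrillic_fields(meta))
```

These fields are plain text inside the archive and carry no integrity protection, which is why the article's caveat matters: a Cyrillic editor name is an observation about the file, not proof of who produced it.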

As Doman said, he found "no unambiguous data" that would allow the two phishing domains identified by Trend Micro to be linked with certainty to the leak of data from Macron's headquarters, "though it seems possible."

The situation is further complicated by the fact that Mounir Mahjoubi, responsible for digital technology at Macron's headquarters, hinted to the French media that Macron's supporters may themselves have placed fake data on their servers as bait, intended to attract the hackers and make them steal tagged data. Such lures are often used to track the actions of hackers.

Unlike the situation with the Democratic National Committee, the search for those behind the attacks on Macron's campaign headquarters has proved much more challenging.