Hacking against France’s Macron previews dangers for other major European elections

“If this is APT28, then they have not abandoned this tool. We can anticipate they’ll continue to use it until the consequences for these actions are greater.”
Photo by Yukiko Matsuoka/Flickr (CC BY 2.0)

Last week’s “massive and coordinated hack” against the campaign of French President-elect Emmanuel Macron was the opening act in a year slated with critical European elections that will help decide the fate of the EU.

The incident was, for about 24 hours, a hold-your-breath moment for Macron’s campaign. By Sunday night, the centrist candidate handily won, taking more than 66 percent of the vote over far-right-wing rival Marine Le Pen. Le Pen’s global array of opponents exhaled.

But any reprieve for election systems’ cyber-defenders is destined to be brief. The United Kingdom, Germany and France are readying themselves for further elections and similar potential attacks. Experts have noted close similarities between this week’s leaked emails and hacks against American political targets in 2016 that were blamed widely on Russian intelligence agencies.

While most experts say it’s too early yet to definitively attribute these latest attacks to any specific group, many expect the coming year to be characterized by political hacking. John Hultquist, a senior analyst at the cybersecurity firm FireEye, told CyberScoop that the incident in France has some of the hallmarks of APT28 — the firm’s designation for the group known as Fancy Bear, which has been linked to Russian intelligence agencies.


“We definitely anticipate this is not the last time we see APT28 carrying out this sort of activity,” Hultquist said. “We are very concerned for their involvement in other elections in the U.K. and Germany especially,” Hultquist said.

After that, the U.S. midterm elections in 2018 are thought to be the next major target.

The three biggest remaining European elections of the year are:

  • The United Kingdom’s general election on June 8. Prime Minister Theresa May is defending the Conservatives’ majority in Parliament in an election centered around the U.K. leaving the E.U.
  • The French legislative election on June 11 and 18. Americans would do well to remember the significant differences in how the U.S. government works versus France. Because the French presidency is far less powerful than the American Oval Office, the so-called “third round” of French elections in June will ultimately decide the course forward for France.
  • The German federal election on Sept. 24. Chancellor Angela Merkel’s government is up for reelection. Security is the contest’s signature issue as Merkel, one of Europe’s most powerful politicians and a chief antagonist to Russian President Vladimir Putin, seeks her fourth term.

There were obvious and meaningful similarities shared by the hacking that took place during the 2016 U.S. presidential elections and this year’s French incident, but there has been no evidence or definitive attribution offered by public or private experts.


In addition to the pile of similarities to recent incidents, the Macron hacking comes with differences. For instance, absent this time around were the personas like Guccifer 2.0 who were used to publish and publicize leaked data in 2016.

“The problem with these fictitious personas is they were leveraged to further identify APT28’s hand in the activity,” Hultquist said. “There were forensic artifacts associated with the personas and the personas themselves were done pretty poorly. All those pieces gave us the upper hand. It’s possible the actors have recognized the dangers of using personas and are walking away from that method and are instead using WikiLeaks or posting things to Pastebin without context in order to prevent attribution.”

Threats extend well beyond a handful of major elections or official political institutions. Recent reports showed Russian hackers targeting various foreign journalists for years.

“Political figures are getting the message,” said Ed Cabrera, chief cybersecurity officer at Trend Micro. The open question is how that translates to action.

“The good news is that APT28 is not perfect,” Hultquist said. “They make mistakes regularly. We’ve had the ability on several occasions to proactively track them, my organization does that fairly regularly. We’ve found evidence of their activity as it arose, as they were preparing. For instance, infrastructure in the midst of carrying out their operations. A defender who was looking to interdict their activities could really take a proactive approach against them and it’s quite possible they could be successful.”


A Saturday morning report from the Daily Beast, citing Mounir Mahjoubi, the head of Macron’s digital team, said Macron’s camp planted bogus information and a flood of data as an active defense to counter espionage and information warfare.

Perhaps the biggest difference between the 2016 and 2017 political hacking was the reaction. Widespread consciousness of cyberattacks blamed on Russia led to the the incident in France, at least, landing with a thud. The incoming French leader is said to have hardened his views on Russia as a result of the campaign against him, a sign to some that the attack has “backfired.”

Exactly one month from today, the United Kingdom will head to the polls in order to elect their next government.

“If this is APT28, then they have not abandoned this tool,” Hultquist said. “We can anticipate they’ll continue to use it until the consequences for these actions are greater.”

Latest Podcasts