Researchers link Macron hack to APT28 with ‘moderate confidence’

"Flashpoint’s hypothesis [is] that the Macron leak was undertaken by Fancy Bear."
Paris call for trust
Emmanuel Macron (French Embassy in the U.S. / Flickr)

This story has been updated.

The cybersecurity firm Flashpoint linked the hacking and leaking of French President Emmanuel Macron’s emails to Fancy Bear, the hacking group also known as APT28.

“Flashpoint’s hypothesis [is] that the Macron leak was undertaken by Fancy Bear based on the contents of the dump itself, as well as the current and historic political environment in which this attack took place,” said Vitali Kremez, research director for Flashpoint. APT28, which has been linked to Russian intelligence agencies, was blamed for hacking Hillary Clinton’s campaign and the Democratic National Committee in 2016. Researchers have recently linked other high-profile phishing attempts to the group.

“Our assessment of the Russian APT28 interference in the recent French elections was based on a multitude of facts to support our findings,” Tom Hoffmann, Flashpoint’s vice president of intelligence, told CyberScoop. “The recent leak of Macron documents fits into a pattern of cyber activity directed against Western government entities that has been traced to Russian threat actors, and specifically to Fancy Bear, over the course of a number of years. This threat group has traditionally undertaken attacks that align with the geopolitical interests of the Russian Federation.”


Hoffmann pointed to a report by Trend Micro showing Russian cyber operations against the Macron campaign, the Macron campaign’s own claims of cyber operations against it, an apparent but unproven attempt to scrub metadata from the leaked data that linked the operation to a Russian company with several government security contracts, the alignment with Russian geopolitical goals and other similarities (including the use of social media bots and disinformation campaigns) to previous Fancy Bear-linked operations. Additionally, Hoffman points to Admiral Mike Rogers’ statement on US communications with France regarding Russian cyber activity,

“Any one of these data points in and of themselves doesn’t point us to APT28 or Russia,” Hoffmann said. “But I think when you look at all these data points together, that’s what led us to make that moderate confidence assessment that it was APT28.”

An April 2017 report from TrendMicro identified numerous cyber-operations involving both phishing and malware traced back to APT28. Part of TrendMicro’s research and subsequent reporting by the cybersecurity firm ThreatConnect identified specific domains belonging to Fancy Bear in order to attack the French campaign.

Moscow’s geopolitical interest in the French election is also crucial for context when evaluating cyberattacks against Macron. Marine Le Pen, the far right-wing nationalist who finished second in the election, made numerous campaign promises that align with stated Russian interests, including ending sanctions against Russia, recognizing Crimea as a part of Russia and withdrawing France from the European Union.

The leaked data also came with telling metadata pointing to edits made by Рошка, Георгий Петрович (Georgy Petrovich Roshka), a name linked to Evrika, a Russian intelligence contractor. The metadata has raised many eyebrows but is hardly definitive because it could easily be forged.


Earlier this week, Adm. Michael Rogers, who leads both the U.S. Cyber Command and the NSA, testified that the NSA tracked Russian hackers working against French political targets and then alerted French authorities prior to the “massive and coordinated hack” against the campaign of President-elect Emmanuel Macron. Reports of Russian cyber-operations against Macron have been public since at least January. Macron won the election with around two-thirds of the vote but upcoming major elections around Europe carry the specter of further hacking and interference.

“If this is APT28, then they have not abandoned this tool,” John Hultquist, a senior analyst at the cybersecurity firm FireEye, told CyberScoop. “We can anticipate they’ll continue to use it until the consequences for these actions are greater.”

What comes next will help define the future of Europe. The United Kingdom’s general election on June 8, French legislative election are on June 11 and 18 and German federal elections take place on Sept. 24.

Correction: A review by cybersecurity firm Area 1 Security of a previous version of this story revealed a technical error that had led to inaccurate analysis by Flashpoint. Flashpoint acknowledged and apologized for the mistake but stands by its overall assessment of “moderate confidence that the group is likely linked to Russia’s Main Intelligence Directorate (GRU)” and, furthermore, with APT28.

The previous version of the story included a screenshot pointing to phishing domains said to be linked to Fancy Bear and used against Macron. The screenshot Flashpoint offered showed the tool Autopsy with the keyword search “” — suggesting that a malicious domain was present. In fact, a bug in Autopsy inserted characters and led to a false conclusion about the links in the leaked data.


CyberScoop has removed the screenshot of the bugged Autopsy tool to avoid further confusion.

Latest Podcasts