Everyone saw the hackers coming.
The National Security Agency in Washington picked up the signs.
So did Emmanuel Macron’s bare-bones technology team.
And mindful of what happened in the American presidential campaign,
the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.
The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence
that was not enough to prove for certain they were working for the government of President Vladimir V. Putin
but which strongly suggested they were part of his broader “information warfare” campaign.
The story told by US officials, cyberexperts and Macron’s own campaign aides of how a hacking attack
intended to disrupt the most consequential election in France in decades ended up a dud was a useful reminder that,
as effective as cyberattacks can be in disabling Iranian nuclear plants or Ukrainian power grids, they are no silver bullet.
The kind of information warfare favored by Russia can be defeated by early warning and rapid exposure.
With only 18 people in the digital team, many of them occupied in producing campaign materials like videos,
Mahjoubi hardly had the resources to track down the hackers.
“We didn’t have time to try to catch them,” he said.
But he has his suspicions about their identity.
Simultaneously with the phishing attacks, the Macron campaign was being attacked by the Russian media with a profusion of fake news.
Oddly, the Russians did a poor job of covering their tracks.
That made it easier for private security firms, on alert after the efforts to manipulate the US election, to search for evidence.
In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo,
watched the same Russian intelligence unit behind some of the DNC hacks
start building the tools to hack Macron’s campaign.
They set up web domains mimicking those of Macron’s En Marche! party,
and began dispatching emails with malicious links and fake login pages
designed to bait campaign staffers into divulging their usernames and passwords,
or to click on a link that would give the Russians a toehold onto the campaign’s network.
It was the classic Russian playbook, security researchers say, but this time the world was prepared.
“The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them,”
said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.
Hultquist noted that the attack was characterized by haste, and a trail of digital mistakes.
“There was a time when Russian hackers were characterized by their lack of sloppiness,” Hultquist said.
“When they made mistakes, they burned their entire operation and started anew.
But since the invasion of Ukraine and Crimea, we’ve seen them carry out brazen, large-scale attacks,”
perhaps because “there have been few consequences for their actions.”
The hackers also made the mistake of releasing information that was, by any campaign standard, pretty boring.
The nine gigabytes’ worth of purportedly stolen emails and files from the Macron campaign was spun as scandalous material,
but turned out to be almost entirely the humdrum of campaign workers trying to conduct ordinary life in the midst of the election maelstrom.
One of the leaked emails details a campaign staffer’s struggle with a broken-down car.
Another documents how a campaign worker was reprimanded for failure to invoice a cup of coffee.
That is when the hackers got sloppy.
The metadata tied to a handful of documents — code that shows the origins of a document —
shows that some passed through Russian computers and were edited by Russian users.
Some Excel documents were modified using software unique to Russian versions of Microsoft Windows.
Other documents had last been modified by Russian usernames, including one person whom researchers identified as
a 32-year-old employee of Eureka CJSC, a Moscow-based technology company that works closely with the Russian Ministry of Defense and intelligence agencies.
The company has received licenses from Russia’s Federal Security Service, or FSB, to help protect state secrets.
The company did not return emails requesting comment.
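The document metadata the researchers relied on lives inside the Office file itself: an .xlsx or .docx is a zip package whose `docProps/core.xml` records the creator and the last user to modify it, and `docProps/app.xml` records the application that saved it. The following added example (written for this article, not code from the researchers or any firm named here) pulls those fields out and flags author fields written in Cyrillic; the sample package and the username in it are constructed, not taken from the leak.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the standard OOXML metadata parts.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return creator / lastModifiedBy / modified / Application from an OOXML package."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(pkg.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("lastModifiedBy", "cp:lastModifiedBy"),
                              ("modified", "dcterms:modified")):
                el = root.find(path, CORE_NS)
                if el is not None and el.text:
                    meta[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(pkg.read("docProps/app.xml"))
            el = root.find("ep:Application", APP_NS)
            if el is not None and el.text:
                meta["Application"] = el.text
    return meta


def flag_indicators(meta: dict) -> list:
    """Report author fields containing Cyrillic characters; a lead for an analyst, not proof."""
    return [f"{key} contains Cyrillic characters"
            for key in ("creator", "lastModifiedBy")
            if key in meta and CYRILLIC.search(meta[key])]


def build_sample_xlsx(last_modified_by: str) -> bytes:
    """Constructed minimal package holding only the metadata parts (no worksheet)."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator>staffer</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
            '<dcterms:modified>2017-05-05T18:00:00Z</dcterms:modified></cp:coreProperties>'
            % (CORE_NS["cp"], CORE_NS["dc"], CORE_NS["dcterms"], last_modified_by))
    app = '<Properties xmlns="%s"><Application>Microsoft Excel</Application></Properties>' % APP_NS["ep"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Run over a directory of leaked files, the same two functions give an analyst a quick triage list of documents whose editing history does not match the purported source.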
Other leaked documents appear to have been forged, or faked.
One purported to detail the purchase of the stimulant mephedrone, sometimes sold as “bath salts,”
by a Macron campaign staffer who allegedly had the drugs shipped to the address of France’s National Assembly.
But Henk Van Ess, a member of the investigations team at Bellingcat, a British investigations organization, and others
discovered that the transaction numbers in the receipt were not in the public ledger of all Bitcoin transactions.
“It’s clear they were rushed,” Hultquist said.
“If this was APT28,” he said, using the name for a Russian group believed to be linked to the GRU, a military intelligence agency,
“they have been caught in the act, and it has backfired for them.”
Now, he said, the failure of the Macron hacks could just push Russian hackers to improve their methods.
“They may have to change their playbook entirely,” Hultquist said.