An email with a malicious link, opened by a staff member of Emmanuel Macron's campaign headquarters, is the most likely vector of the attack that led to the leak of nine gigabytes of data from the mailboxes of four Macron assistants, as well as of OneDrive archive files. The modus operandi is the same as in the case of the American Democratic Party emails that were leaked to Wikileaks and used by Trump supporters to discredit Hillary Clinton. In this case, however, Wikileaks has no connection with the leak, but ironically circulated widely… a Russian connection discovered earlier by Bivol.


Wikileaks even expressed their astonishment that, besides them and Bivol, no other media organizations were investigating the origin and the authenticity of the leaked data.

The information that Macron's headquarters had been the target of attacks by the Russia-linked hacker group Pawn Storm (the same group is also known as Fancy Bear or APT28) was published as early as April 25, 2017, by the Daily Beast. The publication cites a security expert who describes the phishing methods used and claims that they were detected and even counterattacked. The phishing attack seems to have succeeded after all, as confirmed both by the statement from Macron's headquarters and by the ongoing investigation by the French prosecutor's office.

Delayed timing

The data stolen from the emails of Macron's campaign staff, and perhaps from the OneDrive cloud archive, was published on the US forum 4chan just hours ahead of the so-called "Day of Reflection" in France (the day preceding Election Day – editor's note). Macron's headquarters immediately reported that they were the victims of a hacker attack, and the French Central Electoral Commission reminded the media in a special notice that, until the polls close, they are barred from reporting any news about the political campaign, as well as any news and stories that could harm or benefit one of the candidates.

The people behind the leak most likely knew about these provisions and apparently counted not on mass-media coverage of discrediting information, but on rumours and insinuations citing the leak. In the few hours remaining before the polls opened, it was impossible to read, analyze, and verify the authenticity of the messages in mailboxes holding gigabytes of data. This, in addition to the media blackout, made possible the wide spread of fake news that could not be checked and refuted by proper fact-checking. The subsequent flurry of activity around the #MacronLeaks hashtag, launched by an American far-right activist, confirms this hypothesis.


This activist, Jack Posobiec, also very vigorously circulated documents from the previous cyber attack against Macron, which leaked on 4chan shortly before the presidential debate between Marine Le Pen and Emmanuel Macron. These files, which turned out to be fabricated, suggested that Macron held a secret account in the Cayman Islands.

Evidence of fake news is found in the leak

But there is another sign that this was the intended scenario: it is found in the leak itself, in the form of a selection of files, divided into three separate folders.

The first folder, entitled Macron_201705, contains an insurance contract between Allianz and Emmanuel Macron covering the case that his election result fails to reach the 5% threshold required to receive the subsidy for his party. A SWIFT transfer for the insurance premium is attached. There is nothing scandalous about this, but anti-Macron trolls immediately spread the information about the transfer on social networks, presenting it as a suspicious money transaction.

https://twitter.com/JackPosobiec/status/860584992702910464

The second folder, named Gemplus, contains internal documents, dating from 2001-2002, of a smart card manufacturer. The scandal-tainted businessman and arms broker Ziad Takieddine, implicated in the alleged Libyan funding of Nicolas Sarkozy's campaign, has a stake in Gemplus. Some of the documents relate to a large deal between several French arms companies and Saudi Arabia for a new border control system. None of this has anything to do with Macron. Yet it, too, was spread by Twitter trolls as "evidence" that Macron has secret money dealings with Saudi Arabia and Sarkozy.

The third folder is the most interesting. It contains 26 files, numbered 11 to 32, with financial reports, budgets and business plans for Macron's political campaign. There is nothing outrageous in their content, but, once again, they were spread by trolls, with an emphasis on the wages of people working for Macron's campaign and the cost of opinion polling.


However, it was precisely in these files that the operation slipped up.

Russian connection

The Russian connection did not fit the scenario of the troll campaign at all; quite the opposite. First, watchful observers from Generation Nouvelle Republique found metadata in Russian in the Excel files.


Nine of these files carry the name of Georgiy Petrovich Roshka, something first established by Bivol.

Following Bivol's tweet, the Russian outlet The Insider published a quick investigation showing that a person with the same name is an employee of the Russian IT company Eureka, which has contracts with Russian state institutions. Later, Wikileaks confirmed this report and published information that Eureka holds an FSB licence to handle classified information.

The origin of these files is not entirely clear, as they may come from the emails or from the archives of Macron's party in OneDrive. Metadata analysis shows that they were saved at five-minute intervals on March 27, 2017. The most recent emails in the archives are from April 24, 2017, which means that the intruders had access to the system for about a month without being spotted.

The metadata from the folder with business information related to Macron’s campaign

What do we learn from the nine files bearing Roshka's signature?

  • All contain budget tables for the upcoming campaign. The content indicates this was a business plan, but in different versions and with different dates;
  • All nine files with Roshka's signature have a creation date of 2016-05-05T16:46:06Z. The other 17 files have a creation date of 2006-09-16T00:00:00Z;
  • The mailbox of the Macron campaign treasurer, Cédric O (this is his full name), contains four Excel files whose names begin with "Business Plan". The first dates from March 5, 2016, followed by a file from May 5, 2016, and two more from later dates, May 16, 2016, and May 17, 2016;
  • All files in Cédric O's mail named "Business Plan" are encrypted;
  • The content of the four files signed by Roshka points to the date March 27, 2016, which is earlier than the first of Cédric's email messages found in the leak;
  • The other 17 files in the folder, the ones not signed by Roshka, are also found in Cédric O's mail, but they are not encrypted.

The most obvious conclusion is that Roshka worked specifically on the files containing the business plan of Macron's campaign. A very likely scenario is that the files were opened in a Russian-language version of MS Office and, when they were then saved to disk under another name, Russian-language metadata and Roshka's name were left in them. (Office writes the user name configured in the application into the "last modified by" property on every save, so simply opening and re-saving a file is enough to leave such a trace.)
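As an added example (not code from the article or from Bivol), here is how a practitioner would extract the same metadata fields from a set of .xlsx files and test for the two patterns described above: a group of files sharing one "last modified by" name and one creation timestamp, and saves spaced at a regular interval. The files, author names, file names and timestamps in it are constructed for illustration; only the namespaces and element names are those of the real OOXML core-properties part.

```python
"""Added example (not from the article): read the OOXML core properties that
the Roshka finding rests on out of .xlsx files and look for (a) a group of
files sharing one "last modified by" author and one creation timestamp and
(b) saves spaced at a regular interval.

Everything below is self-contained. The .xlsx files are constructed in memory
with only the parts needed for this check; author names, file names and
timestamps are illustrative (constructed), not values from the leaked files.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Namespaces used in docProps/core.xml of every OOXML package (.xlsx/.docx/.pptx)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def core_props(data: bytes) -> dict:
    """Read creator / lastModifiedBy / created / modified from docProps/core.xml.

    An .xlsx file is a zip; the core properties live in docProps/core.xml.
    Office fills cp:lastModifiedBy from the user name configured in the
    application on every save, so re-saving a file is enough to stamp it.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path: str):
        el = root.find(path, NS)
        return el.text if el is not None else None

    modified = text("dcterms:modified")
    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),  # raw W3CDTF string, used for grouping
        "modified": datetime.fromisoformat(modified.replace("Z", "+00:00")) if modified else None,
    }


def analyse(files: dict) -> dict:
    """Group files by (lastModifiedBy, created) and compute the gaps in minutes
    between successive save times within each group. A group whose gaps are all
    equal and non-zero was saved at a regular cadence, as the article reports
    for the nine files: a sign of one person (or script) working through them."""
    props = {name: core_props(data) for name, data in files.items()}
    groups = defaultdict(list)
    for name, p in props.items():
        groups[(p["last_modified_by"], p["created"])].append(name)

    report = {}
    for key, names in groups.items():
        times = sorted(props[n]["modified"] for n in names if props[n]["modified"])
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        report[key] = {
            "files": sorted(names),
            "save_gaps_min": gaps,
            "regular": len(gaps) > 0 and len(set(gaps)) == 1 and gaps[0] > 0,
        }
    return report


def build_xlsx(creator: str, modified_by: str, created: str, modified: str) -> bytes:
    """Construct a minimal .xlsx-shaped zip carrying only the metadata part we read."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder; real files carry more parts
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def build_sample_corpus() -> dict:
    """Constructed corpus: three files re-saved by a second editor five minutes
    apart, plus two files with an old creation stamp that nobody re-saved."""
    files = {}
    t0 = datetime(2017, 3, 27, 10, 0, tzinfo=timezone.utc)
    for i in range(3):
        saved = (t0 + timedelta(minutes=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        files[f"1{i}.xlsx"] = build_xlsx("campaign", "second editor", "2016-05-05T16:46:06Z", saved)
    for i in range(2):
        files[f"2{i}.xlsx"] = build_xlsx("campaign", "campaign", "2006-09-16T00:00:00Z", "2017-01-10T09:00:00Z")
    return files


if __name__ == "__main__":
    for (who, created), info in analyse(build_sample_corpus()).items():
        flag = "REGULAR CADENCE" if info["regular"] else ""
        print(f"{who!r:18} created={created} gaps={info['save_gaps_min']} {flag}")
        for f in info["files"]:
            print("   ", f)
```

The same four fields are what exiftool reports for Office documents as Creator, LastModifiedBy, CreateDate and ModifyDate, so the grouping can be reproduced from its output on a real folder. The caveat a forensic analyst would add is the one the article itself raises: these properties are plain text inside a zip and can be edited by anyone, so a name in them records a workflow (a save from a configured Office profile) rather than proving who sat at the keyboard.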

At this stage, many questions remain that data analysis cannot answer. Did this Roshka have anything to do with decrypting the files, or did he obtain them from OneDrive? Was his name left in the files by mistake, or was the metadata deliberately entered to attract attention? The answers will have to come from the investigating authorities, who have the originals of the stolen information as well as far more tools to analyze the origin and timing of the hacker attack.

