After a hacked US election covered in Russian fingerprints, it’s easy to assume that Friday’s megaleak of emails from France’s president-elect Emmanuel Macron was the Kremlin’s work, too. Russia, after all, has the motive, the means, and a very fresh track record of meddling in Western elections to sabotage center-left candidates. But this latest breach, for now, lacks conclusive fingerprints—and what few clues there are have only added to the confusion.
On Friday, nine gigabytes of emails from Macron’s En Marche party spilled onto the web in a collection of torrent files. Within hours, the party had issued a statement blaming that leak on hackers intent to disrupt the democratic process. In the days since, armchair cybersecurity analysts and the media have been quick to conclude that the attack and data dump must have been the work of the same Russian hackers who plagued the US election last summer and fall.
But outside observers who have examined the digital evidence say it’s still too early to draw that conclusion. And doing so not only helps other countries and non-state hacker groups who might use Russia as cover, but also cheapens the act of accusing Russia in cases where the evidence is far stronger—like in last year’s brazen US election interference.
Plenty of clues do point to Russia as the source of the Macron leaks. But unlike in the case of the US election, those clues don’t yet add up to a clear, glowing trail to Red Square, says Thomas Rid, a professor at King’s College London department of War Studies. “I do think this is more likely than not a Russian operation, but I’d put this at more like 60 percent at this stage,” says Rid, who recently testified at a Senate hearing about Russian interference in the US presidential election. In that case, by contrast, Rid says he has zero doubt that the Kremlin—and specifically a hacking group known as Fancy Bear, or APT 28—was the culprit. But in the Macron case, Rid says, “none of the pieces of evidence that has come out so far is particularly strong in forensic terms. We only have circumstantial evidence. We can’t exclude the possibility that someone is trying to frame someone else.”
A stronger case exists that Russian hackers at least tried to hack the Macron campaign. Late last month, the security firm Trend Micro revealed that the Fancy Bear hacker group, which it calls Pawn Storm, had registered a phishing domain in March designed to impersonate a Microsoft file storage URL for Macron’s party. At the time, En Marche denied that phishing attempt had been successful. And on Monday, even Trend Micro wouldn’t definitively link the pre-election leak with the earlier Russian efforts.
“Trend Micro does not have evidence that this is associated with the group known as Pawn Storm,” the company wrote to WIRED in a statement. “The techniques used in this case seem to be similar to previous attacks. However, without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”
Some of the leaked Microsoft Office files contain an even stranger clue: Cyrillic-character metadata, suggesting they were opened at some point by a computer with Russian-language software settings. The Twitter feed for WikiLeaks points to nine instances in the metadata of the name Roshka Georgiy Petrovich, reportedly an employee of the Russian intelligence contractor Eureka. But that apparent metadata slipup was so clear that some cybersecurity analysts discount it as a possible misdirection technique.
“Obviously if I’d done it, I’d go to the .xml files and set this up for people to find it,” says Rob Graham, a cybersecurity consultant for the security firm Errata Sec, who downloaded the files Friday. “We all believe it’s probably Russia, but this really isn’t evidence that it is Russia.”
— WikiLeaks (@wikileaks) May 6, 2017
“We have confusing details that look somewhat deliberate to me. Is someone trying to frame these people?” asks Rid. He speculates that the Russian government might even be setting up Eureka or Petrovich as a “fall guy” for earlier operations, but admits that’s only wild speculation, not any sort of hard conclusion. “We don’t know. I would be very cautious at this point to try to make any strong attribution claims.”
Even Macron’s campaign has seemed hesitant to blame Russia. Its initial statement on the hack compared the intrusion to the breaches of Democratic targets during the US election, but didn’t go so far as to name its own attackers as Russian. In an interview with Radio France Monday, Macron’s director of digital operations Mounir Mahjoubi pointed to Russian state-controlled media and supporters of the opposing party the National Front as helping to spread the stolen information, but again didn’t name Russia as the source of the attack or leak. The Macron campaign hasn’t responded to WIRED’s requests for comments.
Getting It Right
None of that leaves Russia blameless. If anything, it highlights just how strong the evidence is that Russia did meddle in the US election.
Before any files had even leaked from the Democratic National Committee or the Clinton campaign, after all, cybersecurity firms including Crowdstrike, FireEye,and Flashpoint all pointed to the known Russian hacker group Fancy Bear based on familiar malware and command-and-control servers. When the files did leak, they again contained Cyrillic metadata, albeit with less glaring identifying details than in the Macron case. And the same account created the shortened phishing URLs sent to Clinton campaign staffer John Podesta as targeted dozens of Russia-focused journalists, political activists, and NGOs. Finally, all US intelligence agencies collectively issued an assessment that the attacks were the work of the Kremlin, though without revealing any new public evidence.
Analysts digging into the Macron attack for now presume that it started with a phishing attack that stole members of the campaign staff’s credentials. That’s a simpler technique than the sort of malware-based intrusion that hit the DNC, and one that both leaves less evidence behind and could be performed by lower-resource, non-state attackers. Crowdstrike, which was the first to identify Fancy Bear as the intruder in the DNC hack and analyze the malware used, declined WIRED’s request for comment on the Macron leak, writing that it “doesn’t have any conclusions” in the case.
The fact that attribution remains an open question in the Macron case doesn’t mean countries should take the Fancy Bear threat any less seriously. Trend Micro’s report noted that the group had registered phishing domains to target the political party of German chancellor Angela Merkel, too; Germany’s election comes in September, and is widely considered the next likely target for Russian electoral mischief.
But as the democratic world seeks to deter that rising form of political hacking, it will need to be clear about the difference between suspicion and guilt. That makes it all the more important to draw a line between the hackers who were caught red-handed, and ones who fit conveniently into the lineup of usual suspects.