Less than 48 hours before Emmanuel Macron was declared the new president of France, hackers posted nine gigabytes of what were alleged to be campaign staffers' emails online. The hackers, however, were reportedly partly foiled by the candidate's tech team, led by 33-year-old Mounir Mahjoubi.
In interviews, Mahjoubi claimed his team was able to slow the hackers down through misdirection. The hackers relied on phishing emails, the same tactic used against the Hillary Clinton campaign, that direct recipients to a fake login page impersonating the real one. When an unsuspecting user types in their credentials, the fake page forwards the username and password to the hackers.
“You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out,” Mahjoubi said in an interview with The Daily Beast. It’s unclear when the hack actually took place, but emails from the Macron campaign appeared online on Friday.
In other words, the Macron team apparently identified some of the phishing emails sent to campaign staff and responded by submitting fake usernames and passwords to the malicious login pages, so that the attackers' harvest was padded with credentials that had to be tried and discarded.
Is this kind of defense actually feasible, and if so, how effective would it be? After all, hackers still made off with “five entire mail boxes,” as Mahjoubi told French public radio, that were personal accounts belonging to “important people in the organization chart” including “the financial officer of the organization.”
But Morgan Marquis-Boire, the director of security for First Look Media and a former senior security engineer at Google, believes it is both technically possible and pretty savvy to feed hackers fake information.
“If you think about this whole thing as an intelligence operation and think back to whatever you remember of Cold War spycraft from television shows, if you know that you're being overheard then you will probably say things that you want the adversary to listen to,” Marquis-Boire told The Outline. “For instance, if you know your phone call is being tapped, then relaying false information is not bad tradecraft.”
Marquis-Boire said that in theory the Macron campaign could have replied to a phishing email with login credentials for a dummy email account created specifically for deception and filled with whatever mail the defenders wanted the attackers to read. Alternatively, Marquis-Boire said, one could replicate a legitimate inbox while removing “information that is actually sensitive and replacing it with stuff that is, you know, what you want the adversary to read.”
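The two tactics described above, flooding a phishing form with decoy credentials and handing out logins for monitored dummy mailboxes, can be combined in a small tool. The following is an added example written for this page, not the Macron team's or Mahjoubi's own tooling; the form field names, the domain, the fictitious staff names and the auth-log format are all assumptions. Every "true" credential it sends is for a decoy mailbox the defender controls, never a live staff password; a successful login with one of those is the signal that the phished data is being used.

```python
"""Decoy-credential flooding of a phishing form, plus detection of canary logins.

Added example for illustration; field names, domain and log format are assumptions.
"""
import random
import string
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlencode

# Constructed, fictitious local-parts used to build plausible-looking decoy usernames.
FAKE_NAMES = ["a.dupont", "c.martin", "l.bernard", "p.thomas", "m.petit", "s.robert"]
PASSWORD_ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class Decoy:
    username: str
    password: str
    canary: bool  # True: a real, monitored decoy mailbox exists for this login


def make_decoys(domain: str, count: int, canary_every: int = 5, seed: int = 0) -> list:
    """Build `count` decoy credentials for `domain`.

    Every `canary_every`-th pair is a canary: the operator creates a genuine mailbox
    for it (seeded with harmless or misleading content) so a login with it succeeds,
    keeps the attacker busy, and can be alerted on. The rest are pure noise.
    `seed` makes the output reproducible, so the defender keeps a record of what was sent.
    """
    rng = random.Random(seed)
    decoys = []
    for i in range(count):
        name = FAKE_NAMES[i % len(FAKE_NAMES)]
        suffix = "" if i < len(FAKE_NAMES) else str(i // len(FAKE_NAMES))
        password = "".join(rng.choice(PASSWORD_ALPHABET) for _ in range(14))
        canary = (i % canary_every) == canary_every - 1
        decoys.append(Decoy(f"{name}{suffix}@{domain}", password, canary))
    return decoys


def build_post_body(field_map: dict, decoy: Decoy, extra: Optional[dict] = None) -> str:
    """Encode one decoy exactly as the phishing form would submit it.

    `field_map` names the form fields carrying the username and password, read from
    the phishing page's HTML (assumed here: {"username": "login", "password": "passwd"});
    `extra` passes any hidden fields through unchanged.
    """
    data = dict(extra or {})
    data[field_map["username"]] = decoy.username
    data[field_map["password"]] = decoy.password
    return urlencode(data)


def flood(decoys: Iterable[Decoy], submit: Callable[[str], bool],
          field_map: dict, extra: Optional[dict] = None) -> int:
    """Push every decoy through `submit`, a callable that POSTs one urlencoded body
    to the phishing endpoint and returns True if the request went through.
    Network I/O is kept outside this function so it can be exercised offline."""
    delivered = 0
    for decoy in decoys:
        if submit(build_post_body(field_map, decoy, extra)):
            delivered += 1
    return delivered


def canary_logins(auth_log: Iterable[str], decoys: Iterable[Decoy]) -> list:
    """Return the auth-log lines where a canary username logged in successfully.

    Assumed (constructed) log format:
    "<timestamp> LOGIN user=<name> result=<ok|fail> src=<ip>".
    A hit means the phished credentials are being used, and from where.
    """
    canaries = {d.username for d in decoys if d.canary}
    hits = []
    for line in auth_log:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("user") in canaries and fields.get("result") == "ok":
            hits.append(line)
    return hits


if __name__ == "__main__":
    decoys = make_decoys("campaign.example", 10)
    sent_bodies = []

    def fake_submit(body: str) -> bool:
        # Stand-in for an HTTP POST; a real submitter would use urllib or requests.
        sent_bodies.append(body)
        return True

    n = flood(decoys, fake_submit, {"username": "login", "password": "passwd"},
              extra={"redirect": "/inbox"})
    print(f"delivered {n} decoy logins; first body: {sent_bodies[0]}")
    # Constructed sample log: one canary used from an unfamiliar address.
    sample_log = [
        f"2017-05-05T21:03:11Z LOGIN user={decoys[4].username} result=ok src=203.0.113.7",
        "2017-05-05T21:04:02Z LOGIN user=someone@campaign.example result=fail src=203.0.113.7",
        f"2017-05-05T21:05:40Z LOGIN user={decoys[0].username} result=ok src=198.51.100.9",
    ]
    for hit in canary_logins(sample_log, decoys):
        print("ALERT canary used:", hit)
```

The value of the noise entries is only to cost the attacker time, which is why the page stresses mixing in credentials that do work: those have to belong to mailboxes the defender owns and watches, so a login against them produces an alert with a source address rather than a compromised staffer. Keep the generated list, since it is the only way to tell a canary hit from an ordinary login later.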
The Macron campaign still got pwned, but pushing false login credentials may have slowed the hackers down. Such tactics may be increasingly important for political campaigns as they are targeted by sophisticated hackers. The Department of Homeland Security and the Director of National Intelligence jointly accused Russia of hacking the Democratic National Committee, and hearings investigating Russian influence in the US election are ongoing.
It’s unclear if Russian hackers were behind the Macron hack, but early analysis by cybersecurity firm Trend Micro shows that the attacks against Macron’s campaign resemble previous attacks carried out by Fancy Bear (also known as APT28), the group linked to the hacking of Clinton campaign chairman John Podesta and the Democratic National Committee.
“We don’t know specifically what was used in their attacks,” Jon Clay, global threat communications manager at Trend Micro, told The Outline. “What we do know is phishing domains were created and published to most likely support some form of credential phishing attack.”
The threat of well-funded nation state hackers attacking major political campaigns is the new reality, and campaigns have no choice but to dedicate similar resources to battling it.
“The problem with a nation state adversary is that they are organized and generally very well resourced and so you do need a dedicated team worrying about the specific problem,” Marquis-Boire said. “Because if it is someone's job every day to attack a target, this means that the target equivalently has to devote resources. And it did appear Macron had a team dedicated to this, which is smart.”
Of course, the hackers still got what appear to be gigabytes of real emails from Macron’s campaign. The politician was able to avoid damage to his reputation not because of his tech team, but because of a mandated blackout on campaigning and media coverage that begins two days before polls close. When the documents were released, the French National Election Commission warned media outlets against reporting on them, issuing a statement on the potential legal repercussions: “The Commission stresses that the dissemination or republication of such information, fraudulently obtained and which may, in all likelihood, have been mixed with false information, is liable to be classified as criminal in several respects for which its authors will be held responsible.”
If Macron and other politicians want to fight hackers in the future, the best move would be for the head tech officers at campaigns and in government to share intelligence about the threats they’re facing as well as the tactics they use to counteract them. “An aggressive defense in a digital sense starts to move into counterintelligence,” Marquis-Boire said. “There's kind of a blur.”