Macron campaign team used honeypot accounts to fake out Fancy Bear

Newly elected French president Emmanuel Macron poses with a woman for a selfie. (credit: PATRICK KOVARIK / Getty Images)

The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron's campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information.

"We created false accounts, with false content, as traps," Macron campaign digital director Mounir Mahjoubi told the Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account."

The move was a delaying tactic aimed at increasing the attacker's workload. The "honeypot" accounts were filled with large volumes of fake documents. "That forced them to waste time, by the quantity of the documents we put in and documents that might interest them," Mahjoubi said. "Even if it made them lose one minute, we're happy."


Evidence suggests Russia behind hack of French president-elect

A last-minute information operation against French presidential candidate Emmanuel Macron did not stop him from winning Sunday's run-off election. But it did have the fingerprints of Russia all over it. (credit: Getty Images / Chesnot)

Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents.

Even WikiLeaks, which initially publicized the breach and defended its integrity on the organization's Twitter account, has since acknowledged that some of the metadata pointed directly to a Russian company with ties to the government:

Evrika ("Eureka") ZAO is a large information technology company in St. Petersburg that does some work for the Russian government, and the group includes the Federal Security Service of the Russian Federation (FSB) among its acknowledged customers (as noted in this job listing). The company is a systems integrator, and it builds its own computer equipment and provides "integrated information security systems." The metadata in some Microsoft Office files shows the last person to have edited the files to be "Roshka Georgiy Petrovich," a current or former Evrika ZAO employee.
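The article points at the "last modified by" field in the leaked Office files. As an added example (not code from the article, WikiLeaks, or any of the analysts cited), the snippet below reads the same core-properties fields (creator, lastModifiedBy, modified) straight out of an Office Open XML package's docProps/core.xml; the sample document and the names in it are constructed placeholders, not values from the dump.

```python
# Added example: inspect OOXML core metadata (docProps/core.xml) the way a
# reviewer would when checking who last edited a leaked .docx/.xlsx/.pptx.
# The sample package is constructed in memory; the names are placeholders.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def read_core_properties(data: bytes) -> dict:
    """Return creator, lastModifiedBy and modified from an OOXML package.
    Missing fields come back as None; a package with no core.xml yields {}."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path: str):
        node = root.find(path, NS)
        return node.text if node is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),
    }

def build_sample_docx(creator: str, last_modified_by: str, modified: str) -> bytes:
    """Constructed minimal package carrying only the parts needed for metadata review."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '<dcterms:modified>%s</dcterms:modified></cp:coreProperties>'
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, last_modified_by, modified)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx("author-placeholder", "editor-placeholder", "2017-05-05T20:00:00Z")
    print(read_core_properties(sample))
```

The same reader works on a real file by passing its bytes; note that these fields are plain XML and can be edited by anyone, so they are a lead for attribution, not proof on their own.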


Fancy Bear ramping up infowar against Germany—and rest of West

The bear is back. It never went away.

US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials' systems. But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany's chief of domestic intelligence warned yesterday.

In a press release issued on December 8, Germany's Bundesamt für Verfassungsschutz (BfV)—the country's domestic intelligence agency—warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of "extremist groups and parties" in Germany and destabilizing the German government. In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of "spear phishing attacks against German political parties and parliamentary groups" using the same sort of malware used against the Democratic National Committee in the US.

The statement from the BfV came on the same day that Alex Younger, the chief of the United Kingdom's Secret Intelligence Service (MI6), made more veiled references to disinformation and hacking campaigns. In remarks Younger delivered at Vauxhall Cross, MI6 headquarters, he warned of the mounting risks posed by "hybrid warfare."


Fancy Bear goes all out to beat Adobe, MSFT zero-day patches

It's been go time for spear phishing as the window for Adobe and Windows zero-day exploits closes with recent patches. (credit: Wikipedia)

A Russia-based hacking group is seeking to maximize the value of its zero-day exploits before patches issued by Adobe (released on October 26) and Microsoft (released yesterday) become widely available. In a report issued today, researchers at Trend Micro noted that spear phishing activity—malicious e-mails sent to "various governments and embassies around the world"—had ramped up significantly after these exploits were announced.

The flaws, discovered last week by Google's Threat Analysis Group, have been used in a long-running spear-phishing campaign against government, political, and military targets in the US and Europe. It's all an apparent intelligence collection effort run by the group known variously as Pawn Storm, Fancy Bear, APT28, Sofacy, and Strontium. This is the same group blamed for the hack of the Democratic National Committee and the e-mail accounts of Hillary Clinton Campaign Chairman John Podesta, former Secretary of State Colin Powell, and other political figures in the US.

While Adobe patched the vulnerability (CVE-2016-7855) with an emergency update on October 26, the Microsoft vulnerability was not patched until November 8. That's more than a week after Google announced the discovery of the exploit.
