In the early hours of the morning on May 22, 2014, four days before the Ukrainian presidential election, attackers breached the Ukrainian Central Election Committee (CEC) network. Silently, the attackers probed the infrastructure and, in doing so, identified critical servers that housed data and ran the services used in election operations. They then placed malware onto those servers, rendering the systems responsible for tallying votes inoperable.1
This attack against the Ukrainian Central Election Committee took place two years before the well-known interference in the 2016 U.S. election, and today Russia is accused of orchestrating both. At the time, however, this attribution was unknown. The Ukraine attack involved sophisticated malware and tactics: allegedly, the malware injected fake information into the election systems, designed to alter the vote count. The attackers then conducted a denial-of-service attack, preventing vote counts from reaching the central election servers. If the malware discovered on the vote-tallying systems the day before had executed successfully, data from election nodes would have failed to reach the central election management systems, and there would have been no initial evidence to dispute the election results.
The level of expertise behind this attack should have been an early warning to the world and an indicator of what was coming. U.S. media reported on the 2014 attacks promptly, but in the United States most people paid it little mind; after all, the attacks took place in Ukraine, not within the United States. Yet, as you’ll see throughout this chapter, a retrospective look at the engagement’s operational details reveals that the same nation-state attacker likely conducted long-term, multipart attacks against Ukraine in 2014, the United States in 2016, and France in 2017. In each of these cases, state-backed hackers hid behind fake online personas and used misinformation campaigns to steer the election, casting doubt in citizens’ minds.
While the breach of election systems is the most discussed aspect of the attack against the Ukrainian presidential election, the operation actually began months earlier. Here is a timeline of the events leading up to the attack:
If the attack had succeeded, it could have changed the results of a national election. The harm probably wouldn’t have been permanent; officials and security experts would have likely investigated the results, identifying and correcting the operation’s outcome after the fact. However, such an event would have inevitably and significantly reduced the Ukrainian people’s faith in both the electoral process and the government itself. Additionally, it could have led to civil unrest, potentially mobilizing Yarosh’s supporters in Ukraine and Russia.
At the time of the attacks, a hacktivist group self-named CyberBerkut took credit for these incidents. On March 3, 2014, an anonymous registrant created the domain cyber-berkut.org. Shortly after, the website organizers began to post pro-Russian propaganda, specifically targeting the Ukrainian government and its allies. In addition to its website, the group used social media (such as Facebook, VK, and Twitter) to spread messages in support of the Ukrainian presidential candidate Viktor Yanukovych, who approved of Russia’s control and influence in Ukraine.
However, shortly after the group’s emergence, various clues began to indicate that CyberBerkut was no ordinary hacktivist group. At 6 pm on March 15, CyberBerkut posted a message on its website stating that it would execute an attack against three NATO-controlled domains (Figure 4-1).5
The attack lasted a day, leaving the sites unavailable to users. This provided a hint that the group wasn’t composed of mere hacktivists. Notifying a target with the stature and government resources of NATO that you’re going to attack its infrastructure, and then successfully doing so, is rare for such groups. Moreover, CyberBerkut continued to conduct advanced hacking attacks in the time leading up to the election. In April 2014, the group compromised accounts of both Ukrainian and U.S. government officials. Shortly after the attack, CyberBerkut publicly posted stolen government emails and documents. In doing so, it spun its narrative by using social media to execute a massive misinformation campaign designed to turn the Ukrainian public against its government and its allies. The attack itself used a zero-day exploit to compromise and bypass a firewall manufactured by a major U.S. security vendor. These are only a few of the examples that have led researchers to speculate that CyberBerkut was a fake persona for a Russian-backed nation-state attacker.6
After the election attack, CyberBerkut posted a message on its website claiming that it had destroyed Ukraine’s Central Election Commission’s electronic systems.7 The message in Figure 4-2 appeared shortly before the presidential election and prior to any acknowledgment on the part of Ukraine that a compromise had taken place.
Following the attack, Ukraine’s Security Service, SBU, announced that it had identified and mitigated a virus in the Central Election Committee servers. The announcement claimed the virus had intentionally lain dormant until election day to elude detection. However, contradictory reports soon appeared, including a statement from Volodymyr Zverev, head of the State Service for Special Communication and Information Security, stating the “virus released by CyberBerkut destroyed all the internal data of the CEC servers.”8 Interior Minister Arsen Avakov also confirmed the destruction of that internal data. Simultaneously, during the election’s compromise, attackers took down the Interior Minister’s website with a denial-of-service attack. Avakov claimed that attackers had posted the message from his account, masquerading as the Interior Minister to spread misinformation about the election.9 CyberBerkut responded that the Interior Minister’s compromise never actually occurred and that Avakov had posted the messages himself.
Unfortunately, CyberBerkut would reappear in future attempts to disrupt elections. The group conducted propaganda campaigns in the 2016 U.S. election, eventually helping researchers and security vendors connect the dots, leading them to the conclusion that CyberBerkut was in fact a Russian intelligence agency.10
The Ukraine election attacks tell us a lot about Russian intelligence, as well as their playbook for election interference operations. If analysts had subsequently designed a defensive model based on the events that took place, election officials may have been able to prepare for future attacks. This certainly would have helped mitigate the damages present in the aftermath of the 2016 Democratic National Committee attacks discussed later in this chapter, as well as in other U.S. election interference attempts.
The following model, then, can act as such a reference point, allowing security officials to predict and mitigate future attacks conducted by the same nation-state. This model highlights elements of the 2014 attacks that Russia would use in election interference and hacking operations for years to come. This operational model can be seen applied against several presidential elections targeting nations discussed in this chapter.
Russian-based attackers created a fictitious hacktivist group named CyberBerkut. The personas claimed they were Ukraine-based, pro-Russian individuals fighting for the Ukrainian people’s rights. CyberBerkut also claimed to support the fourth Ukrainian President, Viktor Yanukovych. The group’s name, CyberBerkut (or KiberBerkut in Ukrainian), references Berkut, the name of a special police force within the Ukrainian Ministry of Internal Affairs. Berkut employed aggressive tactics against anyone who threatened Yanukovych’s presidency. It eventually disbanded in February 2014, just one month before the emergence of CyberBerkut.
From these events, we can assume Russia wanted to create a believable persona. This also shows an aspect of premeditation in the attacks. By comparison, both Iran and North Korea have used fake personas in their operations, but those personas had no backstory to support their validity. Because of this, researchers and security vendors have dismissed these personas and attributed attacks to governments. On the other hand, CyberBerkut remained operational, conducting attacks until 2018, four years after its emergence.
Russia heavily used social media in conjunction with the CyberBerkut persona. Other nation-states have certainly done so, too, but social media did not feature as prominently in these campaigns as it did in the 2014 election operation. CyberBerkut used social media to post messages and stolen data, ensuring that the group could reach as many people as possible within the targeted demographic. Troll farms amplified the messaging by posting or reposting propaganda-driven messages in high volume to ensure the content reached as many citizens as possible. A troll farm is a group of individuals, often paid, who push specific messaging via social media and fake news sites.
A less subtle tactic CyberBerkut used was to deface the websites of organizations that oppose the Russian government. The victims were often news and media outlets with a high volume of traffic traversing their websites. The attacker exploits the site, usually taking advantage of vulnerable, unpatched, public-facing infrastructure, and alters the contents of the page to display pro-Russian messages. Doing so accomplishes two things. First, it spreads CyberBerkut’s message while publicly embarrassing the victim organizations that failed to prevent the hack. Second, defacing websites is a tactic typically used by hacktivists, not nation-state attackers. This allows the attacker to continue their guise as pro-Russian Ukrainian citizens joining together to fight what they consider unjust treatment of the Ukrainian people. In reality, the website defacements conducted by CyberBerkut were just one part of a much bigger propaganda campaign.
CyberBerkut conducted many denial-of-service attacks against political, government, and media organizations. The group has taken credit for more than 100 such engagements, many focused on taking down mainstream websites. After each of these, media attention directed at CyberBerkut grew. In turn, readers increasingly searched the web to learn more about the group. This increased visits to the group’s web page and social media posts.
Furthermore, the group encouraged pro-Russian supporters to download malicious software onto their systems. This software would then allow CyberBerkut to leverage the resources of the supporters’ computers in denial-of-service attacks. To spread its message and advertise to its followers, CyberBerkut posted links to download the software on both social media and its website. When accessed, the link downloaded a modified version of the denial-of-service tool Slowloris. For context, a U.S. security researcher by the name of Rsnake created Slowloris and released it at Defcon 17 in 2011.11 Outside of its use in these attacks, though, Slowloris has no affiliation with CyberBerkut. This modified version of Slowloris begins by opening a connection to the target web server. Unlike a legitimate web client, the tool keeps that connection open by continually sending partial HTTP requests that never complete. It repeats this, opening connection after connection, until the target server can no longer accept new requests. Once every available connection slot is held open, legitimate users cannot access the site, creating the denial of service. CyberBerkut likely chose this tool since it has little overhead and can efficiently target small to midsize web servers from a single host. This allowed CyberBerkut to conduct DDoS attacks against targets of its choice.
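The defensive counterpart to the partial-request technique described above is a server policy that refuses to let a request header stay incomplete for long. The following is an added example, not code from the chapter, from Slowloris, or from any CyberBerkut tool: it evaluates a constructed snapshot of a server's connection table against a header deadline, a minimum receive rate, and a per-source cap on incomplete requests; all thresholds and addresses are assumed, illustrative values.

```python
"""Server-side policy against slow, partial-header connections.

Added example, not from the chapter. The connection snapshot below is constructed
and the thresholds are illustrative; a real server would tune them to its traffic.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class Conn:
    conn_id: int
    src_ip: str
    opened_at: float        # seconds on a monotonic clock
    bytes_received: int     # request-header bytes received so far
    header_complete: bool   # True once the blank line ending the header arrived


# Policy thresholds (assumed values).
HEADER_DEADLINE_S = 20.0            # a header must complete within this time
GRACE_S = 5.0                       # rate is not judged before this age
MIN_RATE_BPS = 100.0                # after the grace period, bytes/second required
PER_SOURCE_INCOMPLETE_MAX = 10      # incomplete requests allowed per source IP
MAX_HEADER_BYTES = 8192             # usual request-header size limit


def header_complete(buffer: bytes) -> bool:
    """An HTTP/1.x request header ends at the first empty line (CRLF CRLF)."""
    return b"\r\n\r\n" in buffer


def connections_to_drop(conns: Iterable[Conn], now: float) -> Dict[int, str]:
    """Return {conn_id: reason} for every connection the policy would close.

    Completed headers are never touched here; only connections still waiting
    for the rest of their request header are judged.
    """
    conns = list(conns)
    incomplete_by_src = Counter(c.src_ip for c in conns if not c.header_complete)
    drop: Dict[int, str] = {}
    for c in conns:
        if c.header_complete:
            continue
        age = now - c.opened_at
        if c.bytes_received > MAX_HEADER_BYTES:
            drop[c.conn_id] = "request header too large"
        elif age > HEADER_DEADLINE_S:
            drop[c.conn_id] = "header deadline exceeded"
        elif age > GRACE_S and c.bytes_received / age < MIN_RATE_BPS:
            drop[c.conn_id] = "header arriving below minimum rate"
        elif incomplete_by_src[c.src_ip] > PER_SOURCE_INCOMPLETE_MAX:
            drop[c.conn_id] = "too many incomplete requests from one source"
    return drop


# Constructed snapshot taken at now=30.0 (all addresses are documentation ranges).
NOW = 30.0
SAMPLE_CONNS = [
    Conn(1, "10.0.0.5", 29.5, 400, True),            # normal, finished request
    Conn(2, "10.0.0.6", 27.0, 150, False),           # slow but young: still allowed
    Conn(3, "198.51.100.7", 5.0, 300, False),        # 25 s without finishing header
    Conn(4, "198.51.100.7", 22.0, 40, False),        # 8 s, 40 bytes: 5 B/s
] + [
    Conn(5 + i, "203.0.113.9", 28.0, 20, False)      # 12 young, incomplete requests
    for i in range(12)                               # from one source
]


if __name__ == "__main__":
    for cid, reason in sorted(connections_to_drop(SAMPLE_CONNS, NOW).items()):
        print(f"close conn {cid}: {reason}")
```

Production servers expose the same knobs directly, for example Apache's mod_reqtimeout (RequestReadTimeout) and nginx's client_header_timeout; the policy above only makes the logic visible.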
In addition to its denial-of-service attacks, CyberBerkut conducted hacking operations against targets with the intention of compromising and stealing data. For example, CyberBerkut compromised a Ukrainian nongovernmental organization (NGO) and stole email correspondence between the NGO and members of the military, as well as with diplomats at the U.S. embassy in Ukraine.
CyberBerkut altered much of the data it obtained. For example, when CyberBerkut stole the communications between the NGO and the U.S. embassy, it used social media to drive viewers to its website and then altered legitimate data to make it fit its messaging. Since the actual email data and CyberBerkut’s alterations both appeared together as part of a single entry, the content seemed legitimate.
The method in which CyberBerkut breached the Ukrainian Central Election Committee network servers has not been made public. CyberBerkut did successfully breach the network, and it placed malware onto critical election servers that were responsible for counting votes. Additionally, the malware injected false data into the servers, as described earlier. In conjunction with denial-of-service and propaganda campaigns, this chaos very nearly changed the national election outcome.
On March 19, 2016, Hillary Clinton’s campaign manager, John Podesta, read an email from what appeared to be a Gmail administrator. According to the email, someone with a Ukraine-based IP address had attempted to log in to his account. The email, shown in Figure 4-3, claimed that Gmail had identified an odd locality used in the login attempt. As a precaution, it had blocked access to Podesta’s account. Podesta needed to click the included link to change his password for his own protection.
Wisely, Podesta instead reached out to IT staff for assistance. His staff reviewed the email and responded with the message shown in Figure 4-4.
In deeming the email legitimate, Podesta’s staff had made a big mistake. Unfortunately, they had not identified the email as originating from a fraudulent address. Yes, the address shown in the email body displayed a legitimate Gmail administrator account, [email protected]. This, however, was a trick. The technique used here is referred to as spoofing, and it allows the sender to choose to display a fraudulent email address to the recipient. We will discuss email address spoofing in greater detail in Chapter 6. For now, know that you should never trust an email based on the sender address shown in the email body.
The next clue that something was amiss was the use of a URL shortener in the email (the bit.ly link). A URL shortener takes a long URL that may not be easy to type and maps it to a shorter, easier-to-use address. Gmail’s password reset flow always uses Gmail’s own infrastructure, though, never a separate third-party URL shortener; a shortener lets attackers like these hide the real destination behind the link. Podesta’s IT staff knew enough to correct the password reset URL, and as such, they provided Podesta with the legitimate myaccount.google.com/security link in their response to his inquiry. Unfortunately, if they knew the email was malicious, they did not inform Podesta of it. Podesta took the advice to reset his password, but he did so by clicking the link in the original email. This resulted in his account’s compromise. Over the next year, the attacker would use Podesta’s account to increase their access, steal data, and spy on email communications associated with the U.S. Democratic Party. Figure 4-5 is a timeline displaying the hacking events associated with the Democratic campaign over the course of 2016.
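The two clues discussed above, a sender address that cannot be trusted on its face and a third-party URL shortener in a password reset email, are exactly the checks a mail gateway or help desk can automate. The following is an added example, not code from the chapter or from any mail provider: it parses a constructed message (all addresses and links are placeholders, and the recipient's own provider is assumed to be example.com) and flags envelope/From mismatches, failed SPF and DKIM results, shortener links, and links that leave the sender's domain.

```python
"""Triage checks for a password-reset style phishing email.

Added example, not from the chapter. Both messages below are constructed; the
addresses, domains and links are placeholders, not those of the real 2016 email.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from typing import List
from urllib.parse import urlparse

# Public URL shorteners. A genuine account-security email from a large provider
# links to the provider's own domain, never through one of these.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd", "buff.ly"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed lure: the From address looks like the provider's own admin address
# (example.com is assumed to be the victim's provider), but the envelope sender,
# the authentication results and the shortened link tell a different story.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Account Security" <no-reply@accounts.example.com>
To: target@example.com
Subject: Someone has your password
Content-Type: text/plain; charset=utf-8

Someone just tried to sign in to your account from an unusual location.
We blocked the attempt. Change your password now: https://bit.ly/PLACEHOLDER
"""

# Constructed genuine notice for comparison: same domain end to end, SPF/DKIM pass.
SAMPLE_LEGIT = b"""\
Return-Path: <no-reply@accounts.example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accounts.example.com; dkim=pass header.d=example.com
From: "Account Security" <no-reply@accounts.example.com>
To: target@example.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Review recent activity on your account: https://accounts.example.com/security
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the sample; production code
    should consult the public suffix list (assumption noted)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    addr = email.utils.parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_urls(msg: EmailMessage) -> List[str]:
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    from_domain = address_domain(msg.get("From", ""))
    rp_domain = address_domain(msg.get("Return-Path", ""))
    # The displayed From address is free text; the envelope sender is what the
    # sending server actually claimed, so a mismatch deserves attention.
    if rp_domain and registrable_domain(rp_domain) != registrable_domain(from_domain):
        findings.append(f"envelope sender {rp_domain} does not match From domain {from_domain}")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the sending domain")
    if "dkim=pass" not in auth:
        findings.append("no valid DKIM signature")
    for url in extract_urls(msg):
        host = urlparse(url).hostname or ""
        if host in URL_SHORTENERS:
            findings.append(f"link goes through URL shortener {host}")
        elif registrable_domain(host) != registrable_domain(from_domain):
            findings.append(f"link host {host} is outside sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw) or ["no findings"])
```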
It is not unusual for candidates and staff members to leak private campaign correspondence months and years after a campaign has finished. The Democratic Congressional Campaign Committee (DCCC)/Democratic National Committee (DNC) attack’s significance is that the Russian-based hackers compromised and publicly released emails from U.S. politicians and their staff during the final stages of the campaign. This timing amplified their impact, as these emails were never intended for public exposure. The orchestrators of the attacks likely believed that by interfering with the information Americans received about the 2016 elections, they could influence their opinions and votes. And it is entirely possible that their release directly impacted the election results.
In July 2018, the U.S. government announced Department of Justice indictments against 12 Russian military officers allegedly involved in the espionage-motivated hacking of targeted individuals and systems in an effort to obtain information that could influence the U.S. election.14 Russian hackers had breached the DCCC and DNC cyber infrastructure to steal sensitive information as part of this operation. Two separate Russian military intelligence units allegedly conducted these operations; the Department of Justice indictment attributed this complex, multiobjective attack to the operators assigned to Unit 26165 and Unit 74455, both of which are part of Glavnoje Razvedyvatel’noje Upravlenije (GRU), the Russian military’s main intelligence directorate. In private industry, cyber defenders and researchers track these groups under various names, such as APT28, Fancy Bear, Sednit, and Swallowtail.15
The cyber campaigns were severe enough that in October 2016, two years before the indictment, the U.S. Intelligence Community Office of the Director of National Intelligence and the Department of Homeland Security publicly stated that the Russian government had conducted cyber operations with the intent to interfere in the U.S. elections:16
The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. . . . These thefts and disclosures are intended to interfere with the US election process.
Although it has happened with increased frequency over the past few years, historically the U.S. government rarely accuses another government of hacking. Such an accusation inevitably draws attention to the capabilities of U.S. intelligence. Additionally, it draws attention to the accused parties and their operations, causing political tensions. When a government makes official attribution statements, the record usually does not include the proof or evidence needed to substantiate the claim. In other words, the attack has to be extremely serious for the U.S. government to go on record and point the finger at another nation-state, as there is a lot to lose if they are wrong.
In addition to the indictments for covert and fraudulent system access, U.S. prosecutors accused Russia of using social media and fake news campaigns to influence the public’s opinion of presidential candidates and subjects. During the attacks, Russia had executed a deflection campaign to draw accusers’ attentions elsewhere. This may have been the most effective use of information warfare, disinformation, and deflection seen in a cyber campaign to date.
Following the attack, the U.S. Democratic party invited the cybersecurity company CrowdStrike to investigate the breach. In June 2016, several months before the U.S. government’s own attribution, CrowdStrike publicly attributed the election interference to Russia, setting off a series of events. First, someone created the website dcleaks.com, which began to release thousands of stolen Democratic party emails obtained through the previous breaches (Figure 4-6). The DC Leaks website also provided the capability to search, view, and download the stolen Democratic emails and associated data files.17 Clearly, whoever had created DC Leaks wanted to make sure Americans could access and analyze the data—the most damaging of which consisted of the data stolen from John Podesta and his aides.
These emails contained sensitive information like political plans for how to face off against Donald Trump, the opposing Republican candidate, and for steering voters toward the Democrats’ camp. Some of the released emails didn’t reflect well on the Democratic party. This naturally caused a media storm that brought unwanted attention to some of the exposed political tactics.
The timing of the website, and of the release of the stolen emails, was suspicious: it seemed strangely coincidental that DC Leaks began only days after CrowdStrike publicly attributed the intrusions to Russia.19 And one day after CrowdStrike’s attribution, a hacker who identified themselves under the moniker Guccifer 2.0 appeared on social media, claiming to be behind the DNC attack. Guccifer 2.0 created a web page on WordPress, taking credit for the attack, and provided stolen data to prove their claims (Figure 4-7).
Shortly after creating the website, Guccifer 2.0 posted the following message:
Worldwide known cybersecurity company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by “sophisticated” hacker groups. I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy. Guccifer may have been the first one who penetrated Hillary Clinton’s and other Democrats’ mail servers. But he certainly wasn’t the last. No wonder any other hacker could easily get access to the DNC’s servers. Shame on CrowdStrike: Do you think I’ve been in the DNC’s networks for almost a year and saved only 2 documents? Do you really believe it?21
Using social media to provide stolen documents as evidence made it difficult to invalidate CrowdStrike’s attribution. Guccifer 2.0 likely knew CrowdStrike couldn’t post data publicly to prove its attribution claims; the organization would need the DCCC/DNC’s permission to release supporting evidence, since the group did not own the data itself. This put CrowdStrike in a precarious situation, since Guccifer 2.0 could post and say anything they wanted. More importantly, if Guccifer 2.0 was not behind the hack, how did they obtain the stolen data?
There were two explanations. The first was that Guccifer 2.0 was affiliated with Russian intelligence, which supported CrowdStrike’s theory that Russia was behind the attack. The second was that CrowdStrike actually got this wrong, and Guccifer 2.0 really was a Romanian (something they had claimed)22 trying to attack the Democratic process. As details of the investigation emerged, the case only grew more confusing. Soon after the public release, federal law enforcement, researchers, and investigators analyzed the stolen documents Guccifer 2.0 had posted. Document metadata confirmed their authenticity. The metadata also showed that they originated from DNC servers located on the East Coast of the United States, meaning Guccifer 2.0 hadn’t taken them from some other source. They had effectively provided evidence of their access to legitimate DNC servers.
Spear-phishing emails had led to the compromise of John Podesta’s email credentials. Oddly, Guccifer 2.0 made no mention of this when Motherboard—an online publication—asked, in an interview, how they had attacked the DNC. Instead, Guccifer 2.0 explained how they accessed the DNC data: “I hacked that server through the NGP VAN [software].”23 NGP VAN is a technology provider that makes software for political and fundraising platforms. In an attempt to provide validity to their claim, Guccifer 2.0 provided stolen documents to the media organization Forbes that included details of the internal IT infrastructure of the DNC. Some of these details included specific information on NGP VAN’s deployment. However, they did not provide details on how they exploited the platform, either.
The only issue with Guccifer 2.0’s claim is that neither CrowdStrike nor anyone else has found any evidence in support of it. No evidence validates that the NGP VAN software present in the DNC environment was tampered with or altered. Additionally, if Guccifer 2.0 exploited a vulnerability in the software during the timeframe they claimed, no one has ever discovered it. Yet Guccifer 2.0 had no problem providing stolen data to validate their initial claim; therefore, if the NGP VAN exploit were true, why would they withhold proof of it now?
However, Guccifer 2.0 made a mistake. During the online interview with Motherboard, Guccifer 2.0 claimed Russia had nothing to do with the attacks, that they alone did all of the work. But at some point Motherboard questioned Guccifer 2.0 in Romanian: their native language. In that moment, Guccifer 2.0 began to hesitate, taking much longer to respond. Motherboard asked Guccifer 2.0 if they had thought about using Google Translate, not so subtly implying that they did not know Romanian. Guccifer 2.0 did eventually respond, but they had trouble writing clearly in Romanian and produced several other linguistic inconsistencies. This was a huge operational mistake. It was a human mistake, and a huge strike against Guccifer 2.0’s credibility. Eventually, Guccifer 2.0 became frustrated and stopped responding to questions. Naturally, this ended the interview. Guccifer 2.0 should never have agreed to give the Motherboard interview in real time. If they had asked for the questions over email, they could have taken the time to respond with polished answers.
Guccifer 2.0 made other mistakes. Remember, their online existence did not begin until just after CrowdStrike made the public attribution linking Russia to the election interference. You never begin your persona’s life on the same day you intend to use it. Doing so makes it easy to spot as a fake. Real people—that is, individuals who do not present a false façade through the use of a persona—create their social media accounts and then, over time, intrinsically build a history and reputation through use. Creating a strong fake persona requires the same amount of effort, a wealth of time, and intelligent planning. Clearly, Guccifer 2.0’s creation mere hours before its first use begs a question: Was this a last-minute decision made without planning or coordination?
Guccifer 2.0’s third mistake was that a number of the released documents had timestamps indicating that someone saved them long after the actual timing of the theft. Quite simply, this suggests that the attacker altered and saved the documents after the fact. The timing of their actions means that the associated metadata is related solely to the attacker, not the legitimate data owner. The “save” timestamp read “2016-06-15:05:42,” which is just before Guccifer 2.0 released the stolen data and several months after the initial theft took place. Additionally, as you can see in Figure 4-8, the “Last Modified By” stamp shows Cyrillic characters that translate to “Felix Edmundovich Dzerzhinsky.”
Researching the name revealed that Dzerzhinsky25 was the director of the Russian State Political Directorate, Russia’s first intelligence service and secret police. The real Mr. Dzerzhinsky is deceased and couldn’t have saved the stolen Democratic document. Granted, it is plausible that a military officer working for Russia’s Main Intelligence Directorate, the GRU, would use this moniker as their alias. It is similarly plausible, then, that they accidentally saved (or, more likely, autosaved) the document while viewing it on their desktop before releasing it as part of their operation. Additionally, the Cyrillic characters indicate that the computer used to save the document was configured with the Russian language set.
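The two document clues described above, a "Last Modified By" value in Cyrillic and a save time that falls after the theft, both live in the core-properties part of an Office Open XML file. The following is an added example, not code from the chapter or from the investigators: it builds a minimal .docx in memory (its author, timestamps and operator name are constructed placeholders that mirror the indicators in the text, and the theft cutoff date is an assumed value), reads docProps/core.xml, and reports the same kinds of findings.

```python
"""Inspect .docx core properties for traces of post-theft editing.

Added example, not from the chapter. The document is constructed in memory; its
metadata values and THEFT_CUTOFF are placeholders, not the real DNC document's.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")

# Assumed end of the theft window; in a real case this comes from the incident timeline.
THEFT_CUTOFF = datetime(2016, 4, 30, tzinfo=timezone.utc)

# Constructed core.xml. The chapter quotes the save stamp as 2016-06-15:05:42;
# core.xml stores timestamps in W3CDTF form, so the same moment is written that way.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>staff-author-placeholder</dc:creator>
  <cp:lastModifiedBy>Феликс Эдмундович</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2015-12-19T15:10:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-15T05:42:00Z</dcterms:modified>
</cp:coreProperties>
""" % NS

CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/docProps/core.xml"
    ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
</Types>
"""


def build_sample_docx(core_xml: str) -> bytes:
    """Constructed minimal package: just the parts needed for metadata inspection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> Dict[str, str]:
    """Pull creator, last editor and timestamps out of docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag: str) -> str:
        el = root.find(tag, NS)
        return el.text.strip() if el is not None and el.text else ""

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def parse_w3cdtf(value: str) -> Optional[datetime]:
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def assess(props: Dict[str, str], theft_cutoff: datetime) -> List[str]:
    """Flag the indicators the chapter describes: a last editor who is not the
    author, Cyrillic in that field, and a save time after the theft window."""
    findings: List[str] = []
    editor = props["last_modified_by"]
    if CYRILLIC.search(editor):
        findings.append("lastModifiedBy contains Cyrillic characters: " + editor)
    if editor and editor != props["creator"]:
        findings.append(f"lastModifiedBy ({editor}) differs from creator ({props['creator']})")
    created, modified = parse_w3cdtf(props["created"]), parse_w3cdtf(props["modified"])
    if modified and modified > theft_cutoff:
        findings.append(f"modified {modified.isoformat()} is after theft cutoff {theft_cutoff.date()}")
    if created and modified and modified < created:
        findings.append("modified precedes created: clock skew or tampering")
    return findings


if __name__ == "__main__":
    for line in assess(read_core_properties(build_sample_docx(CORE_XML)), THEFT_CUTOFF):
        print(line)
```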
The final and most serious mistake that Guccifer 2.0 made provided distinct evidence indicating that they truly were foreign intelligence officers. Whenever Guccifer 2.0 was online, they used a VPN service to provide a layer of anonymity. Using a VPN prevented investigators from tracing the activity to their true location. However, on at least one occasion, Guccifer 2.0 failed to activate the VPN client before logging on. As a result, they left their real, Moscow-based Internet Protocol address in the server logs of an American social media company (likely Twitter), and these logs likely ended up in the hands of the Department of Justice as evidence of the Russian connection.
The world has not heard from Guccifer 2.0 since the completion of the 2016 presidential election. Guccifer 2.0 simply disappeared; both their website and social media accounts lie dormant.
The 2017 French election, which pitted Emmanuel Macron against Marine Le Pen, highlights another example of alleged Russian interference in an election. Unlike the previously discussed efforts, the interference in the French election largely failed to have any impact. Yet this fact is precisely what makes this incident an interesting case study.
In early 2017, campaign staffers supporting French presidential candidate Emmanuel Macron received an email that appeared to originate from their head of press relations. The email included an attachment providing recommended talking points for conversations with the press. Unbeknownst to the email recipients, this was one of two rounds of spear-phishing attempts targeting Macron’s campaign. The email did not actually originate from the head of press relations but from an established Russian military hacker named Anatoliy Sergeyevich Kovalev. Kovalev is an officer working for Military Unit 74455, a part of Russia’s GRU intelligence agency (https://www.fbi.gov/wanted/cyber/anatoliy-sergeyevich-kovalev/).
The attacker had spoofed a number of email addresses and domains to mimic legitimate domains and organizations familiar to the targets. Table 4-1 shows the domains and registrant email address the attacker created for the Macron attacks.
Table 4-1: Attacker-Registered Infrastructure for Use in 2017 French Presidential Election
These domains were essential to the attribution of the Macron case. Several of them resided on the IP address 220.127.116.11; the U.S. Department of State had previously identified this IP address as belonging to infrastructure used in part of Russian GRU Unit 74455’s operations. Also, Unit 74455 frequently uses mail.com email addresses to register its domains and create accounts for phishing operations.
Between April and May 2017, before the election, attackers had initiated several phishing attacks against Macron staffers and collaborators. While the total number of infected targets is unknown, attackers compromised at least five of those deemed Macron’s “close collaborators,” including Macron’s campaign treasurer, speechwriter, and parliament members.26 This should sound familiar, as the French elections appeared to follow the same playbook shown in the 2016 U.S. election. Recall that members of Hillary Clinton’s campaign fell victim to spear-phishing attacks that the GRU allegedly conducted itself. Additionally, Kovalev, the Russian GRU hacker accused of executing the operation against Macron’s team, was named and identified in the United States’ 2018 indictment.
Let’s discuss how the rest of the attack took place. Like other election interference operations, the attacker leveraged propaganda, theft, and manipulation of internal campaign data and its public release in an attempt to spread misinformation.
First, using troll farms with fake accounts and online personas, the attacker attempted to sway public opinion to turn against Macron while supporting his opponent Marine Le Pen. Troll farms generated a large volume of misleading political messaging designed to influence public opinion. Next, bots, or automated social media accounts, promoted the messaging. The bots “liked” or reposted the troll-derived messages, exposing the message to as many people as possible. (These strategies took place in both the Ukraine and U.S. elections discussed earlier, as well.) For example, the information populated via “fake news” and social media messaging included statements that WikiLeaks founder Julian Assange was preparing to release information detailing Macron’s corruption before exposing the stolen email data. In addition to the troll farms, Russia’s RT and Sputnik International news agencies fabricated a significant amount of misinformation content. Together, their orchestrated attack reached millions of people all over the world. Research by Oxford University conducted after the election found that 25 percent of French election-based social media posts had originated from misinformation content.27
The data theft took place using the spear-phishing campaign already discussed. According to a U.S. federal indictment, Russian conspirators sent fraudulent emails to more than 100 individuals from Macron’s campaign. The emails spoofed legitimate organizations and topics such as “terrorist attacks, email account lockouts, software updates for voting machines, journalist scoops on political scandals, En Marche! press relationships, and En Marche! internal cybersecurity recommendations.”28 (En Marche! is the political movement, or “democratic revolution,” led by Macron and his campaign.)29 When the victim clicked the obfuscated link in the mail body, they would be directed to a fraudulent domain. They would then see a password reset page designed to mimic the legitimate website spoofed in the email. Attackers commonly use this technique, known as credential harvesting, to trick individuals from a targeted organization into giving up their usernames and passwords, which are collected and then used to further the attack. When the user submits their password to the fraudulent web page, the attacker captures their credentials and can use them to access the legitimate Macron-affiliated accounts and data. With this access, the attacker remotely logged in and copied data from the email server to their command-and-control infrastructure to use as they pleased.
France uses a two-round voting process to elect certain public officials, such as the president. On May 5, 2017, two days before the second and final round, the attacker publicly posted confidential emails from Macron’s campaign. Additionally, social media propaganda campaigns made the stolen data known and readily accessible to the public. The orchestrator of the attacks appeared to have timed the release to impact Macron’s campaign, hoping he would not have time to defend himself prior to the vote. For context, France enforces a media ban preventing the publication of election or poll results several days before the voting process. This made it nearly impossible for Macron to address the situation confronting him.30 With only hours left before the ban, Macron released a statement denying the allegations; however, this was all he could do until the election was over. If the public had found the leaked data credible, it could have cost him the election, which was the attacker’s goal. And although France’s electoral college ordered both the media and Macron not to report or comment on the stolen emails or their content, this did not stop the rest of the world—such as Russian news, trolls, and even French citizens themselves—from posting to social media and writing about the stolen data.
Whoever stole the data altered it in a manner intended to make Macron appear corrupt. Some of the released data included images of two documents that purported to show Macron had secret bank accounts in the Cayman Islands and that he had previously purchased illegal drugs online.31 To make the leak seem legitimate, the attacker had mixed actual stolen data with data that the attacker themselves had created. The first clue that the data was fake came from the persona who publicly posted it. Macron’s documents first appeared on 4chan, an imageboard website, in a post from an unknown person using a Latvian IP address. Many internet viewers commented on the post and questioned the documents’ validity, citing evidence of potential Photoshopping.
More substantial evidence soon came to light. Metadata in the most incriminating documents showed that they had been edited by an author named “Рошка Георгий Петрович” (Roshka Georgy Petrovich) on March 27 over the course of four minutes. The computer that saved the documents used Cyrillic characters and identified the user as having a Russian name.32 However, this is such a careless mistake that it could be a red herring, intentionally placed there to misattribute the attack. After all, metadata gave away the Russian hackers behind Guccifer 2.0, so it is difficult to believe that it would happen twice.
Marine Le Pen—Macron’s opposition—may not have had anything to do with the Macron attacks, but she did still leverage the exposed data to her benefit. According to French media, Le Pen stated she admired Putin during a 2017 interview.33 Interestingly, Le Pen also visited Moscow and met with Putin in March 2017, prior to the election. During the meeting, Le Pen reiterated her support of lifting the European Union’s sanctions against Russia. Le Pen is the leader of France’s National Front, a far-right party that approved of Russia’s annexation of Crimea, which itself was the driving factor behind the European Union’s sanctions against Russia. Le Pen’s campaign also received $9 million in loans from a Russian bank after French banks denied her loans, citing she had an anti-Semitic past.34 Other media organizations such as the BBC claimed the loan was a favor in exchange for Le Pen’s support of Russia. However, Le Pen denies the allegations.
Of course, this relationship isn’t relevant to the election interference operations unless Russia is actually behind them. Prior to the release of this information, Macron publicly accused Russia of attempting to hack his staff and operations. The claim eventually received international support, when in October 2020 the U.S. Department of Justice released a detailed indictment documenting the GRU’s direct operation to disrupt the 2017 French elections. Yet compared to the other election interference attacks we’ve discussed thus far, the attacks against Macron had little effect on the election’s outcome or public opinion. This could be due to France’s rules banning discussions surrounding the vote or leaked documents. Macron also claimed to have fed the attackers false data—although attackers did still compromise his legitimate data, making it hard to call this a successful deterrent. Regardless of the reason, Macron won the election; since his victory, he has taken a hard stance against Putin’s administration.
Technology allows politicians to spread their campaign messages further and more quickly than ever before. Social media, campaign videos, podcasts, and even debates can reach voters in their homes, cars, and workplaces. Unfortunately, nation-state attackers themselves also leverage this technology, and the access it provides, to influence these same voters.
As private citizens, we often don’t know about the direct evidence used to attribute nation-state attacks. However, the U.S. indictments against Russian GRU officers accused of interfering in all of the attacks discussed thus far provide the public with details rarely observed. Each instance followed the same playbook. Starting with Ukraine, in 2014, we observed the attacker using fake personas to spread disinformation on social media. We saw attackers hack, steal, and manipulate data to suit their needs and then post it publicly to mislead voters.
In addition to the attacks detailed in this chapter, Russia allegedly conducted an election interference operation against German Chancellor Angela Merkel during the 2015 election. The attack followed the same election interference model discussed throughout this chapter, and like other nations, Germany issued arrest warrants against Russian GRU military intelligence officers. Due to these strong similarities, I did not include a comprehensive overview of the attacks against Germany. However, since 2014, I have seen the same tactics applied across many elections globally.
It is difficult to determine the level of success of the election meddling. However, it’s certainly fair to say that the interference, and in particular the leaks and the efforts to spread misinformation, influenced public opinion. Posting legitimate but altered data from candidates’ parties caused mass confusion. Citizens didn’t know what was real, what was fake, or even whom to believe. Opposing politicians used the information against their opponent regardless of its validity, and the media spread and discussed it openly. Incidentally, that same confusion is likely a vital objective of the attacking nation.
The 2017 French election suffered the least damage. It’s difficult to say whether this is due to how France handled the fallout by managing the spread of misinformation. Even if it were, the attacker successfully accomplished each phase of the attack, from hacking to posting the data, so we can’t really say France’s techniques have made this attack no longer viable. Furthermore, since the attacker has attempted this operation in every major election since 2014, this interference will likely continue.
This means that political parties need to take security more seriously to protect against nation-state attackers. For example, the campaigns discussed here lacked security measures commonly used today. Spear-phishing emails provided the initial compromise in all the breaches that led to the attacker’s access. Ironically, something as simple as two-factor authentication would have prevented the attacker from logging in to the victim’s account, even with stolen legitimate credentials. Unfortunately, none of the compromised political campaigns used two-factor authentication. Of course, this is just one example of a defense; regardless of the specific measures used, political parties must pursue preventative means, even if it makes day-to-day operations slightly more difficult.
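To make the point above concrete, here is an added example (not from the book) of a login check with a time-based one-time password as the second factor, implemented per RFC 6238 over HMAC-SHA1: a harvested password alone no longer authenticates, because the attacker never obtained the secret enrolled on the user's device. The password storage (PBKDF2), the account layout, and the demo secret and timestamp are constructed for the example.

```python
# Added example (not from the book): RFC 6238 TOTP as a second factor that a
# harvested password cannot satisfy on its own.
import hashlib, hmac, secrets, struct, time
from hashlib import pbkdf2_hmac

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second time step."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Account:
    """Stores a salted PBKDF2 password hash plus the device-enrolled TOTP secret."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret

    def check_password(self, password: str) -> bool:
        candidate = pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.pw_hash, candidate)

def login(account: Account, password: str, code, now=None, window: int = 1) -> bool:
    """Require both factors; tolerate `window` steps of clock skew either way."""
    if not account.check_password(password):
        return False
    if not isinstance(code, str):                # no second factor supplied
        return False
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(code, totp(account.totp_secret, now + i * 30))
               for i in range(-window, window + 1))

# Constructed demo: the attacker harvested the password, but not the device secret.
SECRET = b"constructed-demo-secret"
acct = Account("Spring2017!", SECRET)
T = 1494000000                                   # fixed time for reproducibility

if __name__ == "__main__":
    print("password only:", login(acct, "Spring2017!", None, now=T))
    print("password + code:", login(acct, "Spring2017!", totp(SECRET, T), now=T))
```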