
Hands typing on a computer keyboard. (photo: hamburg_berlin/Shutterstock)


DNC Hackers Targeted French Presidential Candidate Macron: Researchers

By Joe Uchill, The Hill

25 April 17

 

The hackers behind the Democratic National Committee (DNC) email breach appear to have made similar attacks against Emmanuel Macron, a French candidate for president, as well as groups associated with German political parties, according to a new report.

The security firm Trend Micro reports that the hacking group known as Fancy Bear, APT 28 and Pawn Storm attacked the French and German targets using similar phishing schemes to the one that caught the DNC. U.S. intelligence, as well as the bulk of experts, believe Fancy Bear is a Russian espionage operation.

“Pawn Storm has been making these types of attacks for a long time – we wrote our first report about them in 2014,” said Ed Cabrera, chief cybersecurity officer at Trend Micro.

Trend Micro believes the attackers contacted the Macron campaign using the domain “onedrive-en-marche.fr”. En Marche!, or “Forward!”, is a nickname of Macron’s political party, Association pour le renouvellement de la vie politique. The domain would therefore appear to be the En Marche! account for Microsoft’s file-hosting service, OneDrive.

In the DNC case, the hackers used the domain “actblues.com,” which was meant to be confused with the Democratic fundraising site ActBlue.

Macron, a centrist, is facing right-wing nationalist Marine Le Pen in a contentious French presidential race already compared to the U.S. race of 2016. Le Pen, a pro-Donald Trump, anti-NATO candidate who has backed Russia’s annexation of the Crimea, met with Russian President Vladimir Putin last month during a trip to Moscow.

The Macron attack is one of three new attacks outlined in the report, released early Tuesday. Fancy Bear, reports Trend Micro, also attacked the German political group Konrad Adenauer Stiftung, associated with Angela Merkel’s political party the Christian Democratic Union, and Friedrich Ebert Stiftung, associated with the Social Democratic Party. Like France, Germany has federal elections in 2017.

Fancy Bear is known to use phishing attacks as an entry point for sophisticated malware exclusive to the group, known as X-Agent. It is one of a few ways the group can be tracked -- Fancy Bear routes attacks through servers around the world that the organization reuses.

According to the Trend Micro report, those servers have stayed active over the past three years for an average of six months apiece, with ten lasting for more than a year. That is a long lifespan for these types of servers, which Trend Micro believes is emblematic of a unique characteristic of Fancy Bear: It does not mind being caught.

“Most espionage groups have tradecraft to stay low and slow, and remain in a system as long as possible. This group is loud and fast,” Cabrera said.

Trend Micro has tracked an increase in the number of command and control servers being used by Fancy Bear. In late 2013, there were only five second-stage servers, which typically connect to the victim’s computer. That number exploded in early 2016, when it first crossed 15. In October, there were 26. Trend Micro believes this means the group has ramped up operations.

“Normal cybercriminals often don’t like media attention and even suspend their activities temporarily when their actions are discovered and written about,” concludes the report. “Pawn Storm doesn’t slow down at all. On the contrary: a lot has been written about Pawn Storm since fall of 2014, and their activities have only grown, both in aggressiveness and number.”

