It used to be that I could only look up to Russia (whether I agree with them or not) for conducting advanced information operations in the cyber world. Now, I can look up to Emmanuel Macron and the anonymous security professionals behind him. Finally, someone uses cyber deception to beat attackers at their own game. I am not alone, and Cymmetria’s ideas have been vindicated yet again.

Let’s quickly go over what happened, and then analyze the operation and why it is so…well, cool. Regardless of what actually happened, one of the major lessons of cyber security, as learned in Estonia a decade ago and endless times since, is that what people perceive matters as much if not more so than what the technical details of any attack may have actually been. The motivation for the attack can be political or otherwise, but it must be analyzed in context.

What supposedly happened

Just before the French elections, the long anticipated news hit. Emmanuel Macron, candidate for president of France, suffered a data breach and the data was dumped for the public to download. According to The Daily Beast: “In the last hours before midnight on Friday, just before a campaigning blackout imposed by French electoral law in anticipation of the crucial vote on Sunday, somebody dumped nine gigabytes of emails and documents supposedly purloined from the campaign of leading presidential candidate Emmanuel Macron.”

Macron learned the lessons of the Hillary Clinton campaign leaks, and immediately took control of the messaging and PR. Literally at the 11th hour, before the electoral press blackout could silence it, the Macron campaign issued a statement saying it had been hacked and many of the documents that were dumped on the American 4Chan site and re-posted by WikiLeaks were fakes.

Calling the documents into question

WikiLeaks in their own statement doubted Macron’s ability to pore over the documents so fast, but it didn’t matter. Macron’s counter-narrative controlled the short news cycle. Macron cast doubt on the reports and showed leadership, actually providing reporters data which they could use to write their stories. That by itself is a lesson for the future.

If all Macron did was throw doubt on the validity of the leaks, that’s already a powerful win. WikiLeaks themselves cast a doubt on the source: “#MacronLeaks assessment update: several Office files have Cyrillic metadata. Unclear if by design, incompetence, or Slavic employee.”

There were few such marked documents, and all were from a limited time period. Regardless,  they served to assist Macron in his PR crisis response.

The effectiveness of a few lonely fake documents

Marine Le Pen’s supporters started to make PR use of “all these damning emails,” although many of them looked like bots using Google-translated messages. Some of the documents in the data dump were obvious fakes, and started popping up over French social media.

Creating fake documents that look real is hard. This case shows us we don’t necessarily need to. Effectively, the next time a threat actor attempts this, they may have to sift through all the data first. Cyber deception increases the cost of the attacker, shifting the economics of cyber security and thus changing the asymmetry between attacker and defender.

Taking active measures

This analysis however misses a critical aspect of what might have happened: a false flag operation by Macron or one of his sympathizers. This is where it gets really interesting.

Ah, but there’s the rub. As reported by The Daily Beast, part of the Macron campaign strategy against Fancy Bear (also known as Pawn Storm and Apt28) was to sign on to the phishing pages and plant bogus information. Mounir Mahjoubi, the head of Macron’s digital team, told The Daily Beast: “You can flood these [phishing] addresses with multiple passwords & log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.”

So Macron’s people, and specifically Mounir Mahjoubi, who I want to make sure I meet one day, claim to have fed APT28 false data in a “counteroffensive.” Maybe they have’ maybe they haven’t. Regardless, their PR win as shown above — planned or not — with or without cyber, was in the bag.

Assuming that there was an attack, and that this was actually APT28, and then that this comment by Mr. Mahjoubi (or who knows who) didn’t plant a false flag by himself to make Macron’s PR look more authentic by blaming the now infamous Fancy Bear, then we can see that Macron prepared for this in advance, studied the adversary attacking his systems, and proceeded to feed it the fake documents. The comment about phishing is a bit odd, technically. I’d have expected them to feed the exfiltration itself, or run the phishing emails on computers they prepared. But hey, it’s a mainstream news article so let’s give them the benefit of the doubt — for now. We can’t expect technical accuracy.

Some further technical information can be found in the article quoted below, which sheds more light on what was done. The techniques outlined are similar to what some banks use to counter regular phishing attacks (as opposed to spearphishing), seeding the phishing sites with fake credentials that they could monitor for access.

The Macron campaign, like Clinton’s, was frequently targeted by phishing attacks that would send emails with links to copies of credible-looking log-in screens with subtle differences in the web addresses like using dots rather than hyphens, etc. “If you speed read the URL, you can’t make the distinction,” said Mahjoubi. Mahjoubi described the fake sign-in page as “pixel perfect,” and how once a user signed in, the hackers would then have access to all of the user’s emails. “Every week we send to the team screen-captures of all the phishing addresses we have found during the week.”

But the real genius was in how Mahjoubi’s team used the hacker’s techniques against them. “You can flood these addresses with multiple passwords and log-ins, true ones [and] false ones, so the people behind them use up a lot of time trying to figure them out.”

This tells us one thing clearly, even though we do not fully understand what the team has done to feed APT28 & Fancy Bear disinformation: Macron’s team attempted to slow them down by feeding them fake credentials. This could potentially also tip the defenders’ hand, depending on their strategic goal. Do you deny the attacker’s data? Do you disrupt their ability to conduct operations? Do you degrade the data’s trustworthiness?

Taking the disinformation activity into account, one thing WikiLeaks misses is that if Macron’s people seeded APT28’s exfiltration with their own documents, that could mean they also planted false flags with Cyrillic, and that this wasn’t just an OPSEC failure on the supposed Russian threat actor’s part. Regardless, the obvious fakes in the data dump were enough to achieve the strategic goal of reducing the data dump’s success.