Hackers breached the En Marche! campaign and published documents both fake and legitimate online before the French election.

Efforts to disrupt the French presidential election by releasing documents from Emmanuel Macron's En Marche! campaign Friday, shortly before a mandatory media blackout, were rebuffed in part by “cyber deception,” but while Macron persevered, handily winning Sunday's election, the hack raises concerns over the security and integrity of elections around the world going forward.

The cyberattack used to steal the documents likely “was a spearphishing attack, where it probably had an attachment with malware not detected by any of the APT systems - that was used to take control over the campaign employee's computer,” Aleksandr Yampolskiy, Co-founder and CEO of SecurityScorecard, told SC Media. “We've seen indications of this - since hackers registered "typosquats" (similar sounding domains) to the campaign: like onedrive-en-marche.fr, mail-en-marche.fr.”

But those efforts didn't have the same yield as Russian attacks on the Democratic National Committee (DNC) and other Democrat-affiliated persons and organizations – and subsequent publication of emails damaging to former Secretary of State Hillary Clinton during her presidential run.

“The timing helped, but also there were clear indications the Macron campaign was proactive vs. reactive. We need to shift the cost from a defender to an attacker: the defender needs to protect 100 doors, while the attacker needs only 1 door to be unlocked,” said Yampolskiy. “The Macron campaign was clever around what they did. The head of Macron's digital team, Mounir Mahjoubi, went on record to describe that they used a 'deception technology' technique - which creates decoy fake documents, websites etc. - so that it's hard for an attacker to determine which one is real - that's very clever.”

Gadi Evron, founder of Cymmetria, in a Monday blog post praised the campaign's response and its own use of deception and disinformation. 

“On the one hand, it seems Macron learned from Hillary Clinton's experience and took charge of the press immediately,” he wrote. “On the other hand, and much more interestingly, the Macron team reportedly seeded the attackers' attempts with fake data. Apparently, this not only slowed down the attackers, but also may have created a situation in which readers doubted the authenticity of every published piece of data.”

Evron noted that deception and disinformation are tried and true tools that can make security more proactive. “Their use enables organizations to control the opponent, be dynamic (rather than just construct static defenses for them to bypass), and specifically to assure that they can detect attackers and data breaches much faster,” he said. “Deception stops lateral movement by increasing the attackers' costs exponentially, regardless of zero-day vulnerabilities, and allows you to investigate events and alerts in real time – knowing which alert is real and which is a false positive.”

Yampolskiy said that while En Marche! and the DNC had different outcomes, they “have similar security profiles - no glaring vulnerabilities but indications that they have good vs. great security: a) misconfigurations in SSL certificates used to protect them - e.g. expired certificates, or weak signatures; b) misconfigured DNS settings - like SPF to prevent phishing; c) existence of typosquats in both cases - where similar sounding domains were registered to infringe.”
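The typosquats mentioned above and in the earlier spearphishing quote are the kind of thing a campaign can watch for itself. The following is an added example, not code from the article or from SecurityScorecard: a small check that flags newly seen domains resembling the campaign's own. It assumes en-marche.fr as the brand domain and uses a constructed candidate list that includes the two domains the article names.

```python
# Added example (not from the article): flag registered domains that resemble
# a campaign's domain, e.g. onedrive-en-marche.fr or mail-en-marche.fr.
# The brand domain (en-marche.fr) and candidate list are assumptions for the
# example; in practice the candidates would come from certificate-transparency
# logs or passive DNS feeds.
import re

SEPARATORS = re.compile(r"[-_.]")


def registrable_label(domain: str) -> str:
    """Label left of the public suffix: 'onedrive-en-marche' for
    'onedrive-en-marche.fr'. Assumes a single-label suffix such as .fr."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; labels are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(brand: str, candidate: str, max_edits: int = 1):
    """Return why `candidate` resembles `brand`, or None if it does not."""
    brand_label = registrable_label(brand)
    cand_label = registrable_label(candidate)
    if cand_label == brand_label:
        return None  # the real domain or one of its own subdomains
    squashed = SEPARATORS.sub("", cand_label)
    brand_squashed = brand_label.replace("-", "")
    # Case 1: brand name embedded with an extra word (mail-en-marche.fr)
    if brand_label in cand_label or brand_squashed in squashed:
        return f"embeds '{brand_label}' in '{cand_label}'"
    # Case 2: close typo of the brand name (en-narche.fr)
    d = edit_distance(brand_squashed, squashed)
    if d <= max_edits:
        return f"within {d} edit(s) of '{brand_label}'"
    return None


def flag_lookalikes(brand: str, candidates):
    """Map each suspicious candidate domain to the reason it was flagged."""
    hits = {}
    for c in candidates:
        reason = lookalike_reason(brand, c)
        if reason:
            hits[c] = reason
    return hits
```

Domains this flags are candidates for blocking at the mail gateway and for user awareness, not proof of an attack on their own.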

And though En Marche! mitigated damage from the hack by getting out in front of it, the security implications for elections shouldn't be ignored. “I am not sure yet of the long-term implications - but I think these attacks on elections raise the importance of cybersecurity to everybody in the world - and will lead to ‘better security and awareness of the risks,'” said Yampolskiy.

In the future, “campaigns will need to implement stronger defenses, and less use of mail,” said Dimitri Sirota, CEO and co-founder of BigID, who noted that early assumptions seem to implicate Russian operatives in the Macron hack.

“Election campaigns will have to be more proactive by: a) training its employees on security; b) making sure any sensitive encryption documents are encrypted in rest; c) proactive exercises + playbooks ahead of time to imitate attacks,” added Yampolskiy. “But I think that hacks on elections are here to stay.”

The CEO is not sure that Russia is behind the hack. “I am yet to see verifiable objective evidence that's provided to the public for examination,” he said. “Attribution is very hard - it's very easy to spoof an attack (aka if you found a broken door to your house and a business card of Alex Yampolskiy lying on the floor, it doesn't mean it was me. It just means somebody broke in and left my business card that they may have gotten at a conference).”

But in late April Trend Micro researchers said Fancy Bear, also known as Pawn Storm, targeted Macron's presidential campaign in France. And Macron himself had blamed Russia for hacking his campaign in an attempt to swing the French election by spreading misleading information about him via Kremlin-backed news media reports.