Macron Hack Attack, Clumsy and Ignored, Is Met With Gallic Shrug

  • Same invaders hit Merkel’s CDU and a foundation, group says
  • Hate tweets in English fail to impress French voters


Emmanuel Macron seemed like the latest high-profile victim of political cyber warfare Friday when a vast trove of documents from his presidential campaign was dumped online less than 48 hours before polls opened. It spread rapidly on social media.

In fact, France’s president-elect got off easy.


The attack was clumsy, mixing obviously faked documents with seemingly innocuous genuine material, such as supplier invoices and staff members’ chats about dinner plans. What’s more, reports of the hack were largely invisible to French voters, as mainstream news media enforced a government ban on campaign coverage from midnight Friday until polls closed Sunday night. Most of the early social-media activity emanated from English-speaking users.

“This is the boldest attack we’ve seen, but the job was pretty rushed,” said Vitali Kremez, research director at New York City cyber security firm Flashpoint. The Macron hackers employed the same techniques used last year against Democratic Party organizations in the U.S. -- suggesting, Kremez said, that Russian intelligence services linked to the U.S. intrusions had orchestrated the Macron hit as well. 

The leaks may also foreshadow similar trouble for German Chancellor Angela Merkel’s re-election bid in September, which German intelligence officials are already concerned about. The same cyber warriors who struck Macron carried out a similar hit on Merkel’s CDU party last year, according to cyber security consultant Trend Micro, which said they also hit the CDU’s Konrad Adenauer Stiftung research institute in early April. 

No data from either of those attacks has been released, said Loic Guezo, a Paris-based strategist for Trend Micro. But once hackers have gotten inside, he said, “The wolf is in the sheep’s pen.”

Criminal Inquiry

France’s cyber security watchdog said it was investigating the Macron hack, and Agence France-Presse reported Sunday that prosecutors had launched a criminal inquiry.

While attackers took months to gather and release hacked material from U.S. Democratic Party targets, they “had to scramble” in the case of Macron, Kremez said. A political novice, Macron unexpectedly became the front-runner after center-right Republican Francois Fillon was engulfed in February by an ethics scandal.

Kremez said he found “lots of weird anomalies” in the dumped Macron files. Forensic analysis of some documents showed they had been created as long ago as 2012 -- four years before Macron announced his presidential bid -- and then modified in recent weeks. In several cases, documents appeared to have been modified by a Russian person whose name was written in Cyrillic, although Kremez said that could have been planted as a “false flag” to pin blame on Russia. Reports of Russian involvement are “slander,” said Kremlin spokesman Dmitry Peskov.

Trend Micro reported in late April that the Macron campaign had been hit by repeated cyber attacks over the preceding weeks. Campaign officials said at the time that they believed they had successfully blocked the attempted intrusions, which involved “phishing” emails intended to trick users into divulging their usernames and passwords.

Macron aides said in April that after learning of the attacks, they took counter-measures such as replying to phishing emails with a barrage of fake logins and passwords. That may have further complicated the hackers’ efforts, said Antonio Barroso, deputy research director at Teneo Intelligence in London. Even if potentially damaging documents turn up later, the fallout for Macron could be limited, Barroso said, “because the focus now is on where the leaks are coming from, and who is making this attempt to destabilize the country.”

The Macron dump became public on Friday, just four hours before the French news blackout was to begin at midnight, as WikiLeaks announced it had received a “significant leak” of information. “It is not economically feasible to fabricate the whole,” WikiLeaks said on its Twitter feed. “We are now checking parts.”


Nicolas Vanderbiest, a Belgian researcher who studies social media, said the first report on Twitter came from William Craddick of Disobedient Media, a U.S.-based right-wing news site. That was followed quickly by a tweet from Jack Posobiec, Washington correspondent for, a Canadian right-wing media group.

In France, Florian Philippot, a top adviser to rival candidate Marine Le Pen of the National Front, tweeted the news at 11:40 p.m. Paris time, Vanderbiest said in an interview Sunday on Belgian radio. One reason the hackers might have waited to release the information until shortly before the French news blackout was that “it creates confusion and uncertainty,” and could leave the impression that the information was being covered up, he said.

Data for Democracy, a non-profit U.S. group that studies the spread of disinformation online, said its analysis showed that most early Twitter activity on the data dump came from a handful of prolific users. “Five percent of users accounted for a full 40 percent of the tweets,” with one account tweeting 1,668 times in 24 hours, the group said in a report on Saturday. Such accounts appear to be operated by “automation rather than a highly active human,” the report said.

Reporting Banned

Mainstream French news media didn’t publish details of the WikiLeaks trove during the weekend news blackout. But the French website of Sputnik News, a Russian state-controlled news agency, published screenshots of several leaked items under the headline, “The mysterious #MacronLeaks that is shaking up Internet users,” as well as comments from Twitter users accusing the government of a coverup.

The leaked material includes emails lifted from a member of parliament allied with Macron’s camp that ranged from the sensitive to the mundane. Items included an exchange about handing over documents after falling out with a colleague, a list with chicken and fish filet prices and the phone numbers and emails of the parliamentarian’s many contacts. It wasn’t possible to confirm their veracity.

Some French Twitter users mocked English posters who shared French-language documents that they clearly didn’t understand. Posobiec, for example, posted a screenshot entitled “Possible evidence of Macron international money transfer” that actually was a record of campaign payroll expenditures for En Marche!, Macron’s party. “#MacronLeaks is teaching us that En Marche! sends emails to people, pays its staff, and sends money to suppliers. Crazy,” one amused French user tweeted.

— With assistance by Robert Williams
