Europe

Why Macron's Campaign Hasn't Been Hacked

Either he has nothing to hide or he's just better at keeping secrets away from prying eyes.

Nothing to hide.

Photographer: Christophe Morin/Bloomberg via Getty Images Restrictions

One of the allegedly Russian-linked groups that hacked the U.S. Democratic National Committee has also reportedly tried to hack the campaign of Emmanuel Macron, the front-runner in the French presidential election. Maybe the predicted hacker coup is coming, but I doubt it. The fact that nothing has come of these attempts is an important lesson for politicians, bureaucrats and anyone fearing "Russian hackers." 

That Russian intelligence would be interested in Macron is self-evident. He's an unknown quantity, a wild card, unlike most of his rivals in the election who were long known -- and mostly friendly -- to Russia. If indeed Russian intelligence services are behind a hacker collective known to the cybersecurity industry as Advanced Persistent Threat 28, also accused of hacking the DNC, it stands to reason that the group would try to get to Macron's confidential files. The campaign and cybersecurity experts say it's been trying hard to do that.

It's likely that anything deemed remotely scandalous or compromising would have been published: Macron is Russia's least preferred candidate. Yet nothing has surfaced. Mounir Mahjoubi, Macron's digital campaign chief, says the organization hasn't been hacked. I doubt, however, that he can say that with any certainty.

In a recent report, cybersecurity firm Trend Micro, which pins the attempted Macron campaign hacks on the group, provided a trove of information on how the group's social engineering works. Anyone interested in how he or she can be fooled into granting hackers access to corporate email should read it. It's not always as simple as clicking on a spurious link in an email. Some of the methods used are so devious that almost anyone, including a savvy tech entrepreneur such as Mahjoubi himself, could easily fall for them.

According to Trend Micro, APT28 (referred to as "Pawn Storm" in the report, but often called "Fancy Bear" in the U.S.) does send out the usual spear-phishing emails with fake links to news stories or infected attachments. But it also uses more insidious and less well-known methods, for example a variant of a technique known as "tabnabbing"-- using a script surreptitiously to change the web address on an open tab while the user of a web browser is viewing other tabs. When the user comes back to her corporate webmail tag, she finds her connection had "timed out" and reenters her username and password, betraying them to the hackers. Trend Micro wrote:

This attack scenario is very simple and doesn’t require any exploit. Its success depends on good preparation by the attacker, but even experienced security researchers could fall for this social engineering trick, in particular when they are on the road and not paying attention to details.

It also uses an application it named Google Defender, housed on a legitimate Google domain; Gmail users are asked to install it to secure their accounts, and there are no signs -- such as spelling errors or unusual domain names -- of anything fishy going on. That wouldn't fool a techie -- they know that Google doesn't have such an app and that phishers are just trying to exploit a flaw of open authentication, the feature that lets users log onto various services using, for example, Facebook, Twitter or the Google ID. But users without much interest in Google's security practices could easily be fooled. 

Mahjoubi says he's ahead of the game: The campaign knows all about the fake domains, such as onedrive-en-marche.fr, set up by APT 28 to harvest credentials, and the team has been told to report all erroneous or questionable clicks on an attachment or a link, so all passwords can be reset immediately at the slightest sign of trouble. Being prepared and constant vigilance are useful. Trend Micro suggests a list of sensible precautions, such as using virtual private networks with physical keys, setting up two-factor authentication on corporate webmail and giving employees clean loaner computers to use at conferences and in other locations with open Wi-Fi networks.

But there's one life hack Mahjoubi knows about that trumps most other advice: "No ultra-confidential material is sent via email."

It's not quite as simple as that. APT28's social engineering methods allow hackers to get access to more than just the email accounts: They can steal information from anywhere on victims' computers. Ideally, no confidential information should be created or stored on internet-connected systems. It means setting up anachronistic paper-based processes that look ridiculous in 2017, especially for a young, progressive candidate such as Macron; but spies can only get into such systems using traditional methods, too, which puts them at a disadvantage.

Macron probably hasn't gone as far as to keep all sensitive documents off internet-exposed machines, but it appears that between the tech-related precautions and rules against sending around confidential files, his team has done enough to prevent damage. Even if the campaign has been penetrated, the intruders have found nothing of value -- otherwise they would have used the material against Macron before the election's first round, when the probability that he'd be knocked out was reasonably high.

The failure of the DNC to be equally vigilant last year has at least kept Europeans on their toes. No damaging leaks have affected the Dutch election campaign that ended in March or, so far, the German campaign that ends in September.

The ultimate defense, however, is to have nothing to hide. It's possible that that's the advantage Macron the novice has over more experienced rivals.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

    To contact the author of this story:
    Leonid Bershidsky at lbershidsky@bloomberg.net

    To contact the editor responsible for this story:
    Therese Raphael at traphael4@bloomberg.net

    Before it's here, it's on the Bloomberg Terminal.
    LEARN MORE
    Comments