The Macron leak that wasn’t

So stark is the absence of interesting information that one could conclude that the Macronleak was a false flag operation designed to point the finger at Russia.

Now that the French presidential election is over, it is time to reflect on the strange cyber incident that roiled the campaign’s final weekend. 

The so-called “Macronleak” began on May 5 when a large amount of stolen data from the Macron campaign was posted on-line. The stolen data dropped just hours before a blackout deadline that prohibits campaigning and prevents French media from covering the election.  The bizarre result was to leave these rather large blocks of data hanging out in cyberspace, adding much tension if little clarity to Election Day.

So what precisely happened?  Was this the widely anticipated Russian effort to influence the French election?  Or was it something more mundane? 

We may never know. But if it was a Russian operation, it was arguably the most amateurish and poorly executed active measure the Russians have ever conducted.  It is more likely that some other actor tried to meddle in the French elections for some unknown purpose, perhaps even to implicate the Russians. Either way, French authorities will find it extremely difficult to trace the source and President Hollande will find it hard to make good on his promise that “nothing will go without a response.”   

Chronicle of a Hack Foretold

For several months, security researchers have been warning that cyber incidents mirroring the DNC hack could wreak havoc in any of the numerous European elections this year. But the Dutch elections went smoothly in March and the French Presidential elections had not seen any serious disturbances until May 5. Trend Micro, a computer security company, did issue a report in late April that showed that “Pawn Storm” (a hacker group also called APT28 and believed to be linked to Russian military intelligence) was targeting Macron’s En Marche movement. But beyond that, very little malicious activity was seen on the web in the context of the French elections.

When the Macronleak hit the internet, France’s presidential electoral authority (CNCCEP) swiftly reminded national media outlets not to report on the leaked documents, and warned French internet users that publishing any of the hacked documents could result in criminal prosecution. While Le Pen aides saw this as an effort to suppress potential scandals, others saw an important method of defense. Susan Hennessey of Brookings, a former attorney in the NSA’s Office of General Counsel, powerfully argued that “asking journalists not to participate in an assault on their democracy isn't equivalent to saying they should never report on hacked emails.”

But beyond the important issue of how to protect democracy, the contents of the leak were not particularly explosive. The “Macronleak” consisted of (a) four email archives, (b) one Google Drive or Dropbox archive, (c) one archive solely made up of campaign related excel spreadsheet files, as well as (d) internal documents on Gemplus, and (e) three files related to a bank transfer and an insurance policy Macron took out in his role as head of En Marche.

File archives

Compressed Size

Content

Alaintourretgmail.com_archive

776 MB

Gmail email archive

langannerch_archive

2.38 GB

Gmail email archive

quentin.lafay_archive

740 MB

Gmail email archive

Cedric.oen-marche.fr_archive

1001 MB

@en-marche.fr email archive

Box_pierrpersongmail.com_archive

1.95 GB

Google Drive or Dropbox archive

xls_cedric_archive

682 kB

22 Excel spreasheets

Macron_201705_archive

43.9 MB

Gemplus docs, Alliance contract

Pierrpersongmail.com.7z_archive

3.62 kB

Metadata

The email archives originated from the accounts of just 4 people, who are either part of the campaign or are Macron supporters:

Anne-Christine Lang

Gmail account

Member of Parliament, SRC – Paris

Alain Tourret

Gmail account

Member of Parliament, PRG – Calvados

Quentin Lafay

Gmail account

Macron's speech writer and advisor

Cedric O

En-marche.fr email account

Campaign Treasurer and advisor

The latest emails in the data are dated mid-April 2017, and they stretch back as far as the beginning of 2016. At first glance the email archives look real and untampered. All sorts of people have scoured the data for a bombshell story since it appeared, but the content seems to be so boring and unsubstantial that the majority called it quits after a couple of days.

The Google Drive or Dropbox folder was lifted from the account of Pierre Person, Co-Founder with Macron of Pr Jeunes, a youth group that supports Macron’s candidacy. It seems that Pierre’s personal data was included in the dump for the sole purpose of making the hack appear larger. The folder does not contain much information on the campaign nor does it reveal anything remotely damning of Macron.

On May 5, someone posted two documents that supposedly offered proof that Macron had offshore banking accounts. But researchers have since debunked the documents as bad Photoshop forgeries and even released a video showing how the document was made.

Other parts of the data are even weirder. The archive called ‘Macron_201705_archive’ contains documents from 2002 when Macron was a 25-year old student.  The data in those documents has nothing to do with the presidential campaign.  That archive also includes three files related to a bank transfer and a policy Macron took out with the insurance company Allianz as head of En Marche. Those three files are the only documents in the entire leak that directly relate to Macron, but they also indicate no wrongdoing by the candidate whatsoever.

Indeed, what is interesting is not so much the data itself, but the metadata, that is the information about the files the data is in.  The metadata includes Cyrillic words such as “Автор” (author) and “Область_печати” (printable area), suggesting that the files were either accessed by Russian speakers, or manipulated to give that impression. According to Matt Suiche, founder of Comae Technologies, it also shows that the files were modified by someone named “Рошка Георгий Петрович” (Roshka Georgiy Petrovich). However, as Suiche explains, it is “impossible to say if [this] is due to an operational mistake or if it was done intentionally.” The fact however remains that “some documents have been altered”.  Wikileaks agreed with this assessment

Numerous analysts, aware that the data had been tampered with, warned the press that they should be wary of forged documents within the data.  The same sentiment was echoed in En Marche’s official statement, which asserted that the leak includednumerous false documents intended to sow doubt and disinformation.”

The way the leak was spread is also strange. The Atlantic Council’s Digital Forensic Research Lab tracked the source of #MacronLeaks campaign to the Twitter account of Jack Posobiec, the Washington DC Bureau Chief of an obscure, alt-right website, theRebelMedia. Furthermore, the dump was published on 4Chan, an anonymous internet bulletin board, which is often a source of false information. Wikileaks, an outlet often associated with Russian hacks, acted very cautiously and tweeted that it “could be a 4chan practical joke.”

Gigabytes of Nothingness

The only thing the Macronleak seemed to reveal is what a clean operation the Macron campaign was.  So stark is the absence of interesting information that one could conclude that the Macronleak was a false flag operation designed to point the finger at the Kremlin and, by implication, Marine Le Pen. Trend Micro noted that, despite certain similarities with previous attacks, they could not attribute this attack to APT 28 or any other group. 

The false flag theory is just that – a theory. What is clear is that the Macronleak is not the “massive and coordinated” hacking operation that En Marche portrays. Overall, it is amateurish, chaotic, disorganized, and has little substance to it. If it was the Russians, their tradecraft has suffered considerably of late. If it was some other, non-state actor, the purpose remains unclear.  Overall, it seems to have had little effect on the French election, but it will contribute to the overall view that hacking and leaks are a clear and present threat to all democracies.

The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of their individual authors.

Author

ECFR Alumni · Former Cybersecurity & Defence Fellow

Subscribe to our weekly newsletter

We will store your email address and gather analytics on how you interact with our mailings. You can unsubscribe or opt-out at any time. Find out more in our privacy notice.