On 9 May 2017, Admiral Michael Rogers, U.S. Cyber Command commander and director of the National Security Agency, testified before the Senate Armed Services Committee that U.S. intelligence watched Russian hackers attack French computer systems as the French presidential election approached.
Rogers said that the NSA warned their peers in France before the stolen information became public:
We had become aware of Russian activity, we had talked to our French counterparts prior to the public announcements of the events that were publicly attributed this past weekend and gave them a heads up, ‘Look we’re watching the Russians, we’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen, what can we do to try to assist?’ We’re doing similar things with our German counterparts, with our British counterparts, they have an upcoming election sequence.
The hack saw troves of information leaked online just 36 hours before French voters went to the polls in a 7 May 2017 runoff between Emmanuel Macron and his far-right, Kremlin-backed opponent Marine Le Pen. Cyber security firm Trend Micro (which researches the cyber espionage group called Pawn Storm, also known as Fancy Bear, thought by some to be affiliated with Russian military intelligence) said the Macron hack bears similarities to previous operations by the group. Pawn Storm was allegedly responsible for hacking the Democratic National Committee and the e-mails of Hillary Clinton’s campaign manager, John Podesta.
Although Trend Micro is still investigating whether Pawn Storm was behind the attack on Macron’s campaign, we asked the National Security Agency whether the intelligence community has confirmed it was a Russian cyber attack. A spokesman for the agency responded, “We will let the Director’s comments before the committee stand on their own.”
When asked for comment on the hack on 10 May 2017, Trend Micro sent us an e-mailed statement:
Trend Micro does not have evidence that this is associated with the group known as Pawn Storm (also APT28 and other names). The techniques used in this case seem to be similar to previous attacks. However, without further evidence, it is extremely difficult to attribute this hack to any particular person or group.
Trend Micro pointed us to a 25 April 2017 report in which they identified Macron’s political party as a target of a Pawn Storm phishing campaign the month before. Although Trend Micro cannot confirm that the group is state-sponsored, they told us that the motivation behind the group’s actions “generally align with Russian ideals.”
Andrew Weisburd, senior fellow at the Center for Cyber and Homeland Security at George Washington University, told us it’s no surprise the Kremlin would target the French election, because Russian President Vladimir Putin’s goal is to destabilize his Western adversaries with the hopes of breaking up transnational trade agreements and military alliances like the European Union and the North Atlantic Treaty Organization, or NATO:
Germany is [the next target], but the Kremlin is pushing its advantage anywhere/everywhere it can. The Balkans are a major concern of mine.
One key strategy in destabilizing formerly strong states is weakening societies from the inside with coordinated disinformation, reportedly disseminated and amplified by Kremlin-funded news agencies like RT (formerly Russia Today) and Sputnik International. Intelligence experts have said that aside from attempting to manipulate elections, the Kremlin simply wants to sow distrust in democratic elections and create general social chaos.
Weisburd told us:
The Russians don’t create divisions and mistrust, they exploit those things. We can blame them, but we also need to hold ourselves to account.
According to Reuters, the leaks initially appeared on an internet message board, then were posted to Twitter:
The leaks emerged on 4chan, a discussion forum popular with far right activists in the United States. An anonymous poster provided links to the documents on Pastebin, saying, “This was passed on to me today so now I am giving it to you, the people.”
The hashtag #MacronLeaks was then spread by Jack Posobiec, a pro-Trump activist whose Twitter profile identifies him as Washington D.C. bureau chief of the far-right activist site Rebel TV, according to [Ben] Nimmo and other analysts tracking the election. Contacted by Reuters, Posobiec said he had simply reposted what he saw on 4chan.
Many took note of the timing of the leak, which seemed aimed at exploiting a mandated 44-hour news media blackout on any reporting relating to the campaigns that could swing the election. With the major media outlets silent, the hashtag #MacronLeaks spread across social media, boosted by both WikiLeaks and Le Pen’s campaign.
Massive doc dump at /pol/
— Jack Posobiec (@JackPosobiec) May 5, 2017
Alleged multi-GB team Macron email archives. Could be a 4chan practical joke. We are examining https://t.co/wLemQiYHT2
— WikiLeaks (@wikileaks) May 5, 2017
.@EmmanuelMacron @4chan @JackPosobiec @TheRebelTV @benimmo @wikileaks @Twitter @discordapp 22:40 BST: @FN_officiel’s vice president: “Will #MacronLeaks teach us something that investigative journalism has deliberately killed?” pic.twitter.com/30dCzgBiHM
— BBC Trending (@BBCtrending) May 9, 2017
Ben Nimmo, senior fellow at the Atlantic Council — an international affairs think tank — told us in an e-mail that Posobiec was the first to tweet the hashtag in connection with the 5 May 2017 hack. Posobiec confirmed as much to us, also via e-mail:
A simple Twitter search shows I was not the first to tweet the #MacronLeaks hashtag, but first to tweet it in connection to the archive of confirmed emails /pol/ released.
Nimmo said that as in the U.S. election hack, automated Twitter profiles called “bots” appeared to have amplified the message:
Some of the accounts which amplified Posobiec have a very high activity rate and/or proportion of retweets to authored tweets (95% or more), which suggests that they’re designed (and probably automated) to amplify specific alt-right / far-right messages. Others have typical human behaviour patterns. It looks like the amplification effort combined human users with bot/cyborg accounts to boost the initial signal. It would be wrong to characterize it as a purely bot operation – remember that Posobiec has over 100,000 followers anyway.
In this instance, however, the hacking scheme didn’t work; Macron won the election in a landslide, largely because the message failed to generate an anti-Macron narrative that dominated coverage. Nimmo told us:
What we saw on Saturday [6 May 2017] was that the hashtag #MacronLeaks did trend, but that an increasing proportion of the traffic, and the most popular tweets, either mocked the leaks or criticized the alt-right for trying to spread them. By Saturday afternoon, there were strong narratives on Twitter that the US alt-right was trying to interfere in the election, and that Russian hackers had been implicated.
The hashtag campaign did spread the hashtag successfully, but it failed to establish a dominant anti-Macron narrative outside the alt-right / far-right echo chamber. Instead, it saw an increasing pushback and led to significant mainstream coverage of alt-right attempts to interfere in the election, and to further questions about Russian hacking.
When we asked Posobiec if he was concerned he may have unwittingly acted on behalf of a Russian attempt to swing the election in France, he responded that several U.S. officials — including retired Director of National Intelligence James Clapper — had testified there was no evidence Russia hacked the 2016 U.S. election.