How the Macron campaign slowed cyberattackers

Did the French president-elect's security team use cyberdeception techniques to fight off phishing attacks? Submitting fake credentials definitely qualifies

How the Macron campaign slowed cyber attackers

In the wake of French president-elect Emmanuel Macron's victory over Marine Le Pen, IT armchair quarterbacks should look at the Macron campaign's security playbook for ideas on how to fight off targeted phishing and other attacks.

When 9GB of files belonging to the Macron campaign was dumped on file-sharing website Pastebin less than two days before the French election, it looked too much like what had happened during the U.S. presidential election last fall.

There isn't enough evidence to conclusively link the Russians to the Macron leak, and security experts believe some of the supposed clues are sloppy attempts at misdirection. The difference this time around seems to be the fact that Macron's team was prepared for the attacks and engaged in a disinformation campaign of its own, according to The Daily Beast.

"You can flood these [phishing] addresses with multiple passwords and log-ins, true ones false ones, so the people behind them use up a lot of time trying to figure them out," the head of Macron campaign's security team, Mounir Mahjoubi, told The Beast.

The Macron campaign was targeted by phishing emails with links to URLs that looked similar to official sites, such as, which could trick users into misreading the "nn" as a "m." Some recipients likely fell for the phish and logged in with legitimate credentials, giving attackers access to all their emails. "If you speed read the URL, you can't make the distinction," Mahjoubi said, noting the fake sign-in pages were "pixel perfect." The campaign's security team flagged the phishing sites as they were identified and submitted fake login credentials.

That sounds suspiciously like cyberdeception.

The attackers had gotten hold of valuable information, so the defenders mixed fake and real data to make it harder for attackers to waste hours trying to verify what was real, said Gadi Evron, founder and CEO of Cymmetria. With cyberdeception, defenders take control of the battleground by deciding what kind of information the attackers get and directing the attackers to go after decoy systems rather than real systems holding sensitive data.

"If we can control the information our opponent collects about us, we can control where they go and how they act, detect them sooner, and neutralize them," Evron said. The following video goes into more detail about how cyberdeception works.

One cyberdeception tactic is to leave documents—"deceptive data"—on carefully prepared systems for attackers to steal, then have the documents beacon back to let the defenders know the file has been opened. Attackers can be tricked into using "incriminating evidence." It's possible the security team left behind fake files in the user accounts or accessed the phishing sites from the prepared systems holding only dummy files, and that level of technical detail hadn't made its way into The Daily Beast article. At this point, there's no proof one way or another.

"There's no evidence the Macron campaign 'outsmarted' or deceived anybody. You can't 'sign on' to APT28 phishing sites and 'plant' info," said Thomas Rid, the Kings College researcher who recently testified at Congress about the Russian interference of the U.S. election.

The campaign claimed the documents revealed the normal day-to-day operations of a presidential campaign, but authentic documents had been mixed on social media with fake ones to sow "doubt and misinformation." Without specifics, that statement doesn't mean much, but taking into the consideration the campaign appears to be familiar with cyberdeception tactics, it's possible the security team knew what files had been available to steal and had a clear idea of what had been compromised.

"The campaign seemed able to quickly identify what it called fake documents in the mix of the data dump. That suggests that they had an inventory beforehand to work with," Evron said, noting this was a "working theory."

The campaign also made it harder for attackers to move around and find data, which may be one of the reasons there wasn't any high-value information buried in the dump. AP reported the campaign had servers protected by sophisticated software filters, recommended the use of encrypted messaging and cellphone networks, and required double and triple authentication to access emails. Information was stored in multiple-partitioned cells, with databases separated like fortresses, accessible only by passwords that were complex and regularly changed.

Hindsight is 20/20, and there's always something a IT security team should've or could've done in order to avoid a data breach or a security incident. While it's important to beef up the defenses, make it hard to steal data, and train users to recognize attacks, letting defenders control the environment and tricking the attackers can also help minimize the effects of an attack.

"Finally, someone uses cyberdeception to beat attackers at their own game," Evron wrote.


Copyright © 2017 IDG Communications, Inc.