
The Macron Leaks: Are They Real, and Is It Russia?

Matt Tait
Monday, May 8, 2017, 1:00 AM

French President-elect Emmanuel Macron has a lot on his mind as he prepares to assume office. One topic we can be sure he’s thinking about: what to do about the dumping of various of his campaign documents and emails online just hours before the election.

Emmanuel Macron speaks at a technology conference in December 2014.

Published by The Lawfare Institute
in Cooperation With


By way of a quick recap, on Friday at about 7pm CET a large cache of files purporting to contain confidential information from the Macron campaign started circulating online. The files were uploaded to, and shared on, peer-to-peer (BitTorrent) sharing networks. The links to the files were then distributed through Pastebin—an anonymous document sharing site—and publicized on 4chan’s infamous /pol/ site. News of the leak hit the media headlines shortly afterwards.

Despite the headlines about "Macron Leaks," the stolen emails and documents are not actually from Macron himself. The victims here are his speechwriter, the treasurer for the En Marche! party, a senior political consultant, and other members of the campaign. Most are documents, emails, and attachments to or from these victims’ respective Gmail accounts.

The En Marche! campaign managed to narrowly squeeze out a statement before the French election commission's mandatory “Article L49” media political blackout kicked in at midnight. The campaign team alleged that the documents also contained forgeries. Separately, Macron’s foreign policy advisor Aurelien Lechevallier spoke about the need to have a “doctrine of retaliation when it comes to Russian cyber-attacks” once Macron is President.

But are the statements valid? Is professed concern regarding forgeries merely intended to distract from the content of the documents? And how certain can we be that Russia was behind this?

The issue of forgeries is a real concern. During the Cold War, intelligence services behind the Iron Curtain would routinely mix partial or complete forgeries with real document caches when leaking to Western journalists precisely because the genuine documents give the forgeries a veneer of credibility.

This problem is exacerbated in the Internet age. Citizens’ access to document caches is no longer mediated by journalists with time to investigate before reporting. Rather, forgeries can go viral more quickly than journalists can investigate the claims for validity.

Previously, I’ve written about my concern and search for forgeries in the stolen DNC document dumps last year:

What if the documents were mostly real, but had been surgically doctored? How effective would a carefully planted paragraph in an otherwise valid document be at derailing a campaign? How easily could Russia remove or sidestep an inconvenient DNC official with a single doctored paragraph showing “proof” of dishonest, unethical or illegal practices? And how little credibility would the sheepish official have in asserting that “all of the rest of the emails are true, but just not the one paragraph or email that makes me look bad”?

Rep. Adam Schiff has the same concerns, judging from his statement yesterday:

In our election, and because of the decentralization of our voting system, my gravest fear was not that the Russians would hack the actual voting machines. [...] Instead, I worried about the Russians dumping forged documents among the real, or worse still, adding fake paragraphs into real emails. Imagine the impact on an election if hackers inserted false information into a real email that suggested illegality by a candidate, and then published the document. If this was done close to an election, there would be no opportunity to disprove the forgery and who would believe the victim even if they could?

Fortunately, technology can be used defensively as well as offensively. We can use digital forensics to look for forgeries in the documents. For example, we can prove some of the emails in the cache are certainly genuine. Cryptographic signatures on Uber receipts (used to block some categories of fraudulent emails) can be repurposed to verify that some of the emails haven’t been altered, and help us to show conclusively who the hack victims are, and establish that the cache is not a total forgery.
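The check described above can be sketched in code. This is an added example, not part of the original article, and it assumes the receipt signatures are DKIM signatures (RFC 6376). It recomputes the body hash and compares it with the `bh=` tag. The sample message, domain and selector are constructed, and the `b=` value is a placeholder because the RSA signature is not checked here.

```python
import base64
import hashlib
import re
from email.parser import BytesHeaderParser

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse space/tab runs, drop whitespace at line end
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # trailing empty lines are ignored
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out if out or mode == "relaxed" else b"\r\n"

def body_digest(body: bytes, tags: dict) -> str:
    """Base64 body hash as a signer using these tags would compute it."""
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    data = canon_body(body, mode)
    if "l" in tags:  # l= means only the first l bytes are covered
        data = data[: int(tags["l"])]
    algo = hashlib.sha1 if tags.get("a", "").endswith("sha1") else hashlib.sha256
    return base64.b64encode(algo(data).digest()).decode()

def body_hash_matches(raw: bytes) -> bool:
    """True if the body still matches bh= in the message's DKIM-Signature."""
    head, _, body = raw.partition(b"\r\n\r\n")
    sig = BytesHeaderParser().parsebytes(head + b"\r\n\r\n")["DKIM-Signature"]
    if sig is None:
        return False  # unsigned mail cannot be checked this way
    tags = {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (p.split("=", 1) for p in str(sig).split(";") if "=" in p)}
    return body_digest(body, tags) == tags.get("bh")

def make_sample(body: bytes) -> bytes:
    """Constructed message; plays the sending server, minus the RSA signature."""
    bh = body_digest(body, {"a": "rsa-sha256", "c": "relaxed/relaxed"})
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
           " s=sel1; h=from:subject; bh=" + bh + ";\r\n b=PLACEHOLDER")
    return (b"From: receipts@example.com\r\nSubject: Your trip\r\n"
            + sig.encode() + b"\r\n\r\n" + body)

GENUINE = make_sample(b"Fare: 12.40 EUR\r\nThanks for riding.\r\n")
TAMPERED = GENUINE.replace(b"12.40", b"1240.00")         # content changed
RESPACED = GENUINE.replace(b"Fare: 12.40", b"Fare:   12.40 ")  # whitespace only
```

A matching body hash is necessary but not sufficient: an email counts as verified only when the `b=` signature over the signed headers, which include `bh=`, also validates against the public key the sending domain publishes in DNS.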

But we can also see that some documents in the Macron cache are not genuine. Most have had their metadata scrubbed, but nine of the spreadsheets have been scrubbed incorrectly, leaving metadata showing that they were edited by a user with a Russian name using a Russian version of Microsoft Excel on March 27, 2017. It’s not immediately clear what was changed within the documents, or why, or even whether such changes were intentional. But if the Macron campaign demonstrate that the originals were substantively edited prior to release, this will certainly be an alarming escalation.
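A triage pass for this kind of leftover metadata, as an added example that is not part of the original article. It assumes the spreadsheets are Office Open XML (`.xlsx`) files, which keep author fields in `docProps/core.xml`. The file names, editor name and timestamp below are constructed sample values.

```python
import io
import unicodedata
import xml.etree.ElementTree as ET
import zipfile

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "modified": "dcterms:modified"}

def core_properties(xlsx: bytes) -> dict:
    """Non-empty author fields from docProps/core.xml; {} if the part is gone."""
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {k: root.findtext(p, default="", namespaces=NS).strip()
             for k, p in FIELDS.items()}
    return {k: v for k, v in found.items() if v}

def scripts(text: str) -> list:
    """Unicode scripts of the letters in text (first word of each character name)."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()})

def triage(cache: dict) -> list:
    """(file, editor, modified, scripts) for files whose editor field survived."""
    hits = []
    for name, data in sorted(cache.items()):
        props = core_properties(data)
        editor = props.get("last_modified_by")
        if editor:
            hits.append((name, editor, props.get("modified", ""), scripts(editor)))
    return hits

def make_xlsx(editor: str = "", modified: str = "") -> bytes:
    """Constructed stand-in for a spreadsheet: a ZIP holding only core.xml."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
            "<dcterms:modified>%s</dcterms:modified></cp:coreProperties>"
            % (NS["cp"], NS["dc"], NS["dcterms"], editor, modified))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed cache: one scrubbed file, one with leftover editor metadata.
CACHE = {"budget.xlsx": make_xlsx(),
         "ledger.xlsx": make_xlsx("Иван Иванов", "2017-03-27T09:00:00Z")}
```

These fields are ordinary editable text inside the file, so a hit is a lead to investigate rather than proof of who edited the document.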

The hack has also not occurred in a vacuum. Trend Micro’s Threat Intelligence team identified an attack against the Macron campaign in March and April this year by a group they call “Pawn Storm”. Trend Micro says the group are “Russian based and motivated”, and their targets intersect conspicuously with Russian government interests. According to Trend Micro’s analysis, the group registered the domain “” as part of an attack on the En Marche campaign earlier this year.

Needless to say, none of these individual facts “proves” Russian government involvement to a certainty. Attribution is often a matter of iteratively establishing a model that best explains the available evidence. Thus far, the available evidence does lean conspicuously towards Moscow. It is worth noting, however, that the level of technical attribution in the Macron case doesn’t hold a candle to the volume and quality of sources and evidence in DNC hack attribution after nearly a year of multiple investigations. The attribution in the DNC case offers a far greater level of certainty, but there are a great many promising leads in the Macron leaks that still need to be investigated.

As with the DNC leak, the hacker here made mistakes, which have already begun to unravel their scheme.

Yes, attribution is hard. But hackers maintaining anonymity when operating at scale is even harder.

Matt Tait is the Chief Operating Officer of Corellium. Previously he was CEO of Capital Alpha Security, a consultancy in the UK, worked at Google Project Zero, was a principal security consultant for iSEC Partners, and NGS Secure, and worked as an information security specialist for GCHQ.
