
15/03/2020 MacronLeaks – A Timeline of Events | AT&T Alien Labs


MacronLeaks – A Timeline of Events

MAY 6, 2017 | CHRIS DOMAN (/BLOGS/AUTHOR/CHRIS-DOMAN)

It's been a very familiar feeling reading about the documents leaked to impact the elections in France tomorrow.

Oen the best defence is to have a proper understanding of what has happened. A quick dra timeline of events from an analysis of document
meta-data and forum posts is below.

Attacks in March and April

A number (https://motherboard.vice.com/en_us/article/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing) of domains,
identified by Trend Micro as linked to a group of attackers known as APT28 (https://en.wikipedia.org/wiki/Fancy_Bear), were registered for use in
attacks against Emmanuel Macron's campaign.

It appears they were registered in two stages - first in the middle of March, then more in the middle of April. The links between these attacks and
others in the US elections are strong. I haven't seen a definitive link that the documents leaked yesterday were the result of these attacks in March
and April, but it seems a likely scenario.

Suspicious edits of the leaked documents in March

Many (https://twitter.com/BivolBg/status/860803144103723009) noted that all of the documents in one of the smaller archives released
yesterday (xls_cedric) appeared to have been edited over a 4 minute period on the 27th of March.

These were edited by a Russian language version of Microsoft Excel. About half recorded a user named "Рошка Георгий Петрович / Roshka Georgy
Petrovich" performing the edits.

It's suspicious that these documents, some of which were created over ten years ago, were all edited so recently during the same 4 minutes. It
suggests the edits may have been made after their theft, not before.
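
The check described above - a batch of old files all re-saved within a few minutes, by the same editor and application - is something an analyst can automate rather than eyeball. The following is an added example written for this post, not code from the original article or from AT&T/AlienVault. It reads the standard docProps/core.xml properties (creator, lastModifiedBy, created, modified) from OOXML packages using only the Python standard library, then groups files whose modification times fall within a 4-minute window and flags those created more than a year before the edit. The sample packages, file names and times of day are constructed for the example; the post gives only the date and the 4-minute span. The archive name "xls_cedric" suggests the real files were legacy binary .xls, whose properties live in an OLE SummaryInformation stream that this example does not parse.

```python
import io
import zipfile
from collections import Counter
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

# Namespaces used by docProps/core.xml in an OOXML package (.xlsx/.docx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def _parse_w3cdtf(text):
    """core.xml timestamps are W3CDTF in UTC, e.g. 2017-03-27T12:00:10Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_core_properties(name, data):
    """Extract creator, last editor and created/modified times from one package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "name": name,
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": _parse_w3cdtf(text("dcterms:created")),
        "modified": _parse_w3cdtf(text("dcterms:modified")),
    }


def find_edit_bursts(records, window=timedelta(minutes=4), stale_after=timedelta(days=365)):
    """Group records whose 'modified' times lie within `window` of the group's first edit.

    Only groups of two or more files are reported. Each report lists the files, which
    of them were created more than `stale_after` before the edit, and the last editors,
    so a batch re-save of old documents stands out.
    """
    ordered = sorted(records, key=lambda r: r["modified"])
    groups, current = [], []
    for rec in ordered:
        if current and rec["modified"] - current[0]["modified"] > window:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)

    reports = []
    for group in groups:
        if len(group) < 2:
            continue
        reports.append({
            "start": group[0]["modified"],
            "end": group[-1]["modified"],
            "files": [r["name"] for r in group],
            "stale_files": [r["name"] for r in group
                            if r["modified"] - r["created"] > stale_after],
            "editors": Counter(r["last_modified_by"] for r in group),
        })
    return reports


def make_sample_package(creator, modifier, created, modified):
    """Build a minimal OOXML-style zip holding only docProps/core.xml (constructed test data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{XSI}">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed sample set: four old spreadsheets re-saved within four minutes on
# 2017-03-27 (file names and times of day are invented) plus one unrelated recent edit.
SAMPLE_FILES = {
    "budget_2006.xlsx": make_sample_package("cedric", "Рошка Георгий Петрович", "2006-05-11T09:14:00Z", "2017-03-27T12:00:10Z"),
    "invoices_2004.xlsx": make_sample_package("cedric", "cedric", "2004-02-03T15:40:00Z", "2017-03-27T12:01:30Z"),
    "contacts_2009.xlsx": make_sample_package("cedric", "Рошка Георгий Петрович", "2009-11-20T10:05:00Z", "2017-03-27T12:02:45Z"),
    "loan_schedule_2008.xlsx": make_sample_package("cedric", "cedric", "2008-07-01T08:30:00Z", "2017-03-27T12:03:50Z"),
    "notes_2017.xlsx": make_sample_package("cedric", "cedric", "2017-03-30T08:00:00Z", "2017-04-01T16:45:00Z"),
}


def load_records(files):
    return [read_core_properties(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for report in find_edit_bursts(load_records(SAMPLE_FILES)):
        span = (report["end"] - report["start"]).total_seconds()
        print(f"{len(report['files'])} files re-saved within {span:.0f}s "
              f"starting {report['start']:%Y-%m-%d %H:%M:%S} UTC")
        print("  created >1 year earlier:", ", ".join(report["stale_files"]))
        print("  last editors:", dict(report["editors"]))
```

Run as a script it prints one burst of four files, all created more than a year before the edit, with two different last editors. A real run would replace SAMPLE_FILES with the bytes of each file in the archive; note that lastModifiedBy is free text set by the editing application and, as the post says, is just as easy to plant as to leave by accident.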

Before linking any individual to these attacks though it's important to note:

A number of people have that name;
This could be false information planted by the attackers; or
An entirely innocent employee at a bank somewhere has been unfortunate enough to get caught up in this.

Similar previous mail dumps have included a mix (https://twitter.com/RidT/status/860769446083911681) of real and fake information, and the
Macron campaign have also said that the dump is a mix of real and fake documents. It's important to keep that in mind – particularly when you see
e-mails in the dump suggesting that politicians have bought drugs online.

Documents shared on 4Chan on Wednesday

A first small set of two documents were shared (http://boards.4chan.org/pol/thread/123933076 [no longer available]) on 4Chan's politics board /pol/
just prior to the election debates on Wednesday:

These suggested that Macron had secret bank accounts. The post was made by a user from a Latvian IP. The geolocation is likely incorrect and the
“Latvian” poster themselves said they were connecting through proxies from another location.

The documents were picked up by fringe news sites quickly, and Le Pen made (https://www.theguardian.com/world/2017/may/04/emmanuel-
macron-files-complaint-over-marine-le-pen-debate-remark) similar claims during the live debate against Macron that night.

It wasn't long before some suggested the documents looked like they had been photoshopped
(https://twitter.com/TurcanMarie/status/860038174579576833). The "Latvian" poster claimed the problems were due to how the copies were
obtained - by taking photos of the documents "in a short window perhaps only a couple minutes long" with "covert physical access".

https://cybersecurity.att.com/blogs/labs-research/macronleaks-a-timeline-of-events

Meta-data (https://bivol.bg/en/canon-for-macron.html) of the documents showed they were scanned by two very expensive printers at around the
same time, 08:22 that Wednesday morning (all times in this post are in UTC). This could match two people working in an office. The time zone of the
scans was set to UTC-4 - which would in fact match a bank in the Caribbean. This could be a legitimate timestamp of when they were scanned, fake
information, or left in despite later edits.

Friday Morning: Higher Quality Versions of Wednesday's Documents Shared on 4Chan

In response to the questions around whether the documents had been edited, the (presumably same) "Latvian" poster shared higher quality
versions of the documents posted on Wednesday:

Ominously, they referred to what were likely the documents that came out later that day, providing evidence that the leaks of documents on Wednesday
and Friday were by the same people:

"We will soon have swinet logs going back months and will eventually decode Macron's web of corruption"

They also suggested plans for further activity if Macron wins:

"Also if Macron wins we're gonna have to organize and make things happen. The French scene will be at nouveaumartel.com later."

This has possible parallels to the US elections. Many saw the leaked documents then as attempts to weaken Hillary Clinton had she won as expected
- as much as to reduce the chances of her election. Currently the site nouveaumartel[.]com (registered in November 2016) is empty. The "Latvian"
poster responded directly to suggestions they were Russian:

"I am not Russian. I have never been to Russia. I do not speak Russian”

Friday Early Afternoon: The Uploads to the Internet Archive

The documents were uploaded to the Internet Archive between 11:17:39 and 14:06:04.

The Internet Archive logs several pieces of information when you upload a file, and recorded that:

The uploader used the e-mail address frankmarcher1@gmx[.]de
Two machines were used to upload the files - one was Windows 8.1, the other Windows 10
Both machines have the language of their browser set to US English

The files remain available on the Internet Archive. They often take time to remove files and were even banned in Russia for not taking down
extremist content promptly.

Friday Night: The Cache is Shared and Spread

At 17:37 the US alt-right fringe news site "Disobedient News" tweeted (https://twitter.com/DisobedientNews/status/860549138139795456):


(Note the time is 5:37 PM when in UTC)

This was twenty minutes before the links to the archives were posted on Pastebin. Disobedient News was also the first to tweet links to the archives
after they were shared on 4Chan, and has been linked (https://medium.com/dfrlab/hashtag-campaign-macronleaks-4a3870c4e8) to being
key to spreading the news.

At 17:59 the links to the files on internet archive were posted to Pastebin (http://archive.is/eQtrm) and then shared on 4Chan 30 minutes later:

This time the post is from an IP address in the US, unlike the other posts which were from an IP in Latvia. The poster says the documents were
"passed on" to them that day, and that they were trying to share them with Wikileaks but they were "too slow".

A possible reading of the timeline is that the attackers uploaded the files to internet archive, then another party spread the information on 4Chan
and elsewhere.

What next?

The impression on the 4Chan boards, the so-called "armpit of the internet", is that this is all a game.

But the effects of repeated attacks against political parties are serious. It's unlikely those orchestrating these attacks have the best interests
of those happily spreading their output at heart.

The French elections will be over Sunday, but it's unlikely these types of attacks will be. Related attacks targeting
(http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks/)
German political parties for the upcoming German elections have already been identified.

About the Author: Chris Doman, AlienVault

I've had a long interest in security, but joined the industry after winning the civilian section of the
Department of Defense's forensics competition. I run a popular threat intelligence portal
(ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a
degree in Computer Science from the University of Cambridge.


TAGS: timeline (/blogs/tag/timeline), macronleaks (/blogs/tag/macronleaks), 4chan (/blogs/tag/4chan)
