This is gonna be a very interesting cyber conflict

On Feb 1st, 2017, Wikileaks began tweeting about the candidates in the French election coming up in a few months. This election (along with Germany’s later this year) is a very highly anticipated overt cyber conflict, one that many people in the intelligence, infosec and natsec communities are all paying attention to. We all saw what happened in the US and expect the Russians to meddle in both of these elections too. The outcomes are particularly important because France and Germany (“Old Europe”) are the strong core of the EU, and Putin’s strategic goal is a weak EU. He’s been dealt a weak hand and his geopolitical strategy is to weaken his opponents, pretty straightforward.

This next cyber conflict promises to be more complicated and interesting, but sadly due to improved tradecraft will likely have less visible events. Covering the covert war is always going to involve speculation, but I’ll attempt to “show my work” as much as possible.

I promised a write up on this at the time, but due to delays with editing had to settle for just a Tweet. Since then, it seems that the campaign against Macron has ramped up.


The Most Anticipated Cyber Conflict of 2017

There are a few important points to lay the groundwork for understanding this conflict. I’m hardly an expert on French politics, but this is what we need to know to follow what is happening.

For months I’ve been hearing from credible sources that Russian cyber crews (Sofacy, APT28, etc.) have been collecting aggressively in France. There is plenty of historical evidence of Russian espionage in France (see: TV5 hack.) From what I understand, this espionage was stepped up last year, so I guess it is a reasonable assessment that the “collection” phase of the influence op is well underway. However, unlike with the DNC hacks last year, the Russians have not been caught with their hand in the cookie jar, kicked out and publicly exposed. I believe they are still able to collect new intelligence throughout the campaign (always useful to have fresh intel!)

An amusing side note: French politicians have moved to secure messengers, potentially as a means of mitigating against Russian collection. What messenger have they chosen? Russia’s own Telegram, the least suited tool for the job! (Personally, I blame the French security forces saying that Telegram has impenetrable security creating a safe haven for ISIS.)

French politicians, please, switch to WhatsApp or Signal for secure messaging. And use an iPhone, it is easier to keep secure than an off the shelf Android device.

Whirlwind Tour of French Politics

France is not the US. There are more players and the system is more complex.

The major players:

  1. Fillon, pro-Kremlin, right wing, has been leading in the polls
  2. Le Pen, pro-Kremlin-ish, basically a Nazi, has been doing ok in the polls
  3. Macron, anti-Kremlin, center-left, rising fast in the polls
  4. Hamon, anti-Kremlin, Socialist, a “dinosaur” who is unlikely to be a serious threat

From a Russian interests point of view, either Le Pen or Fillon is a win because they would serve to weaken the EU. Either of the other two (Macron, Hamon) is a loss, since they don’t advance Russian interests.

Simply causing chaos and weakening France with a brutal campaign is also a win, since that helps to advance Russian interests. This is why pretty much everyone is expecting some degree of Russian meddling. Besides, what do they have to lose?

How To: Cyber an election

The Russian cyber based influence operation in the US election was constructed of several phases:

  • strategy (construct and spread a narrative that US elections are corrupt and illegitimate)
  • collection (the hacking of political targets to gather data to support this narrative)
  • dissemination (using cut outs like Wikileaks, and via “exclusives” to receptive journalists)
  • target ingestion (getting a sufficient part of the target audience to accept the narrative as authentic)

As we saw last time, Wikileaks was an instrumental part of the Russian operation.

After the cyber based meddling by the Russian intelligence forces in the US election last year, everyone has been expecting the same thing to happen in the European elections this year. What can we expect?

  • The tradecraft for a cyber conflict has been improved (on all sides),
  • the French are more prepared than the Americans were (in that they are at least expecting something),
  • the French election is a lot more complicated than the US one (more players for a start), and
  • the French media is mostly left wing while the major candidates are mostly right wing.

Most interestingly though, this time it looks like the French made the first move. In purely internal domestic politics the right wing politicians (quite possibly Sarkozy) have orchestrated the exposure of an election ending scandal for Fillon. This has probably thrown a monkey wrench into the Kremlin’s strategy which was likely constructed on the assumption that at least two candidates provided a winning end state. Now there is only one, and she is the weaker of the two.

Plot Twist: Fillon gets Knifed in the back

At the beginning of the year the French media exposed a huge, potentially terminal, scandal around Fillon. He has been running on “austerity, cutting social benefits, self righteous purity”…but it turns out that for years he’s been paying his wife (and sons) hundreds of thousands of euros of taxpayer money for “fake jobs.” This petty corruption isn’t such a big deal, except it completely undermines his platform and image. Reveals him as a total hypocrite who wants to slash taxpayer funding for everyone except his immediate family. Not a good look for an austerity platform!

This scandal was probably orchestrated by Sarkozy, or other members of Fillon’s own party, who are taking him out of the game for internal political reasons. If it proves successful in kicking him out of the race, it will make things more interesting since it halves the number of pro-Kremlin candidates. With the strongest pro-Kremlin candidate already eliminated before the Russians even got to start playing their games, my guess is that the reduced number of strategies available will lean heavily towards an extremely bloody campaign. There’s no reason for restraint, just going full on.

The Starting Gun

The games have begun. Wikileaks, so instrumental in the last Russian influence operation campaign, has already started tweeting about the French candidates.

They began with an opening salvo of five tweets:

WTF is it with Clinton?

Most of Wikileaks’ tweets were about Macron and every single one links him directly to “Hillary Clinton,” and always with a weird negative sentiment. First his “special dinner” sends an “invite to the Hillary Clinton campaign.” Then a dismissive “summed up to Hillary Clinton” with a pic of the two line bio. Finally an assertion that the same two line bio “in Hillary Clinton’s emails [is] at odds with [Macron’s] campaign image.”

Macron is getting special attention compared to the other candidates, and he is always linked to Clinton and once even to Clinton’s emails. I’d wager a guess that Wikileaks is not in the pro-Macron camp. Wikileaks is attempting to create a fictitious association linking Macron to Hillary Clinton, and her emails (both of which have negative political connotations, at least in the minds of some people.)

Speculative Guess Below

With Fillon seemingly out of the race, the Kremlin will throw full support behind Le Pen. That will probably mean a dirtier campaign since they now have fewer winning outcomes — a Le Pen win, or a chaotic weakened France exhausted by a bloody election.

I believe the two generic “here’s a link to a search result” tweets about Fillon and Le Pen are an attempt by Wikileaks to create an illusion of neutrality. This would be an advancement in cyberwar electioneering tradecraft — create at least a thin shield of neutrality to help mitigate against accusations of partisanship.

Epic Fail

Unfortunately for Wikileaks, this thin veneer of “we leak about everyone” doesn’t appear very convincing. Firstly, they have too much baggage from last year’s US election (it’ll take more than a couple tweets to wash that off.) Secondly, the only major media outlet to pick up the Wikileaks tweets and run with them was, wait for it — Russia Today! Finally, Macron’s special attention, all of it negative, belies any attempted claims of neutrality.

Things to Come

I believe that the loss of Fillon and the rise of Macron will mean that the Kremlin will deliberately target Macron with “leaks.” This is foreshadowed by the special attention he has received already, and because there just isn’t much on him. He is too young to have a long sordid history in politics to mine for dirt (see: Fillon); he has almost no presence in the existing leaks (searching Wikileaks for “macron” reveals only 17 hits, all of which are variants of the two documents used to create the three tweets.)

France Mulls Forming a Committee to Propose a Timetable to Evaluate a Framework to Man the Maginot Line

The French claim to be prepared to handle Russian cyber meddling. There is a plan by ANSSI* to counter any leak supported narrative by informing the public immediately. We’ll see how that goes, but I don’t think the great failure in America was due to a lack of awareness that the narrative was supported by hacked emails collected by a hostile foreign intelligence service. Not only weren’t people bothered by that, but the sourcing (“hacked by elite Russian military intelligence cyber unit”) seemed to add a stamp of authenticity (“if you can’t trust a hostile foreign intelligence service, who can you trust?”)

There have been overt (and pointless) statements telling people that they need to secure their email. This is pointless because the collection of information happened last year, long before anyone was told to enable 2FA. It is also pointless because the French have been thoroughly penetrated by the Russian cyber forces for years, and so this suggestion is too little too late. It’s not that the defence is inadequate against the literal manifestation of a nation state’s will (although it may be), it’s that the time to deny the adversary access to your emails is before they have access!

*: Agence Nationale de la Sécurité des Systèmes d’Information, I can see why they didn’t go with the English word order for the National Agency for the Security of Information Systems.


If there is going to be any cyber electioneering, the Russians will have to get some new emails and documents published. From what I’ve heard, they have been conducting stepped up cyber espionage against the French since last year, so they probably have something to use. Given the French political landscape right now (Fillon out, Le Pen doing ok, Macron coming up, Hamon an afterthought), and given the content of the Wikileaks tweets, I believe that there will be a Russian disinformation campaign against Macron.

Update: Feb 6th

The Russian state controlled media has begun throwing out its own set of anti-Macron narratives. Sputnik alleges that Macron is some sort of US banker agent.

Izvestia did an interview with Assange who claims to have “very interesting” information on Macron, translated by Izvestia as “kompromat” and immediately seized on by Le Pen. She is all over this “Macron worked at a bank” kompromat.

The narrative, such as it is, is all based on some insinuation by Assange that he has “interesting information” about Macron. Real journalists got to work asking followup questions to find out more about the nature of this information, like “what is it?”

There you have it, the “interesting information” Assange was alluding to is literally a two line, years old, biographical sketch that contains less information about Macron than Wikipedia.

If you want information on a public figure, sometimes one Wiki is better than the other…

The grugq, Medium

The grugq is an information security researcher :: PGP 0xDB60C7B9BD531054