Macron's infosec against Russian election-hacking
May 9, 2017 8:38 AM   Subscribe

Macron's IT team expected interference in the recent election. They prepared disinformation to feed the hackers in terms of bogus documents and other misdirection. This allowed them to quickly control the narrative of "fake documents" right before the media blackout when the documents leaked.
posted by k5.user (38 comments total) 48 users marked this as a favorite
 
So the other day, there was a huge phishing campaign against Google that sent to hhh.*@mailinator.com. Now I'm wondering if French elections was the goal of that endeavor.
posted by pwnguin at 8:55 AM on May 9


It's interesting that they reference the anti-phishing techniques used by bankers. Is that just a coincidence - a set of lucky hires by Macron - or did Macron's banking background somehow come into play in the active defense?
posted by clawsoon at 9:06 AM on May 9 [2 favorites]


Here's the Daily Beast article that was mentioned, but not linked, in the OP link, which included this key paragraph:
As reported by The Daily Beast, part of the Macron campaign strategy against Fancy Bear (also known as Pawn Storm and Apt28) was to sign on to the phishing pages and plant bogus information.
“You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out,” Mounir Mahjoubi, the head of Macron’s digital team, told The Daily Beast for its earlier article on this subject.
Making the attacker work to sort good information from bad, and probably even salting "good" accounts with bad information, tips the scale on massive data grab-and-dumps. Beautiful.

But perhaps more importantly is this, from the Daily Beast article:
Literally at the 11th hour, before the blackout would silence it, the Macron campaign issued a statement saying it had been hacked and many of the documents that were dumped on the American 4Chan site and re-posted by Wikileaks were fakes.

The mainstream French media carried the Macron campaign statement, but virtually nothing else. In addition to the normal proscription of campaign “propaganda” on election eve, the government issued a statement saying specifically that anyone disseminating the materials in this dump in France could be liable to prosecution, and calling on the media to shoulder their “responsibility” by steering clear of them.
Emphasis mine - whether the choice by French media was one to side with the politician, or to take a bet against spreading (possibly) fake documents that would make them look like willing partners in public deception.

But looking further, what would it take to get an entire election team using secured devices that could only access websites based on a whitelist that the IT department vets? And require that official emails only use official channels, to ensure security through the secure devices. Of course, people are the weak link here, as is the case in any social engineering hack like phishing attempts.
posted by filthy light thief at 9:06 AM on May 9 [19 favorites]


It's interesting that they reference the anti-phishing techniques used by bankers. Is that just a coincidence - a set of lucky hires by Macron - or did Macron's banking background somehow come into play in the active defense?

It may have been part of Macron's background, but the key strategist listed in the Hacker Noon article, Mounir Mahjoubi, is a politician, not a cyber security expert from banking (French Wikipedia via Google auto-translate).
posted by filthy light thief at 9:08 AM on May 9 [3 favorites]


Very savvy. I hope US politicians are taking notes. Though nothing can stop our corporate news media from running with whatever manufactured scandal stokes the 24/7 punditry fires, unfortunately.
posted by tobascodagama at 9:19 AM on May 9 [3 favorites]


Fantastic. The first step in fighting the weaponization of hyperreality is to see it, to notice the unprecedented and unexpected mode and means of attack. This demonstrates that, once seen, there are some fairly easy responses that can be quite effective.

Moreso, I love that France's establishment collectively realized that the really devastating defense is, essentially, a choice: 'don't let them provoke us to do this to ourselves.' (Turns out that my mom has been trying to teach me that lesson since I was little, every time my big brother would pick and provoke.)
posted by LooseFilter at 9:36 AM on May 9 [22 favorites]


Honeypots should become a mainstream feature of election cycles now, rendering the tactic useless by flooding it with false information. Create just enough signal noise to make any legitimate information found in a dump worthless as it's near impossible to sort through. This probably worked well enough given the short time scale they were operating on. Another benefit to not having election cycles that last for 18 months at a time.
posted by msbutah at 9:47 AM on May 9 [10 favorites]


Mounir Mahjoubi wasn't a politician before this. He was a political appointee in Holland's government, the head of the National Digital Council (Conseil national du numérique) and a former tech entrepreneur, who left to join Macron's campaign. He's now running as an En Marche candidate for parliament. The election's in June.
posted by nangar at 9:50 AM on May 9 [8 favorites]


They prepared disinformation to feed the hackers in terms of bogus documents and other misdirection

So - they're fighting liar with liar (so to speak)! In a way, it seems like our best form of attack is ... well, bullshit.

And that's great for me personally, because I am, like, the most full-of-shit person I know. So I'm probably really employable right now, huh? I gotta update my LinkedIn profile!!! ;-)
posted by the quidnunc kid at 9:54 AM on May 9 [21 favorites]


what would it take to get an entire election team using secured devices that could only access websites based on a whitelist that the IT department vets?

Even simpler -- can't you just disable hyperlinks in all emails on your server? The only argument against that that I've ever seen is "it would be so inconvenient." Seems like a small price to pay to copy and paste URLs.
posted by msalt at 9:55 AM on May 9 [2 favorites]


Feeding the phishing attack fake documents is a great technique, but could backfire if the fake documents happen to be about pizza
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 10:01 AM on May 9 [7 favorites]


The next step will probably involve GRU seconding some staff to Wikileaks to identify and investigate all anonymous sources to it, allowing them to filter out ones that look like pre-emptive spoofing.
posted by acb at 10:03 AM on May 9 [2 favorites]


Seems like their best defence was not having a breathless media trying to spin something out of the hacked documents regardless of substance.
posted by Artw at 10:04 AM on May 9 [35 favorites]


filthy light thief: "The mainstream French media carried the Macron campaign statement, but virtually nothing else. In addition to the normal proscription of campaign “propaganda” on election eve, the government issued a statement saying specifically that anyone disseminating the materials in this dump in France could be liable to prosecution, and calling on the media to shoulder their “responsibility” by steering clear of them."

As flt points out, this is the big news. Threats of prosecution for revealing this stuff is not possible in the US because our first amendment protections are overbroad, allowing media outlets to mislead with impunity.
posted by TypographicalError at 10:07 AM on May 9 [3 favorites]


Honeypots should become a mainstream feature of election cycles now, rendering the tactic useless by flooding it with false information. Create just enough signal noise to make any legitimate information found in a dump worthless as it's near impossible to sort through...

Noise is the first step. Next step is going on the offense. Man, we are so close to "black ICE" I can smell it from here.
"And down now, down, the program a roller coaster through this fraying maze of shadow walls, gray cathedral spaces between the bright towers. Headlong speed.

Black ice. Dont think about it. Black ice.

Too many stories in the Gentleman Loser; black ice is a part of the mythology. Ice that kills. Illegal, but then aren't we all? Some kind of neural-feedback weapon, and you connect with it only once. Like some hideous Word that eats the mind from the inside out. Like an epileptic spasm that goes on and on until there's nothing left at all..."

William Gibson, Burning Chrome

posted by JoeZydeco at 10:26 AM on May 9 [15 favorites]


The next step is cybernetic dolphin junkies.
posted by bonehead at 10:44 AM on May 9 [11 favorites]


We're somewhere between William Gibson and Frank Herbert.

Neither leaves much breathing space for liberty.

It is necessary to play intrigues at certain times. But meanwhile the long term defence is more open and critically minded populace who possess the capability of genuine expression, aided with technical means of free and secure speech.

You who are in power, don't backdoor our encryption keys. Don't try to mass-read everyone's mails while ignoring our true message. You who live by the backdoor shall fall by the backdoor.
posted by runcifex at 11:07 AM on May 9 [4 favorites]




Well, they would say that, wouldn't they? Is it live or is it Memorex? Who knows? As far as public reaction, it will come down to, is the candidate on my side (in which case the dodgy stuff is obviously bogus) or is he not (in which case of course the dodgy documents are real).
posted by IndigoJones at 11:13 AM on May 9 [1 favorite]


I think this approach would only work with an intelligent, politically savvy society that still respects its intellectuals. That is France. That isn't America (or England). Countries that have steeped in bullshit for decades like the US and England would just run with honeypotted misinformation as well.
posted by srboisvert at 11:23 AM on May 9 [18 favorites]


Differences in how free speech can be are also really important here. The US is much more absolutist in its approach, arguably since Regan undid the Fairness Doctrine in the early 80s. The kind of news blackouts that the French government "asked" for and got could not happen in the US, I think. The UK and Commonwealth countries, maybe, but not the US.
posted by bonehead at 11:41 AM on May 9


Threats of prosecution for revealing this stuff is not possible in the US because our first amendment protections are overbroad, allowing media outlets to mislead with impunity.

Our first amendment protections aren't "overbroad." Our system for responding to misinformation is underdeveloped. I hope to see pressures like the Sleeping Giants turned toward all bad media advertisers in due time.
posted by late afternoon dreaming hotel at 11:42 AM on May 9 [6 favorites]


This is apt
posted by infini at 11:42 AM on May 9 [8 favorites]


The kind of news blackouts that the French government "asked" for and got could not happen in the US, I think. The UK and Commonwealth countries, maybe, but not the US.

In the UK, where there are voluntary self-censorship regimes like the D-notice (used for matters of national security) and the superinjunction (used to suppress the names of scandalised celebrities), the British press would comply, but there'd be no shortage of offshore troublemakers who'd gleefuly blurt everything in bold British-tabloid-style headlines. (If it's something that damages a left-wing or liberal candidate, I can imagine, for example, Louise Mensch weighing in from her New York headquarters, and Murdoch backing her even while his British publications follow the law, stopping just short of mentioning where to find the details online.)
posted by acb at 12:05 PM on May 9 [1 favorite]


Metafilter: Unclear if by design, incompetence, or Slavic employee.
posted by Huffy Puffy at 12:09 PM on May 9 [8 favorites]


The ban on campaigning and reporting on the campaigns between midnight Friday before election day and 8:00 pm Sunday when the last polling stations close in France is a matter of established French law. This applies to every French election, not just this one. This isn't something the French government (or the media) made up just to deal with the leaked email dump.
posted by nangar at 12:20 PM on May 9 [4 favorites]


It's interesting that they reference the anti-phishing techniques used by bankers.

And this would be thanks to IT specialists working for banks.

Macron is friends with the director of at least one IT consultancy.

The same IT consultancy that also did a lot of the polling for the French elections.

I, uh, can't say more. Have I mentioned I recently changed jobs and work for a French IT consultancy? ahem. sigh.
posted by fraula at 12:38 PM on May 9 [19 favorites]


Threats of prosecution for revealing this stuff is not possible in the US because our first amendment protections are overbroad, allowing media outlets to mislead with impunity.
Laws are interpreted and enforced by those in power, not by outside angelic entities. The definition of "mislead" is determined by the people in power.

I can't be the only one happy that Trump's government doesn't have the power to label certain stories as "misleading" and difficult/illegal to publish? He has been very open about who he considers "fake news" and who that would be applied to.

Not that it is uncommon to see the system corrupted, a solution be demanded and that solution being to give more power to the system. Which is now used by those who corrupted it to make things worse. It's not uncommon at all, but historically it leads to terrible outcomes.
posted by Infracanophile at 1:07 PM on May 9 [3 favorites]


I, uh, can't say more. Have I mentioned I recently changed jobs and work for a French IT consultancy? ahem. sigh.

FRAULA DID YOU SAVE EUROPE??!?
posted by Huffy Puffy at 1:13 PM on May 9 [23 favorites]


FRAULA DID YOU SAVE EUROPE??!?

I have an idea for your next project.
posted by maxwelton at 2:20 PM on May 9 [6 favorites]


"And down now, down, the program a roller coaster through this fraying maze of shadow walls, gray cathedral spaces between the bright towers. Headlong speed.

Black ice. Dont think about it. Black ice.

Too many stories in the Gentleman Loser; black ice is a part of the mythology. Ice that kills. Illegal, but then aren't we all? Some kind of neural-feedback weapon, and you connect with it only once. Like some hideous Word that eats the mind from the inside out. Like an epileptic spasm that goes on and on until there's nothing left at all..."


Case slotted the Russian virus, then tweaked the angle of his selfie stick with a trembling hand. 'This is gonna look sick on Instagram,' he thought.
posted by Sebmojo at 2:33 PM on May 9 [10 favorites]


Even simpler -- can't you just disable hyperlinks in all emails on your server? The only argument against that that I've ever seen is "it would be so inconvenient." Seems like a small price to pay to copy and paste URLs.

How would that help? If you make people copy and paste legitimate URLs from emails instead of clicking on them, what's to keep them from copying and pasting legitimate-looking phishing URLs?
posted by DevilsAdvocate at 2:59 PM on May 9 [2 favorites]


But meanwhile the long term defence is more open and critically minded populace who possess the capability of genuine expression, aided with technical means of free and secure speech.

We are close enough to this world - almost anything can be learned for free or close to it, and people's ability to communicate is close enough to free and unregulated - and it's clear that this dawn of rationality that is going to make our societies secure, long term, is impossible. People are still people, and they use meat to make decisions, and those decisions are often flawed. The step change you're waiting on happened, and instead of enlightened rationality, every shitty man got a YouTube account and a self-reinforcing audience. Instead of a future where everyone converges on the right answer because everyone gets a say, what we got is because everyone gets a say, there's an answer out there for you no matter how wrong you are, and your meat automatically filters out everything you'd prefer not to hear.
posted by Merus at 8:23 PM on May 9 [2 favorites]


In the UK, where there are voluntary self-censorship regimes like the D-notice (used for matters of national security) and the superinjunction (used to suppress the names of scandalised celebrities)

Access journalism in the US guarantees that major US news outlets will voluntarily self-censor anyway. I think I'd prefer to have a formalised process than the informal handshake agreements that we use now. Ask versus guess culture, you might say.
posted by tobascodagama at 8:54 PM on May 9 [1 favorite]


If you make people copy and paste legitimate URLs from emails instead of clicking on them, what's to keep them from copying and pasting legitimate-looking phishing URLs?

I'm not a netework configurator, but there are a couple of things right off hand:

1) A lot of phishing links are not carefully designed near matches, so it reveals those. A lot of them are very long URLs whose beginnings look like legit addresses but are actually subdomains of a different domain way off to the right. Hyperlinks hide the long names; text can't.

2) It slows down the whole process, forcing you to literally look at the text and take several steps. Of course, this goes hand in hand with yelling at people DON'T FOLLOW LINKS IN EMAILS. Really, there's very little reason to be emailing links at all.

3) Hopefully, the IT staff is buying up near domains and/or doing something on the server to block domains similar to but different from the real ones, especially as they see phishing attacks come in. The goal is to block as many as possible at the server level.

It's the new ones that you want to make it a step harder to go to. Just clicking is way too easy and automatic. We've been trained to just do that for years.
posted by msalt at 11:40 PM on May 9


Let's turn your question around. Why in the world would you allow hyperlinks in URLs at all, if you were a political or media organization prone to attack?

What possible need is there, that justifies the high risk of being compromised?
posted by msalt at 11:42 PM on May 9


As always, there is a tradeoff between productivity and security. (Security and Legal are often referred to, only half-jokingly, as 'business-prevention units' where I work.)

I almost wrote out a long paragraph here about all the different ways it could backfire to disallow emails with links in them, or even to disallow links in emails. Not to mention the difficulty of actually performing the disallowal, whatever that actually means on the wire/on the server/on the client!
posted by Fraxas at 3:44 AM on May 10 [1 favorite]


This reminds me of the bit from the Neil Stephenson book Anatham where it was impossible to rely on anything read on the internet because in that world's history, intelligence agencies and governments had long ago set up AI bots to continuously flood the net with inaccurate information, stuff that seems plausible but was difficult to verify.

It's a fascinating strategy to stop leaks in a world where gigabytes of information can be instantly and secretly copied. If you can't stop the information from getting out, just mix in tons of false data. The difficulty is you need to generate the garbage documents in such a way that the people inside the organization would be able to distinguish them but outsiders couldn't.
posted by zixyer at 10:06 AM on May 10 [3 favorites]


« Older The Perils of Impersonation   |   Good Dog Newer »


You are not currently logged in. Log in or create a new account to post comments.