MacronLeaks – A Timeline of Events

May 6, 2017 | Chris Doman
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

It's been a very familiar feeling reading about the documents leaked to impact the elections in France tomorrow.

Often the best defence is to have a proper understanding of what has happened. A quick draft timeline of events from an analysis of document meta-data and forum posts is below.

Attacks in March and April

A number of domains, identified by Trend Micro as linked to a group of attackers known as APT28, were registered for use in attacks against Emmanuel Macron's campaign.

It appears they were registered in two stages - first in the middle of March, then more in the middle of April. The links between these attacks and others in the US elections is strong. I haven’t seen a definitive link that the documents leaked yesterday were the result of these attacks in March and April, but it seems a likely scenario.

Suspicious edits of the leaked documents in March

Many noted that all of the documents in one of the smaller archives released yesterday (xls_cedric) appeared to have been edited over a 4 minute period on the 27th of March.

These were edited by a Russian language version of Microsoft Excel. About half recorded a user named "Рошка Георгий Петрович / Roshka Georgy Petrovich" performing the edits.

It's suspicious that these documents, some which were created over ten years ago, were all edited so recently during the same 4 minutes. It suggests the edits may be following their theft, not before.

Before linking any individual to these attacks though it's important to note:

  • A number of people have that name;
  • This could be false information planted by the attackers; or
  • An entirely innocent employee at a bank somewhere has been unfortunate enough to get caught up in this.

Similar previous mail dumps have included a mix of real and fake information, and the Macron campaign have also said that the dump is a mix of real and fake documents. It's important to keep that in mind – particularly when you see e-mails in the dump suggesting that politicians have bought drugs online.

Documents shared on 4Chan on Wednesday

A first small set of two documents were shared http://boards.4chan.org/pol/thread/123933076 [no longer available] on 4Chan's politics board /pol just prior to the election debates on Wednesday:

MacronLeaks files on 4Chan

These suggested that Macron had secret bank accounts. The post was made by a user from a Latvian IP. The geolocation is likely incorrect and the “Latvian” poster themselves said they were connecting through proxies from another location.

The documents were picked up by fringe news sites quickly, and Le Pen made similar claims during the live debate against Macron that night.

It wasn’t long before some suggested the documents looked like they had been photo-shopped. The “Latvian” poster claimed the problems were due to the how the copies were obtained - by taking photos of the documents "in a short window perhaps only a couple minutes long" with "covert physical access".

Meta-data of the documents showed they were scanned by two very expensive printers around the same at 08:22 that Wednesday morning (all times in this post are in UTC). This could match two people working in an office. The time zone of the scans was set to UTC-4 - which would in fact match a bank in the Caribbean. This could be a legitimate timestamp of when they were scanned, fake information, or left in despite later edits.

Friday Morning: Higher Quality versions of Wednesday's documents shared on 4Chan

In response to the questions around whether the documents had been edited the (presumably same) “Latvian” poster shared higher quality versions of the documents posted on Wednesday:

4Chan on Friday after deception uncovered on MacronLeaks

Ominously they referred to what were likely the documents that came out later that day, providing evidence the leak of documents on Wednesday and Friday were by the same people:

"We will soon have swiftnet logs going back months and will eventually decode Macron's web of corruption"

They also suggested plans for further activity if Macron wins:

"Also if Macron wins we're gonna have to organize and make things happen. The French scene will be at nouveaumartel.com later."

This has possible parallels to the US elections. Many saw the leaked documents then as attempts to weaken Hilary Clinton had she won as expected - as much as to reduce the chances of her election. Currently the site nouveaumartel[.]com (registered in November 2016) is empty. The “Latvian” poster responded directly to suggestions they were Russian:

"I am not Russian. I have never been to Russia. I do not speak Russian”

Friday Early Afternoon: The Uploads to the Internet Archive

The documents were uploaded to the internet archive between 11:17:39 and 14:06:04.

Internet archive logs several pieces of information when you upload a file, and recorded that:

  • The uploader used the e-mail address [email protected][.]de
  • Two machines were used to upload the files - one was Windows 8.1, the other Windows 10
  • Both machines have the language of their browser set to US English

macronleaks uploads on Internet Archive

The files remain available on the Internet Archive. They often take time to remove files and were even banned in Russia for not taking down extremist content promptly.

Friday Night: The Cache is Shared and Spread

At 17:37 the US alt-right fringe news site "Disobedient News" tweeted:

(Note the time is 5:37 PM when in UTC)

This was twenty minutes before the links to the archives were posted on Pastebin. Disobedient News was also the first to tweet links to the archives after they were shared on 4Chan, and have been linked to being key to spreading the news.

At 17:59 the links to the files on internet archive were posted to Pastebin and then shared on 4Chan 30 minutes later:

This time the post is from an IP address in the US, unlike the other posts which were from an IP in Latvia. The poster says the documents were "passed on" to them that day, and that they were trying to share them with Wikileaks but they were "too slow".

A possible reading of the timeline is that the attackers uploaded the files to internet archive, then another party spread the information on 4Chan and elsewhere.

What next?

The impression on the 4Chan boards, the so-called "armpit of the internet", is that this is all a game.

But the effects of repeated attacks against political parties is serious. It's unlikely those orchestrating these attacks would have the best interests of those happily spreading their output at heart.

The French elections will be over Sunday, but it's unlikely these types of attacks will be. Related attacks targeting German political parties for the upcoming German elections have already been identified.

Chris Doman

About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.
Read more posts from Chris Doman ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL CHAT