Russian Hackers Said to Target French Presidential CandidateTactics Used to Influence Vote Seen as Means to Extort Businesses
The purported hacking of computers linked to the campaign of French presidential candidate Emmanuel Macron, supposedly by the same Russian group that breached IT systems tied to Hillary Clinton's U.S. presidential campaign last year, signifies an expansion of the goals of these and other attackers that extend beyond trying to influence the outcome of foreign elections.
The attacks on political parties in the United States, France, Germany and other nations, ostensibly by the Russian hacking group tied to the Kremlin known as APT28, seek to collect damning or embarrassing details about candidates to damage their campaigns for high office. The disparaging data can be spread through traditional and social media.
"We live in a hyper-connective world, where reputation is critical to companies and organizations."
Trend Micro Chief Cybersecurity Officer Ed Cabrera said in an interview that these tactics also could be employed against non-political entities, especially businesses, to harm the victims' reputations.
"We live in a hyper-connective world, where reputation is critical to companies and organizations," said Cabrera, whose company - an IT security software maker - published a report this week on the Russian hacking group targeting Clinton and Macron. "Anywhere you can actually disrupt or damage somebody's reputation, for dollars or cents or effecting elections," hackers will continue to exploit the situation.
These types of hacks should be disconcerting to IT and IT security practitioners because they muddle the concept of trust, an important element of cybersecurity. "There are some fundamental issues about trust that have been exposed and we need to investigate, how we communicate with each other, how we determine what is a trusted source, what is trusted information," said Gene Spafford, a Purdue University computer science professor with courtesy appointments as professor of communications, philosophy and political science.
70 Organizations Targeted
The Trend Micro report identified more than 70 organizations since 2013 targeted by Pawn Storm, its name for APT28, using phishing schemes. The most recent ones occurred March 15 and April 5, against the Macron campaign and Konrad Adenauer Stiftung, a German political party, respectively. Besides political organizations, Trend Micro identified foreign militaries, defense ministries, defense contractors, media outlets, academia and government agencies targeted by Pawn Storm.
Macron, a political moderate running as an independent, captured 24 percent of the vote in last Sunday's first-round of France's presidential election, with the far-right candidate Marine Le Pen garnering 21.3 percent of cast ballots. They face a runoff election on May 7.
To create political havoc in the West, Russian President Vladimir Putin is believed to support Le Pen over Macron, as he purportedly backed Donald Trump over Clinton in the U.S. presidential election. The Trend Micro report gives credence to that perception as the Kremlin seeks to influence the French election outcome as it tried to sway the American election last fall.
Refining Existing Tactics
Trend Micro's Cabrera said Pawn Storm isn't using new tactics but refining existing ones such as spearphishing.
The group also employs decoy phishing domains with URLs similar to real ones. The Trend Micro report identified one of those fake sites as onedrive-en-marche.fr, it's URL based on Macron's political organization called En Marche.
Trend Micro identifies one of the tactics Pawn Storm uses as "tabnabbing," a term coined in 2010 by security researcher and interface designer Aza Raskin. Tabnapping coaxes users to submit their credentials by impersonating other and often popular sites, such as one operated by the Macron campaign.
The attack exploits user trust and inattention to detail in regard to browser tabs, and the ability of modern web pages to rewrite tabs and their contents after the page is loaded. Unlike most phishing attacks, tabnapping doesn't require users to click on an obscured link but instead loads a fake page in one of the open tabs in a browser. After clicking the tab, the page asks the user to re-login, allowing the hacker to steal the user's credentials.
Persistence Pays Off
"Their sophistication is only as high as it needs to be," Cabrera said of Pawn Storm. "This group over the years has shown more in its creativity and persistence, not only finding new ways to go after their intended targets, but also the time to find what could possibly work, and going at it in many different directions."
Data pilfered by the hackers could be used to extort money from businesses. "We're seeing a shift to publicly outing companies that they're extorting," Cabrera said. "Now with these faster attacks, they're a hit to an organization's brand. They know that they can create criminal lines of business around monetizing this type of fear of brand attack."