17th Mar 2018


Lessons for Germany from the Macron hack

  • Sirota said phishing "is the new reality of political campaigning" (Photo: The Preiser Project)

The way the Macron team defended itself against hackers contained lessons for other political parties in Europe, but experts do not agree on whether Russia did it.

Hackers tried to sway the French elections last weekend by leaking thousands of emails online that had been stolen from the campaign team of Emmanuel Macron, the incoming French president.


  • Yampolskiy: "If you've done nothing bad, you've got nothing to hide" (Photo: Matthew Klein)

Speaking on French radio on Monday (8 May), Macron’s IT chief, Mounir Mahjoubi, said the attackers stole the contents of five email inboxes, including from the team’s chief financial officer.

He described one attack as being an email that was purportedly sent from their own press officer which said: “Some recommendations when you talk to the press, download this file as an attachment”.

The file contained malware, but the attack failed because the hacker’s verbal style was too dry.

“She never writes to us like that, this press officer,” Mahjoubi said.

He said the stolen files contained “jokes … tens of thousands of invoices from suppliers … organisation of events,” but “no secrets”.

He also said they contained “fake emails” and “information that we ourselves had sent in counter-retaliation for phishing [hacking] attempts”.

France’s cyber security service, the ANSSI, and public prosecutors and police in Paris are investigating who did it.

But suspicion surrounds Russia, which was already accused of attempting to hack Macron earlier in the campaign and of having hacked German MPs in the run-up to the German elections in autumn.

Aurelien Lechevallier, Macron’s foreign policy adviser, told the Politico news website that France would strike back against such attacks in future.

“We will have a doctrine of retaliation when it comes to Russian cyberattacks or any other kind of attacks”, he said.

Hans-Georg Maassen, a German spy chief, said last week that Germany was also preparing to strike back.

“It is necessary that we are in a position to be able to wipe out these servers [foreign IT systems that store stolen information] if the providers and the owners of the servers are not ready to ensure that they are not used to carry out attacks”, he said.

Honey pots

EUobserver spoke to two US cyber security experts who said the way Mahjoubi handled the attacks contained lessons for German or other political parties in Europe.

Dimitri Sirota, the CEO of the New York-based firm BigID, said Mahjoubi was “smart” because he “added noise” to the real information that was available within his systems.

“Creating dummy data is smart because it provides you with the ability to both trace and discredit the leaker”, he said.

He said Mahjoubi also appeared to have used “honey pots” - fake targets designed to attract attacks, containing data that “compromised the attacker”.

Sirota added that political parties should get used to Macron-type attacks in future.

So-called “phishing” targets individuals with fake websites or emails designed to steal their passwords, as opposed to broader attacks designed to bypass firewalls or other cyber defences.

Sirota said that most data was now stored in “clouds,” which are managed by large IT firms such as Yahoo or Google, so that non-phishing hacks would have to penetrate the IT giants’ defences to succeed.

“This [phishing] is the new reality of political campaigning”, he added.

Aleksandr Yampolskiy, the head of the New York-based firm SecurityScorecard, also said Mahjoubi was “clever” because he used “deception technology,” instead of relying on old-fashioned “reactive technology”, such as firewalls or intrusion detection systems.

“You want to shift the cost from the defender to the attacker”, he said.

“You can leave the doors unlocked, but once they get in, they don’t know which documents are real and which ones are fake”, he said.

“If you mix fake dollar bills with real ones, and only you know which is which, it becomes more expensive for the attacker to check which ones to grab”, he said.

He said German political parties should coach their people on “social engineering” and should register internet domain names similar to their own.

Social engineering refers to hackers’ use of people’s personal information, for instance from Facebook, to make phishing attacks more convincing.

Squatting on similar domain names prevents attackers from using lookalike sites to steal passwords.
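The dummy-data idea described by Sirota and Yampolskiy can be sketched in code. The following is an added example, not code from the Macron team or from the article: each decoy document carries a keyed tag that only the defender can verify, so a leaked dump can be split into planted fakes (traced to the mailbox they were seeded in) and everything else. The key, mailbox addresses, reference format and sample documents are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a secret held only by the defending team (constructed value).
KEY = b"constructed-demo-key"
REF = re.compile(r"Ref: INV-(\w+)-([0-9a-f]{16})")


def canary_tag(mailbox: str, doc_id: str, key: bytes = KEY) -> str:
    """Keyed tag binding a decoy document to the mailbox it was planted in."""
    mac = hmac.new(key, f"{mailbox}|{doc_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def make_decoy(mailbox: str, doc_id: str, body: str, key: bytes = KEY) -> str:
    """Decoy whose reference number looks ordinary but carries the tag."""
    return f"Ref: INV-{doc_id}-{canary_tag(mailbox, doc_id, key)}\n{body}"


def classify_leak(docs, mailboxes, key: bytes = KEY):
    """Split a leaked dump into decoys (traced to a mailbox) and the rest."""
    decoys, unmarked = {}, []
    for i, text in enumerate(docs):
        m = REF.search(text)
        source = None
        if m:
            doc_id, tag = m.groups()
            for box in mailboxes:
                # Constant-time comparison of the leaked tag with ours.
                if hmac.compare_digest(tag, canary_tag(box, doc_id, key)):
                    source = box
                    break
        if source:
            decoys[i] = source
        else:
            unmarked.append(i)
    return decoys, unmarked


# Constructed sample data: two planted decoys and one genuine-looking invoice.
MAILBOXES = ["finance@campaign.example", "press@campaign.example"]
LEAK = [
    make_decoy("finance@campaign.example", "20417", "Payment to supplier X"),
    "Ref: INV-1000-0123456789abcdef\nCatering for rally",
    make_decoy("press@campaign.example", "20418", "Draft statement"),
]

if __name__ == "__main__":
    print(classify_leak(LEAK, MAILBOXES))
```

Without the key, the tagged reference numbers are indistinguishable from ordinary ones, which is the cost shift Yampolskiy describes: the defender can sort the dump in one pass, while the attacker has to vet every document by hand.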


Flashpoint, another US cyber security firm, told the Reuters and Bloomberg news agencies over the weekend that the Macron attack appeared to have been carried out by Russia.

It declined to give further details when contacted by EUobserver.

Sirota said it looked like Russia did it because the country had used similar methods in the US election last year and because it had also tried to harm Macron in overt ways, such as via Russian state propaganda.

“If it looks like a duck, walks like a duck, and quacks like a duck, it’s probably a duck”, he said.

Yampolskiy and other experts were more cautious, however.

With Macron also targeted by far-right activists in the US and UK, Yampolskiy said the attack was not that hard to do.

“You would not need sophisticated state machinery to do this - just one or two people with phishing expertise could pull it off”, he said.

He said the fact that some of the documents contained Russian names in their metadata did not mean that Russia did it because that kind of information was easy to plant in order to try to confuse investigators.

“If you come back from work and you see your window broken, you walk inside and you see a business card that says ‘Aleksandr Yampolskiy’ - it doesn’t mean that it was me”, he said.

He added that investigators should publish all the details of the attack so that cyber security experts could conduct a “peer review” of their findings, in the same way that scientists treat each other’s research in academia.

Trend Micro, a Japan-based firm which linked Russia to earlier French and German hacks, also said the evidence in this case was inconclusive.

“The techniques they’ve [the Macron attackers] used in this case seem to be similar to previous [Russian-linked] attacks. [But] without further evidence, it is extremely difficult to attribute this hack to any particular person or group”, Trend Micro said in a statement to EUobserver on Tuesday.

Strike back?

Amid the lack of certainty, Sirota and Yampolskiy said talk of striking back at Russia or other suspects was premature.

Sirota said “the amount of evidence you would need to go on the offensive would be quite significant”.

“Unless you’re absolutely certain, it’s hugely risky for a country to do that”, he said.

Yampolskiy said the “hack-back” approach was too dangerous because it could achieve nothing and could start a cyber war.

Destroying foreign-based servers, he said, could not guarantee that the stolen information had not been copied and also stored elsewhere.

“If you go after servers in foreign countries, make sure you don’t live in a glass house”, he added.

“Think about the reaction. The [cyber] infrastructure that we operate, at least in the US, is pretty vulnerable … government infrastructure in many countries is not in good shape. If we could do it to them, think what they could do to us”.

Yampolskiy said one other way for politicians to protect themselves against leaks of compromising material was not to compromise themselves in the first place.

"If you've done nothing wrong, you've got nothing to hide", he said.
