It's been a very familiar feeling reading about the documents leaked to impact the elections in France tomorrow.
Often the best defence is to have a proper understanding of what has happened. A quick draft timeline of events from an analysis of document
meta-data and forum posts is below.
It appears they were registered in two stages - first in the middle of March, then more in the middle of April. The links between these attacks and
others in the US elections are strong. I haven't seen a definitive link that the documents leaked yesterday were the result of these attacks in March
and April, but it seems a likely scenario.
These were edited by a Russian language version of Microsoft Excel. About half recorded a user named "Рошка Георгий Петрович / Roshka Georgy
Petrovich" performing the edits.
It's suspicious that these documents, some of which were created over ten years ago, were all edited so recently during the same 4 minutes. It
suggests the edits may be following their theft, not before.
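The kind of check described above (reading who last edited an Office file and when, then asking whether a batch of old documents was all touched inside one short window) can be automated against the document properties that OOXML files carry. This is an added example, not code from the original post; the files, names and timestamps below are constructed, and the detection threshold is an assumed value.

```python
"""Added example: pull creator/last-modified-by and timestamps from OOXML
core properties, then flag batches whose 'modified' stamps cluster within
a few minutes although their 'created' dates are years apart."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by docProps/core.xml in .xlsx/.docx packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def read_core_props(data: bytes) -> dict:
    """Parse docProps/core.xml out of an OOXML zip into a small dict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None
    def stamp(s):  # W3CDTF values in core.xml are UTC ("...Z")
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"creator": text("dc:creator"),
            "last_modified_by": text("cp:lastModifiedBy"),
            "created": stamp(text("dcterms:created")),
            "modified": stamp(text("dcterms:modified"))}

def edits_clustered(props: list, window_minutes: int = 5) -> bool:
    """True when every 'modified' stamp falls inside one short window (assumed threshold)."""
    mods = sorted(p["modified"] for p in props)
    return (mods[-1] - mods[0]).total_seconds() <= window_minutes * 60

def make_sample(creator, editor, created, modified) -> bytes:
    """Build a minimal constructed OOXML zip holding only docProps/core.xml."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{editor}</cp:lastModifiedBy>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed batch: created years apart, all edited within four minutes.
SAMPLES = [make_sample("alice", "editor-x", "2007-03-01T09:00:00Z", "2017-05-05T14:30:00Z"),
           make_sample("bob", "editor-x", "2012-11-20T16:45:00Z", "2017-05-05T14:32:00Z"),
           make_sample("carol", "carol", "2016-01-05T08:00:00Z", "2017-05-05T14:34:00Z")]
PROPS = [read_core_props(s) for s in SAMPLES]
```

Run over a real dump, the same two functions surface which files share a `last_modified_by` value and whether their edit times cluster the way the post describes.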
Before linking any individual to these attacks, though, it's important to note:
Similar previous mail dumps have included a mix (https://twitter.com/RidT/status/860769446083911681) of real and fake information, and the
Macron campaign have also said that the dump is a mix of real and fake documents. It's important to keep that in mind – particularly when you see
e-mails in the dump suggesting that politicians have bought drugs online.
These suggested that Macron had secret bank accounts. The post was made by a user from a Latvian IP. The geolocation is likely incorrect and the
“Latvian” poster themselves said they were connecting through proxies from another location.
The documents were picked up by fringe news sites quickly, and Le Pen made (https://www.theguardian.com/world/2017/may/04/emmanuel-macron-files-complaint-over-marine-le-pen-debate-remark) similar claims during the live debate against Macron that night.
It wasn't long before some suggested the documents looked like they had been photo-shopped
(https://twitter.com/TurcanMarie/status/860038174579576833). The "Latvian" poster claimed the problems were due to how the copies were
obtained - by taking photos of the documents "in a short window perhaps only a couple minutes long" with "covert physical access".
https://cybersecurity.att.com/blogs/labs-research/macronleaks-a-timeline-of-events 1/4
15/03/2020 MacronLeaks – A Timeline of Events | AT&T Alien Labs
Meta-data (https://bivol.bg/en/canon-for-macron.html) of the documents showed they were scanned by two very expensive printers around the
same time, at 08:22 that Wednesday morning (all times in this post are in UTC). This could match two people working in an office. The time zone of the
scans was set to UTC-4 - which would in fact match a bank in the Caribbean. This could be a legitimate timestamp of when they were scanned, fake
information, or left in despite later edits.
Ominously, they referred to what were likely the documents that came out later that day, providing evidence that the leaks of documents on Wednesday
and Friday were by the same people:
"We will soon have swinet logs going back months and will eventually decode Macron's web of corruption"
"Also if Macron wins we're gonna have to organize and make things happen. The French scene will be at nouveaumartel.com later."
This has possible parallels to the US elections. Many saw the leaked documents then as attempts to weaken Hillary Clinton had she won as expected
- as much as to reduce the chances of her election. Currently the site nouveaumartel[.]com (registered in November 2016) is empty. The "Latvian"
poster responded directly to suggestions they were Russian:
"I am not Russian. I have never been to Russia. I do not speak Russian”
Internet archive logs several pieces of information when you upload a file, and recorded that:
The files remain available on the Internet Archive. They often take time to remove files and were even banned in Russia for not taking down
extremist content promptly.
This was twenty minutes before the links to the archives were posted on Pastebin. Disobedient News was also the first to tweet links to the archives
after they were shared on 4Chan, and have been linked (https://medium.com/dfrlab/hashtag-campaign-macronleaks-4a3870c4e8) to being
key to spreading the news.
At 17:59 the links to the files on the Internet Archive were posted to Pastebin (http://archive.is/eQtrm) and then shared on 4Chan 30 minutes later:
This time the post is from an IP address in the US, unlike the other posts which were from an IP in Latvia. The poster says the documents were
"passed on" to them that day, and that they were trying to share them with Wikileaks but they were "too slow".
A possible reading of the timeline is that the attackers uploaded the files to the Internet Archive, then another party spread the information on 4Chan
and elsewhere.
What next?
The impression on the 4Chan boards, the so-called "armpit of the internet", is that this is all a game.
But the effects of repeated attacks against political parties are serious. It's unlikely those orchestrating these attacks have the best interests
of those happily spreading their output at heart.
The French elections will be over Sunday, but it's unlikely these types of attacks will be. Related attacks targeting
(http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks/)
German political parties for the upcoming German elections have already been identified.
About the Author: Chris Doman, AlienVault (https://cybersecurity.att.com/blogs/author/chris-doman)
I've had a long interest in security, but joined the industry after winning the civilian section of the
Department of Defense's forensics competition. I run a popular threat intelligence portal
(ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a
degree in Computer Science from the University of Cambridge.