The campaign team of French presidential candidate Emmanuel Macron says it has been the victim of a “massive and co-ordinated” hacking operation ahead of Sunday’s election.
Around nine gigabytes of data were posted online to Pastebin, a document-sharing site that allows anonymous posting. It was not immediately clear who was responsible for releasing the files.
The documents, posted on Friday night, appeared to contain details of emails and financial data from Mr Macron’s En Marche! campaign. Publication of the documents by the media could lead to criminal charges as the campaign has formally ended.
“The En Marche! movement has been the victim of a massive and co-ordinated hack this evening which has given rise to the diffusion on social media of various internal information,” the Macron campaign said.
Campaign officials said the leaked documents merely revealed the normal functioning of a presidential campaign, but that authentic documents had been mixed with fake ones to sow “doubt and misinformation”.
That was backed up by France’s election campaign commission, which said the leaked data had been fraudulently obtained and that it could be mixed with false information.
While the source of the leak was unclear, security experts quickly pointed to the Russian hacking group known as APT 28 — believed by western intelligence officials to be an arm of the GRU, the Kremlin’s military intelligence agency — as the likely perpetrator of the attack.
“Right now, based on what we have done in terms of our investigations in the last few months and based on other information from the cyber community, this is clearly the kind of methodology used by APT 28,” said David Grout, Paris-based director of systems engineering at FireEye, the cyber security firm which has most closely studied the Russian hacking group’s activities.
“It’s a little bit too early to definitively say it’s them — there needs to be more forensic work — but the approach is exactly the same . . . it’s a pure [copy] of what happened with Hillary Clinton and the Democratic party in the US.”
The hacking is just the latest twist in France’s most unconventional presidential campaign since the second world war, which has seen the collapse of the mainstream political parties and one candidate hobbled by embezzlement allegations.
Mr Macron is the clear favourite to beat Marine Le Pen in the election on Sunday, with the latest polls on Friday giving him a lead of 23 points. His lead has increased in recent days after a strong debate performance on Wednesday night.
On Friday night, as the #Macronleaks hashtag started to spread on Twitter, some in Ms Le Pen’s National Front party expressed optimism that the leak could help their chances.
Florian Philippot, deputy head of the FN, tweeted “Will Macronleaks teach us something that investigative journalism has deliberately killed?”
Sylvain Fort, the spokesman for Mr Macron, called Mr Philippot’s tweet “vile” in a response on Twitter.
On Friday night, WikiLeaks, the group founded by Julian Assange — responsible for a series of leaks in recent years — tweeted: “A significant leak. It is not economically feasible to fabricate the whole. We are now checking parts.”
The US intelligence community has repeatedly blamed APT 28 for the hacking and leaking of emails from the Democratic Party in an operation designed to subvert the US presidential election last year.
Mr Grout said there were nonetheless a number of interesting ways in which the Macron campaign attack was different. “The timing of the leak raises a lot of questions.”
Security experts see the attack against Mr Macron’s campaign as being uncharacteristically hasty: its work against the Democratic campaign in the US and intrusions into other institutions were months in the making.
Western intelligence officials and analysts are wrestling with a number of competing theories.
One interpretation suggests the lateness of the leak is a tactical mis-step on the hackers’ part — or else is evidence of their inadequate planning for a Macron candidacy.
A British intelligence official said Mr Macron’s rapid rise to prominence had caught the Kremlin off guard. Russian intelligence appeared to have previously de-prioritised the French elections, he said, because it had assumed both frontrunners would be broadly sympathetic to Russian interests.
A second theory is that the leak is not intended to actually derail Mr Macron’s campaign, but rather to more broadly weaken the credibility of the whole electoral and presidential system by sowing doubt and discord.
A third theory is that timing the leak to occur right before the news blackout was perfectly deliberate: while francophone mainstream media will be unable to publish fact-based reporting on the leaks, conspiratorial stories generated elsewhere on the web and propagated through fake-news channels will populate social media channels such as Facebook and Twitter.
Mr Grout said analysts were tracking the spread of fake news stories about Mr Macron linked to the leaks through a number of known social-media troll networks.
“We’ve already seen, since about 1am last night, the systematic propagation of content linked to the leaks. It looks like some of the material is originating on the dark web, and from there it spread to the 4chan forum.
“And from there it spread out to several big Twitter accounts.” Many of those accounts, said Mr Grout, are pro-Trump, and have been previously linked to the dissemination of material leaked by APT 28.
Various media reported that the #MacronLeaks hashtag was first spread by Jack Posobiec, a pro-Trump activist whose Twitter profile identifies him as Washington DC bureau chief of the far-right activist site Rebel TV.
In recent months, APT 28 has ramped up its efforts to compromise the computer networks of European political parties, intelligence officials have previously told the Financial Times.
According to cyber security company Trend Micro, which published a report on the group’s activities earlier this month, APT 28 began so-called phishing and watering hole attacks against the Macron team in March.
Mr Macron’s campaign has previously accused Russia and its state-owned media of using hacking and fake news to interfere with the presidential race.
Moscow has consistently denied interfering in foreign elections or any connection to APT 28.
But Russia has been open about its sympathies for Ms Le Pen, who advocates closer ties, an end to EU sanctions enforced following the invasion of Ukraine, as well as the withdrawal of France from Nato.
The FN leader had a public meeting with Russian president Vladimir Putin earlier this year, and Russia’s state media, including French and English-language channels, have been producing content in support of her candidacy for weeks.
The group APT 28 perpetrated a number of high-profile, boundary-busting digital assaults on western targets before its penetration of the Democratic Party, the most notable of which occurred in France.
In April 2015, the group launched operations against the leading French satellite broadcaster TV5Monde, aimed at destroying the company.
The group came close to succeeding — and was thwarted only after an off-duty technician who happened to be working late recognised the attack and physically pulled a plug from the wall to the server through which it was being routed.
The group is also responsible for dozens of attempts to compromise the computers and personal accounts of senior diplomats and military officials working for Nato — and has more recently turned its sights on EU institutions too.