French citizens will take to the polls on April 23rd to vote for a new president. If, as expected, no candidate wins a majority, then a run-off election between the two top candidates will be held on May 7th. Since reports of network intrusions against political parties during the 2016 United States presidential election surfaced last year, it has become customary that any analysis of an upcoming western political election forewarns of the threat of foreign nation-state interference.

In the French case, intelligence sources claimed in January that Kremlin-backed actors were conducting an influence campaign in favor of Marine Le Pen of the Front National, while discrediting her competitors, particularly the pro-EU and centrist candidate Emmanuel Macron. Macron’s camp have pointed to media reports from Russian news outlets as examples of “fake news”. They have also claimed to have been subjected to numerous cyberattacks against their campaign systems, though these remain unconfirmed.


Figure 1: Sputnik article referred to by Macron camp as “fake news” [Source: Sputnik]

Although we have yet to detect any confirmed examples of cyberattacks (or influence operations?) associated with the French election, we can look back at activity seen during previous elections – particularly those in the United States and Netherlands – as useful indicators for the type of activity we can expect.

1. Network intrusions

Actors may choose to target political parties or government organizations in similar ways to the reported network intrusions against the Democratic party in the United States. Moreover, large financial bodies may be targeted given their pivotal role in the French economy and, by extension, any future policy decisions by the French president, particularly in light of the uncertainty surrounding France’s membership in the European Union.

Network intrusions would likely be conducted for intelligence-gathering purposes, potentially with a view to releasing sensitive information publicly as part of an influence operation designed to discredit a political candidate. Based on previous examples of network intrusions we have observed, social engineering and spear-phishing continue to be the most successful vectors of attack – a trend that was assessed as highly unlikely to change for the foreseeable future.

2. Public data leakage

An ideologically motivated actor may attempt to release sensitive or confidential information, citing freedom of information and the fulfilment of a public service. Obtaining information for the purposes of public data leakage can be achieved in a variety of ways, including phishing and social engineering attempts, network intrusions and data exfiltration, inadvertent exposure through public-facing databases and applications, or even document theft by insiders.

In Feb 2017, it was reported that WikiLeaks founder Julian Assange had claimed to be in possession of information that could potentially damage the election prospects of Emmanuel Macron. Assange claimed the information had been obtained from the cache of emails belonging to Hillary Clinton. It was not known whether WikiLeaks planned to release this information, though this was assessed as likely given Assange’s public overtures.

3. Hacktivism

Hacktivist actors are most often motivated by public attention, either for themselves or the issues they claim to represent. Hacktivist attacks generally take the form of DoS attempts, website defacements and public data leaks achieved through techniques such as SQL injection. In addition to this, other tactics included “tweet storms” (a method whereby tweets from multiple Twitter accounts sympathetic to an ideology would direct messages at certain targets, or attempt to start a trend on social media platforms) and other attempts to raise awareness of a cause on social media. At the time of writing we did not detect any hacktivist campaigns established specifically for the 2017 French elections.

4. False media reporting

The dissemination of false information might allow threat actors to influence public opinion or discredit a particular candidate. Such activity would likely occur across a wide variety of media including established online publications, spoof news sites, or through fake social media profiles on LinkedIn, Facebook and Twitter. The South American hacker Andrés Sepúlveda, for example, was reportedly responsible for a series of covert influence campaigns across elections in Latin America. Sepúlveda and his team purportedly managed thousands of fake profiles on social media to shape the discussion around political topics and even hack the cell phones and emails of candidates.

On 02 Mar 2017, the Belgian newspaper Le Soir claimed it had been the victim of plagiarism after an impersonation of its website published an article alleging that Saudi Arabia was financing Emmanuel Macron’s campaign. The false article claimed to be a dispatch from Agence France-Presse, appearing on the domain lesoir[.]info, a typo-squat of the legitimate lesoir[.]be.


Figure 2: False Le Soir article retweeted by the official Twitter account of Marion Le Pen, member of Front National [Source: CrossCheck]
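The lesoir[.]info impersonation above is the kind of look-alike a brand-monitoring check can surface. The following is an added example, not part of the original article: it flags TLD swaps, hyphenation variants and single-character typos against a list of legitimate domains. The feed is constructed sample data, and the registrable domain is approximated as the last two labels (an assumption; no public suffix list is used).

```python
import re

def refang(domain):
    """Undo common defanging ([.] and hxxp://) and normalise case."""
    d = domain.strip().lower().replace("[.]", ".")
    d = re.sub(r"^(hxxps?|https?)://", "", d)
    return d.split("/")[0].strip(".")

def registrable(domain):
    """Return (label, tld). Assumption: the last two labels are the registrable domain."""
    parts = refang(domain).split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, legit_domains):
    """Return 'tld-swap', 'hyphenation', 'typo', or None if the candidate is not a look-alike."""
    c_label, c_tld = registrable(candidate)
    hits = []
    for legit in legit_domains:
        l_label, l_tld = registrable(legit)
        if (c_label, c_tld) == (l_label, l_tld):
            return None  # the legitimate domain itself, or a subdomain of it
        if c_label == l_label:
            hits.append("tld-swap")
        elif c_label.replace("-", "") == l_label.replace("-", ""):
            hits.append("hyphenation")
        elif len(l_label) >= 4 and edit_distance(c_label, l_label) <= 1:
            hits.append("typo")
    return hits[0] if hits else None

def scan(feed, legit_domains):
    """Map each flagged (refanged) domain in the feed to the reason it was flagged."""
    flagged = {refang(d): classify(d, legit_domains) for d in feed}
    return {d: why for d, why in flagged.items() if why}

# Constructed feed: only lesoir[.]info and lesoir.be come from the article.
LEGIT = ["lesoir.be"]
FEED = ["lesoir[.]info", "www.lesoir.be", "le-soir.be", "lesoiir.be", "example.org"]

if __name__ == "__main__":
    for domain, reason in scan(FEED, LEGIT).items():
        print(f"{domain}: {reason}")
```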

While it remains to be seen if many of the above scenarios materialize, the threat of increased cyber activity during election periods is one that organizations with ties to government or political institutions will have to consider for the foreseeable future. As such, organizations can help protect themselves through several methods.

  1. For starters, adequate phishing training can help mitigate against cases of network intrusion and public data leaks, as social engineering and phishing attempts were assessed to be the most likely, though not the only, vectors of attack.
  2. Other measures include properly securing public-facing applications, monitoring for suspicious activity that may be indicative of a company insider threat, identifying instances of fake or spoofed social media profiles, and tracking the emergence of hacktivist actors and dedicated campaigns.