At least as early as February, France’s intelligence agency warned that Russia aimed to influence the presidential elections in favor of the Front National candidate, Marine Le Pen. Throughout the spring, there were already indications of bots and false amplifiers spreading disinformation about Emmanuel Macron. Election watchers braced for some sort of data dump to dramatically influence the election. But it never came. Then, just 48 hours prior to the election, and just an hour before France’s media blackout, Macron’s campaign reported a 9GB breach, with Russia as the main suspect. While this cyber attack has garnered the most attention, it is important to highlight that data breaches are just one component of Russia’s multi-pronged information security strategy. Information operations comprise more than just a cyber attack, and equating the two has been detrimental to defenses and response strategies. A brief summary of the influence operations targeting Macron’s campaign in the lead-up to the French elections, and the data dump this weekend, provides a useful case study as targeted cyber attacks and influence operations threaten to destabilize democracies across the globe.
Information Operations != A Hack
Influencing an election and hacking a campaign are related but distinct, and the difference matters because it shapes how organizations prepare their defenses. Definitions could add great clarity, and are essential well beyond wonky semantic debates on the Hill. Facebook’s recent paper on information operations is a very useful starting point, and defines (page 5) information operations as, “Actions taken by governments or organized non-state actors to distort domestic or foreign political sentiment, most frequently to achieve a strategic and/or geopolitical outcome. These operations can use a combination of methods, such as false news, disinformation, or networks of fake accounts (false amplifiers) aimed at manipulating public opinion.” The only reference to hacking is account hacking, and the authors avoid semantic laziness by providing the concrete parameters of the various aspects of influence operations, additionally defining false news, false amplifiers, and disinformation. With its large role as a social media platform, Facebook is in a unique position to help provide clarity to a broader audience, which is desperately needed.
Facebook’s taxonomy is also fairly consistent with U.S. military doctrine, which views cyberspace as a domain within the information environment, with cyberspace operations as just one of many information-related capabilities used to achieve the desired objective. Cyberspace increasingly is the medium in which information operations occur. When it comes to cyber attacks, the National Institute of Standards and Technology defines a cyber attack as, “An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.” These are useful distinctions when looking at the nuanced and varied objectives of adversaries.
Information operations are multi-faceted efforts to influence, and similarly attackers possess a range of objectives when conducting cyber attacks. At times they are mutually exclusive, such as when IP theft occurs for espionage (cyber attack, but not an information operation), or when bots spread disinformation (information operation without a cyber attack). Since the United States presidential election, there continues to be a constant flow of reports and articles decrying election hacking. Most of these reports conflate information operations and cyber attacks. There has yet to be evidence of tampering with any voting devices, but there were the infamous compromises of DNC and DCCC emails, which do constitute a cyber attack. Most also agree that Russia did attempt to influence the US presidential election, just as it had done previously elsewhere, as part of an information operations campaign.
Unfortunately, when discussing current events, these semantic nuances are lumped together for simplicity, conflating a broad range of information operations activities as a ‘hack’. This not only perpetuates theoretical underdevelopment within the community, but it hinders advancements in defenses and incident response planning. It also impacts policies, which in the United States at least, are often several decades old and could greatly benefit from modernization.
Modus Operandi for Information Operations
How do the various aspects of information operations work together and what role do cyber attacks play? The French election provides a useful heuristic to explore some of the key aspects of multi-faceted information operations campaigns, such as those linked to Russia.
Cyber Attacks
For months prior to the election, Macron had been accusing Russia of attempting to compromise his campaign, but never provided evidence. Understanding that his pro-EU stance made him a likely target of Russian information operations, Macron’s campaign took information security seriously and remained on high alert. In late April, a Trend Micro report described how a Russian group (which they dub Pawn Storm, also known as APT 28, Fancy Bear and several other aliases) created fake websites to harvest credentials. Macron’s digital chief confirmed the attempted intrusions, but also said that they were thwarted. Just over a week later, and within hours of the election, Macron’s campaign confirmed a massive breach of internal communications. Targeted attacks such as this for data exfiltration, destruction, or a number of other objectives are only increasing.
Bots as False Amplifiers
For information operations, the computer attacks alone are generally not sufficient if they do not reach a broad audience. By one estimate, over this past weekend, 40% of #MacronGate tweets were produced by 5% of the accounts. #MacronLeaks reached 47,000 retweets in the first three hours following news of the hack. This amplification online helped move the meme from the United States to France, which, by law, was entering a moratorium on commentary on the French election. Even before the hack, Macron was targeted by social bots. The Digital Forensic Research Lab articulated how Russia was using bots as false amplifiers against the Macron campaign, greatly expanding the reach of the French-language versions of Russian state-sponsored news outlets Sputnik and Russia Today. According to their analysis, this amplification is not an anomaly, but has persisted for at least six months.
False News & Disinformation
Disinformation campaigns are nothing new. However, thanks to bots, social media, and the apparent appeal of clickbait, false news and disinformation are reaching a broader audience and finding more success in today’s tech and social environment. For instance, Sputnik’s French-language version, under the auspices of fair reporting, repeatedly published biased reporting against Macron or in favor of Le Pen. RT and Sputnik ramped up negative coverage of Macron as the race drew closer, including unsupported allegations about his personal life and portrayals of him as an agent for the US banks. Finally, following the final presidential debate, Macron filed a lawsuit against the false information presented by Le Pen during the debate. She failed to provide any evidence, which demonstrates that as the respective parties and their leadership reiterate false information and treat it as a truism, it increasingly becomes accepted.
Preparing for Targeted Attacks
How organizations prepare for and respond to targeted attacks can greatly impact the extent of the damage. Understanding the attacker, and their objectives, is a first step as there are often lessons learned to help inform a baseline defense. For instance, the French broadcasting company, TV5Monde, was almost destroyed in 2015 by a digital attack. First attributed to ISIS, the highly targeted attack, which included wiper malware to destroy the company’s systems, has been linked to a Russian group (the same APT 28). Moreover, lessons learned from Russian information operations during the U.S. elections also served as a guidepost as to how they combine cyber attacks, bots and false information. Organizations - especially political campaigns - must be aware that targeted attacks are eventually going to result in a compromise, and be prepared to remediate through both technical response as well as public relations (for the private sector) or policy (for the public sector) responses.
With that backdrop in mind, the French government and the Macron campaign both remained on heightened alert throughout the election. From suspending overseas electronic voting to Macron’s preemptive warnings that his campaign was under attack, the French public was well aware of the chances of a data breach, as well as wary of the intent of the attackers. The media also adhered to a blackout, limiting the reporting of the data dump that has been perceived as nothing (to date) out of the ordinary. As for the Macron campaign itself, they were well aware of the spearphishing approach and fake websites established to harvest credentials, and extremely confidential information was not sent via email. As the eleventh-hour data dump illustrates, targeted attackers eventually find a way in, and thus remediation must also be in place. This may have even included planting false documents, about which more information is likely to emerge confirming or refuting this speculation.
For campaigns and governments, modernization of outdated policies is essential to tackle the range of cyber attacks and information operations. Following the compromise of emails, the French electoral commission noted that the dissemination of that information is liable to classification as a criminal offense, which also helped contain the information to less respected sources. Current President François Hollande also vowed a response to the attack, but has yet to clarify what that may entail. Macron similarly vowed retaliation, and his foreign policy advisor warned, “We will have a doctrine of retaliation when it comes to Russian cyberattacks or any other kind of attacks.” It will be important to keep an eye on how French policy evolves, and if there are lessons learned as Britain and Germany gear up for elections later this year.