Don’t Pin the Macron Email Hack on Russia
Posted by Christian Hendrix

After a hacked US election covered in Russian fingerprints, it’s easy to assume that Friday’s megaleak of emails from France’s president-elect Emmanuel Macron was the Kremlin’s work, too. Russia, after all, has the motive, the means, and a very fresh track record of meddling in Western elections to sabotage center-left candidates. But this latest breach, for now, lacks conclusive fingerprints—and what few clues there are have only added to the confusion.
On Friday, nine gigabytes of emails from Macron’s En Marche party spilled onto the web in a collection of torrent files. Within hours, the party had issued a statement blaming the leak on hackers intent on disrupting the democratic process. In the days since, armchair cybersecurity analysts and the media have been quick to conclude that the attack and data dump must have been the work of the same Russian hackers who plagued the US election last summer and fall.
But outside observers who have examined the digital evidence say it’s still too early to draw that conclusion. Doing so prematurely not only helps other countries and non-state hacker groups who might use Russia as cover, but also cheapens the act of accusing Russia in cases where the evidence is far stronger—like last year’s brazen US election interference.
Inconclusive
Plenty of clues do point to Russia as the source of the Macron leaks. But unlike in the case of the US election, those clues don’t yet add up to a clear, glowing trail to Red Square, says Thomas Rid, a professor in King’s College London’s Department of War Studies. “I do think this is more likely than not a Russian operation, but I’d put this at more like 60 percent at this stage,” says Rid, who recently testified at a Senate hearing about Russian interference in the US presidential election. In that case, by contrast, Rid says he has zero doubt that the Kremlin—and specifically a hacking group known as Fancy Bear, or APT 28—was the culprit. But in the Macron case, Rid says, “none of the pieces of evidence that have come out so far is particularly strong in forensic terms. We only have circumstantial evidence. We can’t exclude the possibility that someone is trying to frame someone else.”
A stronger case exists that Russian hackers at least tried to hack the Macron campaign. Late last month, the security firm Trend Micro revealed that the Fancy Bear hacker group, which it calls Pawn Storm, had registered a phishing domain in March designed to impersonate a Microsoft file storage URL for Macron’s party. At the time, En Marche denied that the phishing attempt had succeeded. And on Monday, even Trend Micro wouldn’t definitively link the pre-election leak with the earlier Russian efforts.
“Trend Micro does not have evidence that this is associated with the group known as Pawn Storm,” the company wrote to WIRED in a statement. “The techniques used in this case seem to be similar to previous attacks. However, without further evidence, it is extremely difficult to attribute this hack to any particular person or group.”
Some of the leaked Microsoft Office files contain an even stranger clue: Cyrillic-character metadata, suggesting they were opened at some point on a computer with Russian-language software settings. The Twitter feed for WikiLeaks points to nine instances in the metadata of the name Roshka Georgiy Petrovich, reportedly an employee of the Russian intelligence contractor Eureka. But that apparent metadata slip-up was so conspicuous that some cybersecurity analysts discount it, suspecting a deliberate misdirection technique.
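The metadata clue described above, as an added example that is not from the article: the script below reads the core-properties part of a .docx file (the part that records the author and last-modified-by names) and flags any field containing Cyrillic letters. The sample document, names and date are constructed placeholders; the properties part is plain XML inside the zip container, which is one reason a hit like this is treated as weak evidence on its own.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used in docProps/core.xml of an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample core-properties part; the names and timestamp are
# placeholders, not values taken from any real document.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>analyst</dc:creator>
  <cp:lastModifiedBy>Пример Пользователь</cp:lastModifiedBy>
  <dcterms:modified>2017-05-05T12:00:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Build a minimal in-memory .docx containing only the core-properties part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the author-related core properties of a .docx as a dict."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields = {}
    for tag in ("dc:creator", "cp:lastModifiedBy", "dcterms:modified"):
        el = root.find(tag, NS)
        fields[tag] = (el.text or "") if el is not None else ""
    return fields


def scripts_in(text: str) -> set:
    """Unicode script names of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    # The first word of a character's Unicode name is its script (e.g. "CYRILLIC SMALL LETTER A").
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def flag_cyrillic_fields(fields: dict) -> list:
    """Names of metadata fields whose value contains Cyrillic letters."""
    return [k for k, v in fields.items() if "CYRILLIC" in scripts_in(v)]
```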