A Last Minute Influence Op by Data DDoS

Where there’s smoke, there’s a smoke machine!

Today, just before the legally required 48 hour French media election coverage blackout came into effect, “Someone,” released a 9 gigabyte archive of alleged Macron related emails. This dump has been much anticipated. Just a couple weeks ago I explained the rationale behind the prediction that they would release whatever they had (and it wouldn’t be much) sometime between the first and second elections. At the last minute they came through and released a massive collection of assorted emails and documents from a variety of sources (none of whom is actually Macron) covering a range of topics.

In this post I will examine the release itself, rather than the content (I can’t read French so cannot contribute to the analysis.) Instead, I'll look at:

  • Timing: too late for indepth analysis – or response – before the election
  • Packaging: they know how people consume information online and have constructed the archive to exploit that
  • Tampering?: there are clear indication that some files were accessed and modified (but to what extent is unclear)
  • Volume: this is what a denial of service influence op looks like, a flood of data to exhaust the available analytic resources. This is the exact opposite of the bite sized complete stories supplied to reporters during the 2016 US election.
  • Amplification: the leak was accompanied by a full force of trolls, promoting bullshit narratives and flinging cyber feces at any discussions they could find (many didn’t even bother to change their pro Trump personas.)

Executive Summary

This package of leaked data contains mostly old content unrelated to Macron. The leak was timed to appear just before the media’s election blackout in France, allowing time for the electorate to learn of the leak but preventing political parties or the media from addressing and debunking it.

The leak package is huge – 9Gb – suggesting at a quick glance (all the time anyone had) that there was a lot of scandalous or incriminating content. No such luck. Although this was promoted as #MacronLeaks, there are no emails from Macron. The majority of the package seems to be padding to fill it out.

The archive was intentionally packaged to give the appearance of a data dump containing documents, emails and other recent primary sources regarding Macron. It contains nothing of the sort. The packaging was maliciously crafted to deliberately mislead a cursory reading.

There is direct evidence that some of the documents have been altered from their original source. What actual tampering has been done is impossible to know given only the data supplied by the malicious agency. Some content is highly peculiar – an emailed receipt to an obscure old politician for 10 grams of 3MMC, purchased with Bitcoin, to be shipped direct to the National Assembly!

With the release and amplification, the malicious agents were able to promote the idea of a huge damning leak brimming with incriminating intel. By timing it right, the media and political parties are unable to debunk the “false leak.” The malicious actors exploited the expectation of a leak using a dump too large to analyze in the time available (unlike previous dumps which have been small enough to be processed by the news cycle.) This clever approach to creating something from nothing relies on the media blackout blocking news of the leak’s fakery. However, during the election blackouts the French turn to Switzerland and Belgian media to provide continuing coverage. I guess this deliberate fake out is gonna turn into the dud it is.

Election Media Blackout in Full Effect

Additionally, the press are specifically prohibited reporting about the data release. With the quantity of data released, and the short time available, it is unlikely that the contents could be verified and analysed in time for the election. There is no meaningful intelligence (data plus context and analysis) that could be produced given the severe time constraints.

It is prudent to block any stories based on the content of the data released today. Hot take stories rushed out based on these emails and documents are likely to be inaccurate, misleading, or even entirely false.

  • There are clear indicators that documents have been altered.
  • Some of the stories are so bizarre they’re either fabricated or require considerable journalistic legwork.
  • The volume of archive is intentionally prohibitive, suggesting that the leakers seek to overwhelm, to flood, the analytic resources in the short time available.
  • The packaging is intentionally misleading, suggesting that the release of the data is malicious, and raising serious doubts about the authenticity of its content.

Hacking Headlines for Fun and Profit

People¹ consume online² information in a very shallow³ way. Most read only the headline. A subset reads the first paragraph. A subset of them will skim the rest of the article, looking for visual hooks: bold or highlighted text, bullet points, pull quotes. A minority will engage in active critical reading. Online media organisations are adept at exploiting this reading style and create content specifically tailored to it.

As the Summary, so the Headlines

An important lesson demonstrated by Wikileaks’ presentation of the Vault7 data⁴ is that people, journalists included, mostly read the summaries rather than the primary sources. The summary is very likely to be foundational source for the article. A carefully written summary crafted to mislead the reader has a strong chance of directly influencing the media’s reporting of the primary sources. It’s faster and easier to trust the summary (or press release) than to actually analyse the documents.

Indeed, reporters can be so lazy that they simply cobble together articles using cut and paste snippets from the press release. This garbage chute method of writing is derisively called churnalism, but many non technical journalists can easy fall prey to deferring to “the specialist.” This happened frequently with the Vault7 releases, where the hyperbolic summaries were quoted verbatim even when they weren’t supported by the primary sources – available in the same post!

Wikileaks omitted or downplayed basic facts which cast the CIA’s cyber capabilities in a very unflattering light. – the tools, techniques and procedures where copied from public research released by the infosec community.

Wikileaks deliberately used emotive language and elided important information such as “uses a repurposed jailbreak tool” to get more of your time and attention. They skewed and framed the narrative: “The CIA May Be Spying On You Through Your TV!” In fact, Samsung, is spying on you through your TV, but if you’re super “interesting” the CIA might piggyback on that functionality as well. An important story (IoT brings surveillance capitalism into the home) is buried for a fleeting pearl clutching “Spy Agency Does Its Job” high valence hit.

You’re all familiar with clickbait techniques – they can be used, effectively, for info ops.

_______

¹ No, not all people

² Yes, offline too

³ No, this is not “news”

⁴ CIA operational tools for cyber enabled collection (e.g. piggybacking on Samsung Smart TV functionality to create an audio bug)

Packaged For Skimming Not For Reading

The directory name Macron_201705/ suggests that the contents will be related to Macron and from May 2017. Instead it contains documents about Gemplus (an earlier name of SIM manufacturer Gemalto), and the dates are from 2002, not 2017. For the record, Macron was a 25 year old student in 2002. Whatever damning “evidence” is in those files, it hardly has any baring on Macron the presidential candidate.

Intentionally Misleading

The only thing that is crystal clear is that the people who prepared the package intended to mislead the casual reader, implying that there was significant recent fresh data about Macron. The folder name implies evidence of something recent and nefarious involving Macron. The folder name is a lie. The appropriate name is: Archive_2002_Gemplus.

Not Exactly Cleanroom Analysis

There is clear indisputable evidence that some of the documents have been altered. It is not possible to determine to what extent these documents have been tampered, but it is immediately evident that the collection, analysis and packaging was not done to rigorous digital forensics standards. There is no chain of custody showing where and when the data was collected, preserved (with multiple hash sums), and how it was analysed.

Without a chain of custody (something no intelligence agency would ever provide), or an original copy for comparison, there is no way to determine whether a document – provided by a source with an agenda – has been tampered, falsified or otherwise altered.

These documents are of dubious provenance and have evidence they were altered. They must be treated as suspect, not as gospel. Journalists have to investigate, no one can take the documents at face value.

Not the original French, methinks. Source: Matt Suiche

Create Something from Nothing

The Adversary have, once again, demonstrated remarkable agility and flexibility. This last minute “fake” leak is straight from the 36 Strategems. Faced with a dark horse candidate who:

  • came out of nowhere (little to none existing intelligence on him)
  • arrived late on the scene (very little time for tasking, collection, analysis, etc)
  • formed his own party (rendering the collection against existing political parties useless)
  • too young to be dirty (no politicians had a file on him, like Sarkozy used against Fillon)
  • squeaky clean thanks to youth, a fast track career, (and I suspect: grooming for the role)

This is a nightmare scenario for an intelligence agency on a deadline. Caught off guard by a fast moving, clean politician with no time to locate any dark secrets or prepare a scandal. Then the bastard French start infighting and pull down one of “your” two candidates. The clock is winding down, and although everyone has been expecting an incriminating leak any day now there’s still nothing.

These are the assets the FIS has to work with:

  1. An expectant audience
  2. Nothing worth leaking
  3. An election news blackout for 2 days before the elections
  4. A system for rapidly amplifying news on social media
  5. Decades worth of old intelligence take

Solution:

Playing to the audiences expectations by releasing a leak too massive to be thoroughly analysed in the hours before the blackout. Package old intelligence data into an archive structured to appear like current Macron intel. Craft and amplify short scary narratives allegedly supported by evidence inside the leak – e.g. “Macron was in contact with a Mid East arms dealer, was he selling weapons to ISIS??” (reality: ISIS didn’t exist when the arms dealer sent those emails to someone not-Macron, and Macron was in school at the time.) Use the troll armies to amplify and promote the leak and the narratives. As soon as word of the massive leak, and the incendiary allegations, makes it out into the French consciousness the law will prohibit further analysis or discussion.

This is an ingenious move to create something from nothing. Amazing to watch the grandmasters of active measures at work. Always a chance to learn.

It is unlikely that this gambit will work. In the remaining days before the election the French turn to Switzerland and Belgium for election news. This “false leak” will be revealed for what it is. No matter how good your battle plan is, there’s always a Belgium.

Support more analysis like this.