Don’t Info Op Until You See The Whites of Their Eyes

Why the anti-Macron influence op should start now

thaddeus t. grugq
Apr 24, 2017 · 6 min read
I can’t take credit for the idea, but I’ll explain the rationale.

The first round of the French election is just about over and it looks like Macron beat Le Pen by about a million votes. This is a bit of an upset against the polls which had them almost neck and neck with Le Pen in the lead, so now the real race will begin. Macron vs. Le Pen, for the second round.

Macron is an interesting character in that there is so little to him. He is basically too young to have a proper sordid history in politics (like Fillon and his petty corruption of giving his family members tax payer funded “jobs.”) Macron is also married to a nice lady (she is his former school teacher, combined with the two decade age difference, makes some suspect that there must be something scandalous there — rumours that Macron is gay and his wife just a beard have been swirling.)

The thing about the French is, they don’t really care about any of those things too much. Petty corruption like Fillon’s is expected of their politicians, and being homosexual and a politician is hardly scandalous by French standards. So far all I’ve heard from my French friends is that they are mostly upset that Macron is too clean, he doesn’t have enough dirt on him to make him a good politician. They expect some petty corruption, a mistress or two, being a closeted homosexual — something, anything!

Macron came barrelling out of nowhere as the dark horse contender in the election and now it looks like he is going to win. This is important for a few reasons when we look at it from a cyber intelligence led influence operation.

  1. APT28/APT29 were doing significant collection on French political targets in 2016. This was clearly in anticipation of the upcoming election where they would need time to prepare campaigns against whomever they needed to knock out of the way for their favourites.
  2. In late 2016 the expectation was still that the second round election would be between Fillon (pro-Russian) and Le Pen (pro-Russian, anti-EU.) If this came to pass, then the Russians could stand back as it would be a win-win either way.
  3. Enter Macron. He arrived late to the game, with a squeaky clean history, and the sort of impeccable credentials of a groomed political targeted at a top post. He went to the right school (ENA), was a civil servant a few years, held a job at a top bank a few years, became an official in the Hollande administration, and then got a bump up the ladder a couple years later. In 2012 he merited barely two lines of biographical data in State Department cables, yet now he’s likely to become the next French president. Very slick career path.
  4. Macron didn’t enter the election until November 2016. This was extremely late in the game for cyber intelligence operations to begin targeting him for tasking and collection. They’ve had very little time to collect on him, and he appears to be groomed for the role, there is probably not much to dig up.

I don’t believe there will be an exact duplicate of the US election style influence operation. That doesn’t make sense, since the Russians have honed their tradecraft over the last year. France is also not as susceptible because it isn’t as deeply divided between two opposing camps, nor is it as heavily reliant on social media. This makes micro targeting of specific groups for a “cyber defeat in detail” much harder, which was a fundamental part of the US election’s influence operation.

The Timing’s the Thing


  1. Russian intelligence apparatus has had very little time to work on investigating Macron
  2. Almost all the collection work done in 2016 is useless, since it targeted candidates and parties that are no longer in the running
  3. Whatever the Russians could get on Macron in the time available they would not want to squander before the first election (in case it had no effect, which was likely given the poll numbers for their preferred candidates.)

Because there has been no “leaking” or “dumping” before the first round election, the “take” against Macron (and his associates) must be pretty meagre. If it wasn’t meagre, then the Kremlin would have been liberally spreading it around before the first round election in the hopes of damaging Macron early and often (influence operations are a bit like the joke about voting in Chicago, do it early and often.)

Since there has been no leak, there must not be a lot of leak worthy material. QED.

Macron’s Mistakes

There are a number of cybersecurity vulnerabilities and poor strategic decisions that Macron has made with regards to the potential Russian influence operations.

Firstly, Macron and his crew make heavy use of Telegram — I blame the French media for promoting it as an impenetrable fortress protecting Islamic terrorists from security forces. This claim is ridiculous on its face (French jihadis have made heavy use of both WhatsApp and Telegram, and the Telegram users’ have been interdicted pretty frequently.) Telegram is not an “encrypted messenger,” it is a “cloud messenger.” The security is not particularly strong compared with alternatives, and the defaults guide users towards insecure practices. I wouldn’t be surprised if there are Telegram dumps from Macron’s inner circle.

The second error, a strategic mistake, was to announce that he has been the target of thousands of Russian cyber attacks per day. So is everything with an IP address, welcome to the Internet. This early announcement wasted credibility that will be necessary later in the election, and probably in his administration. There is no point freaking out about loads of port scans or whatever coming from Russian IP space. The real concern is the targeted attacks that will have a high likelihood of successfully penetrating the target. Using Google services, Chromebooks, FIDO U2F keys, dedicated iPhones with anonymised Wire accounts and Reservoir Dogs style OPSEC should be sufficient (starting last year.)

Now or Never

With the first round election over, there are only two candidates left on the field:

  • Le Pen — backed by the Kremlin
  • Macron — not backed by the Kremlin

If the Kremlin intends to try to swing the election (which will be quite hard), then whatever the Russian intelligence agencies have been able to collect will have to be used now. The ammunition they have available has to be used at the only time when it might possible have any effect. That time is now.

Strange Bedfellows

The Kremlin and radical Islamic jihadis have a shared agenda in France right now. Both want Le Pen to win the election. There has been a marked uptick in the number of terrorist attacks targeting France this year. Since the start of the year there have been 3–4 jihadi attacks (loon wolf style, with only one being claimed by ISIS), and there have been a further 7 attacks that were interdicted, including one by a two man cell that was likely coordinated with ISIS and well supplied for a deadly attack.

We’ve seen much more [ISIS] plotting since the beginning of the year,” says Jean-Charles Brisard, president of France’s Center for the Analysis of Terrorism. Since the start of 2017, Brisard says, France has foiled seven ISIS plots. — Source

The jihadis want Le Pen because they believe she will antagonise the French muslim population, which will drive recruits towards terrorist organisations. The Kremlin wants Le Pen because she will help weaken the EU as a bloc that can oppose Russian national interests, and possibly for other reasons (confession: I’m a cybersecurity/counterintelligence guy, not a geopolitical analyst.)

What to Expect When You’re Expecting Meddling

Whatever ammunition the Russian intelligence organisations where able to collect will have to be released now. Alternatively, if the chance of effecting the outcome of the election is too remote (which many consider to be the case, especially given Macron’s strong showing in the first round), then it would make more sense for the collection to continue and an attempt made to weaken Macron’s administration. Personally, I suspect that if there is anything at all available now, then they will dump it. Collecting more later will happen anyway.

On a related note, the likelihood of terrorist attacks will definitely increase during this period before the second election. The jihadis know what they want, even without specific direction from the ISIS Core to guide them, they understand the messaging and the basic strategy to achieve The Vision. Any attacks that are successful will almost certainly be loon wolves, rather than cells (given the smothering blanket of SIGINT and HUMINT targeting these guys.) Fortunately, loon wolf attacks are seldom as deadly as coordinated and directed attacks with logistical support.

Negative Narratives

The main themes the Kremlin has been pushing is that Macron is a Rothschild banker, which is apparently a particularly negative connotation for the French. Le Pen has been pushing anti immigration narratives to deal with the French born nationals who commit terrorist attacks (I don’t get it either), and the troll armies supporting her have been heavy on the banker angle. Still, however much the French hate bankers who marry their high school teachers, they appear to hate Kremlin backed nationalist hate mongers more.

Support more analysis like this.

thaddeus t. grugq

Written by

Information Security Researcher :: ::

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade