The Kremlin is behind the hacker attack on the French president.
According to The Insider, published on May 5, the array of hacked correspondence between Emmanuel Macron and his staff revealed a number of letters that were changed by a user named Georgy Petrovich Roshka - this is evidenced by the metadata of the letters.
The documents where The Insider found traces of Georgy Roshka (and there are at least 9 of them) are financial documents of Macron's headquarters, here is one of them:
(to enlarge, click on the image)
The real author of the document, judging by the same metadata, was the treasurer of Macron's headquarters - Cedric O (this is not an abbreviation, but the full name). But then the document was changed by a certain Georgy Roshka. A man named Georgy Petrovich Roshka works at Evrika CJSC, which produces computers and software, whose main clients are Russian government agencies, including the Ministry of Defense and the special services.
For example, it is known that Evrika CJSC received licenses from the FSB to carry out activities to protect state secrets, and also fulfilled contracts for NPO Kvant JSC, which works for the Ministry of Defense. It is "Quant" that is called the key intermediary between the Ministry of Defense and the hackers, and this interaction has been going on since at least 2009.
Georgy Roshka is a programmer who took part in specialized conferences, for example, "Parallel Computing Technologies", which took place in 2014 in Rostov-on-Don. At the time of publication, Rosca did not respond to The Insider's request.
We will remind, yesterday, May 5, the Internet portal WikiLeaks published a link to the hacked correspondence of the French presidential candidate Emmanuel Macron and his entourage, consisting of several hundred thousand emails, photos and attachments, dated until April 24, 2017. The array size is about 9 GB.
Macron's team reported that the documents were obtained a few weeks ago as a result of hacking the personal and work mailboxes of some representatives of the "Forward!" and noted that in addition to real letters and documents, there are also fakes in the array.
Earlier, the Japanese company Trend Micro confirmed that the Russian hacker group Pawn Storm, also known as Fancy Bear and APT28, is behind the cyber attack on Macron's resources (which the headquarters recorded back in February). The same group has previously carried out numerous cyber attacks in other Western countries, including the United States, where the hacked Democratic Party mail was also handed over to WikiLeaks for distribution ahead of the presidential election.
Recall that the founder of WikiLeaks is Julian Assange, who is also known for his show on the Russia Today TV channel.
Note that earlier, a number of independent companies in the field of information security independently confirmed the connection of Fancy Bear / APT28 with the Russian authorities (among them, including Google experts). One of the first was Trend Micro, which discovered a powerful hacker group with a special attack style called Pawn Storm. The company was able to establish that the same group was used both in the attack on the Russian opposition and in the attack on American servers (a number of other companies later confirmed this). A Trend Micro expert spoke in more detail about these attacks in an interview with The Insider.
Earlier, Russian hackers have already been noticed in the fact that in the laid out arrays, real documents are interspersed with fakes. This was the case, for example, when laying out the massifs of the Open Society Foundation by George Soros, where, together with real files, crudely forged documents were posted, designed to create the impression that Alexei Navalny was receiving money from the foundation.
The one engaged in the publication of secret data of the secret services, said that in the meta-data of letters from the headquarters of the French presidential candidate from the movement "Forward!" Emmanuel, exposed by hackers the day before, records with the data of an employee of the Russian company "Eureka" were found.
"The contractor's employee name appears nine times in the leaked xls_cendric.rar archive," the organization said on Twitter.
The message is accompanied by a screenshot of a table with dates. The name appears in it:. In the next post, WikiLeaks cites an article stating that
ZAO Evrika is a supplier of information solutions and a manufacturer of computer technology; the company has received two licenses from the Federal Security Service of Russia, which give the right to carry out activities in the field of protecting state secrets.
“The priority directions of the company's activity are the development and creation of complex information systems, corporate network solutions, production of computer equipment. Regular clients of the company are the State Customs Committee, GUIN, Main Directorate for St. Petersburg, KUGI of St. Petersburg, "- quoted by WikiLeaks, the press service of" Eureka ".
On the evening of May 5, one of the main contenders for the presidency of France, Emmanuel Macron, announced that he had become a victim of a computer hack. In particular, the information contained in all emails of the politician was stolen. In total, about 9 GB of data concerning Macron was posted on the Internet in a profile called EMLEAKS.
The next day, the French Presidential Election Campaign Control Commission urged the media not to publish information that had become known as a result of the hacker attack.
“The chairman of the commission draws the attention of the media to the sense of responsibility that they must demonstrate, since the free expression of votes and the authenticity of the vote are in danger. Thus, he demands from the media and, in particular, from their Internet sites not to report the content of this data, recalling that the dissemination of false information can be prosecuted by law, ”the commission said.
The current President of France, in turn, said that this hack would not go unanswered.
“We knew that there would be similar risks during the presidential campaign, as this has already happened in other places. Nothing will remain unanswered, ”the head of state stressed.
Note that WikiLeaks was previously accused of having links with Russia. In October 2016, citing high-ranking officials of the country, he said that an investigation had begun in the United States regarding suspicions of receiving information from Russia by WikiLeaks.
“As WikiLeaks continues to publish emails from former US presidential candidate Hillary Clinton’s campaign chairman, US officials said more evidence is being gathered that Russia is using WikiLeaks as a tool to publish messages and other stolen information,” the source said. CNN.
At the same time, US intelligence officials began an official investigation into the links between the FSB and WikiLeaks. During the study of the data, they expressed confidence that the Russian special services were behind the leaks. WikiLeaks has not provided any response to these allegations.
In January 2017, Romanian hacker Marcel Lazar, known as Guccifer, who confessed to hacking Clinton's mail, expressed doubts about the accusations by the administration of the previous US president against Russia about Moscow's involvement in cyberattacks.
Dozens of cybersecurity organizations from different countries that have studied the activities of the hacker groups Fancy Bear and Cozy Bear have proved that representatives of these communities operate from large cities in Russia, speak Russian, work according to Russian working hours and attack targets abroad (Clinton, Macron, some European politicians and journalists, NATO objects, goals in Ukraine, etc.).
And now their involvement in the GRU has been proven.
On Thursday, the French government's Information Security Administration said it had not identified any "Russian trace" in the cyberattack on Emmanuel Macron. Vladimir Putin spoke a little more vaguely, saying the day before that if they were Russian hackers, they were definitely not connected with the state. However, as The Insider found out, those who hacked Macron had the most direct relation to the state - they were the current employees of the Main Intelligence Directorate of the Russian Armed Forces.
In early May, The Insider wrote that the name of Georgy Petrovich Rosca was found in the metadata of the hacked letters of French President Emmanuel Macron. At that time, The Insider did not know much about him yet, for example, that he, as an employee of CJSC Evrika, attended a conference on information technologies PAVT-2014, and that Evrika is closely cooperating with the Ministry of Defense. It was also possible to find out that Sergei Zaitsev, who works at the Center for Special Development of the Ministry of Defense of the Russian Federation, traveled to the conference with Roshka (also on behalf of Eureka), and that this center is recruiting employees who are professionally familiar with programming and cryptography.
Evrika officially told The Insider journalists that Roshka had never worked for the company and that no one went to the PAVT-2014 conference on her behalf. Evrika also reported that "in open sources" one can find information that Roshka also participated in the PAVT conference in 2016 and 2017, but "in a different status." In what status, and what kind of open sources, Eureka could not explain (a search on the Internet did not reveal any traces of Roshka's participation in later conferences, and indeed no other mentions of him). The Insider tried to get this information from the organizers of the conference - and that's when the oddities began.
Special purpose conference
One of the key organizers of the conference, co-chairman of the PAVT Programming Committee Leonid Sokolinsky (Head of the System Programming Department of SUSU) told The Insider that he could not provide information about the conference participants in 2016 and 2017, as there was “a failure in the database, as a result of which the disks were released out of order and the information has not been preserved. " According to him, the failure occurred due to the fact that the storage system was old. He also noted that “any person from the street” can sign up for the conference and where he comes from is not checked in any way.
Well, it looks like The Insider was just out of luck. But just in case, the publication turned to another co-organizer of the conference - Vladimir Voevodin, head of the department of supercomputers and quantum informatics at Moscow State University, and he unexpectedly presented a completely different answer: he has a list of participants, but he cannot give it because of the decision not to disclose personal data ... When asked why in 2014 this list was openly posted on the website, Voevodin replied that "personal data have begun to be taken more seriously."
Regarding the registration procedure for participants, Voevodin replied that those who wish to submit an application, then “the work is examined, a review is written, the strongest are selected. If it is accepted, then a person is speaking. At the same time, according to him, no one checks which organization the participant is from: “A request to the organization is not written that, they say, the institute has presented such and such a work signed by such and such a person. The organizers only look at the scientific component of the work and its correspondence to the conference theme. "
Everything would be fine, but Roshka did not present any report at the conference, and indeed the number of speakers at the conference was noticeably lower than the number of participants. And it didn’t look like people from the street were allowed into the event. In particular, the list of participants included military personnel. For example, Ivan Kirin, Andrei Kuznetsov and Oleg Skvortsov registered from military unit 71330. Judging by information in open sources, this military unit specializes in electronic intelligence, radio interception and decryption. And Alexander Pechkurov and Kirill Fedotov registered from the military unit No. 51952 of the radio interception of the 16th center of the FSB of Russia. In addition, the conference was attended by three employees of the FSUE Research Institute "Kvant", subordinate to the FSB, which back in 2015 was caught in having links with hackers.
How did it happen that intelligence officers openly register under their own names? Vladimir Voevodin told The Insider that "the participants themselves take care of secrecy, all responsibility lies with them."
But the main question could not be answered - who is Rosca and in what status did he appear at subsequent conferences? To find out, The Insider sent out letters to all participants in the 2014 PAWT conference asking them to send the list of participants for 2016 and 2017. And one of the addressees sent both documents.
In 2016, opposite the name of Georgy Roshka, there was “Military unit No. 26165, specialist”.
The 85th main center of the GRU special service, aka military unit No. 26165, specializes in cryptography.
Hackers GRU
After the mysterious death of the head of the GRU, Igor Sergun, the former head of the 85th main center of the GRU special service, Sergei Gizunov, was predicted to take his place, but he became only the deputy of the new head, Igor Korobov. Both Gizunov and Korobov are now under US sanctions in connection with "actions to undermine democracy in the United States" - that is, precisely in connection with hacker attacks. But if Korobov came under sanctions simply as the head of the GRU, then Gizunov could have a very direct relationship to cyberattacks - he is a cryptography specialist who has a number of scientific works on this topic. The 85th main center of the special service, located in Moscow at Komsomolsky Prospekt, 20, was engaged in the same topic. It was to this historical building (the former Khamovnichesky barracks, built under Alexander I), apparently, and went to the service of Georgy Roshka.
Sergei Zaitsev, who, on behalf of Eureka, also traveled with Roshka to PAVT-2014, and then appeared as an employee of the Center for Special Development of the Ministry of Defense of the Russian Federation, in 2016 and 2017 does not appear in the list of participants. But here's what is curious: if in 2016 Rosca was registered from a military unit, then in 2017 he is listed as a "researcher at the Center for Strategic Research". Most likely, this refers to the same Center for Special Developments of the Ministry of Defense (it's hard to imagine that Roshka suddenly got a job with Kudrin). But it cannot be ruled out that this position was just a cover: it was just necessary to add something to the questionnaire. But why Roshka presented himself as an employee of the Eureka company in 2014 - was that also a cover? Or does he still have something to do with her?
"Eureka" and the hacker factory
“We hereby inform you that Georgy Petrovich Roshka in the period from 01.01.2003 to 05.10.2017 in CJSC“ EUREKA ”INN 7827008143 did not work on a permanent basis and no civil law contracts were concluded with him. Also, Georgy Petrovich Roshka was not found in the lists of students of the training center, as well as in the database of e-mail addresses of the domain.eureca.ru ”.
It is not possible to verify the veracity of this answer. But it is the Eureka training center that is of particular interest. Formally, he runs "information technology courses." But sources well familiar with the company The Insider (who asked for anonymity), said that the same "training center" "Eureka", among other things, is training future hackers among intelligence officers.
Class of the training center "Eureka"
The Russian Ministry of Defense does not deny the presence of cyber troops, but where exactly the hacker training factories are located, of course, is not reported. Perhaps, Moskovsky Prospect, 118 is one of these places.
It is curious that, as the project "Municipal Scanner" managed to find out, one of the three co-owners of "Evrika" Alexander Kinal in February this year bought an apartment in an elite house on Kamenny Island in St. Petersburg at the 2nd Berezovaya Alley, 19. I have already written about this legendary house, in which Vladimir Putin's closest circle lives, including his judo friend Arkady Rotenberg, former presidential manager Vladimir Kozhin, some members of the Ozero cooperative (Nikolai Shamalov, Yuri Kovalchuk, Sergei Fursenko and Viktor Myachin) and the ex-head of the Malyshevskaya criminal group Gennady Petrov. It was Petrov's apartment with an area of \u200b\u200b478.7 square meters (estimated cost of about $ 9 million), according to Municipal Scanner, and was bought by the co-owner of Evrika.
The stage of denial
It is curious that Vladimir Putin denies the connection of hackers with Russia is no longer so categorical, they say, they can simply be Russian patriots who act independently of the state:
“The background of interstate relations is also important in this case, because hackers are free people, like artists: they have a good mood, they got up in the morning and are busy painting pictures. So are the hackers. They woke up today, read that something is happening there in interstate relations; if they are patriotic, they begin to contribute, as they believe, correct, in the fight against those who speak badly of Russia. Maybe? Theoretically possible. At the state level, we never do this, that's what is most important, that's what is most important. "
The story about "free artists" did not appear by chance. Dozens of cybersecurity organizations from different countries that have studied the activities of groups known as Fancy Bear and Cozy Bear have collected enough data to indicate that representatives of these two groups operate from large cities in Russia, speak Russian, and work on Russian business hours ( resting on those days that are days off in Russia) and attack those targets that may be of interest to the Russian government - both abroad (Hillary Clinton, Emmanuel Macron, a number of European politicians and journalists, NATO military facilities, targets in Ukraine and Georgia, etc.) etc.) and within the country (oppositionists, journalists, NGO employees). Today it is no longer possible to deny the connection of hackers from these two groups with Russia. But one can try to present them as independent subjects. In about the same way as the “Novorossiya militias” were represented as independent actors.
Previously, this justification was refuted only by circumstantial evidence (for example, the fact that the Fancy Bear and Cozy Bear operations, according to experts, required a constantly working large staff of well-trained employees and serious financial resources - something that “free artists” cannot do). Now the GRU's involvement has been confirmed by direct evidence. Putin's attempts to explain everything by the fact that “someone inserted a USB flash drive with the name of some Russian citizen” is also unlikely to convince anyone: Roshka’s name has never surfaced either in connection with hackers or in connection with the GRU (and, perhaps it would not have surfaced if it had not been for this investigation), so it could not have been used for provocation.
Prepared with the participation of: Anastasia Kirilenko, Sergey Kanev, Iva Tsoi, Anna Begiashvili
The hacked correspondence between Emmanuel Macron and his staff, published on May 5, revealed a number of letters that were modified by a user named Georgy Petrovich Roshka, according to the metadata of the letters, oi5.ru reports citing the Russian website The Insider. Those documents where journalists found traces of Georgy Roshka (and there are at least 6 of them) are financial documents of Macron's headquarters, here is one of them: The real author of the document, judging by the same metadata, was the treasurer of Macron's headquarters - Cedric O (this is not an abbreviation , but full name). But then the document was changed by a certain Georgy Roshka. A man named Georgy Petrovich Roshka works at Evrika CJSC, which produces computers and software, whose main clients are Russian government agencies, including the Ministry of Defense and the special services. At the time of publication, Roshka did not respond to The Insider's request. We will remind, yesterday, May 5, the Internet portal WikiLeaks published a link to the hacked correspondence of the French presidential candidate Emmanuel Macron and his entourage, consisting of several hundred thousand emails, photos and attachments, dated until April 24, 2017. The array size is about 9 GB. Macron's team reported that the documents were obtained several weeks ago as a result of hacking the personal and work mailboxes of some representatives of the Forward! Movement. and noted that in addition to real letters and documents, there are fakes in the array. Earlier, the Japanese company Trend Micro confirmed that the Russian hacker group Pawn Storm, also known as Fancy Bear and APT28, is behind the cyber attack on Macron's resources (which the headquarters recorded back in February). The same group has previously carried out numerous cyber attacks in other Western countries, including the United States, where the hacked Democratic Party mail was also handed over to WikiLeaks for distribution ahead of the presidential election. Note that earlier, a number of independent companies in the field of information security independently confirmed the connection of Fancy Bear / APT28 with the Russian authorities (including Google experts). One of the first was Trend Micro, which discovered a powerful hacker group with a special attack style called the Pawn Storm company. The company was able to establish that the same group was used both in the attack on the Russian opposition, and in the attack on American servers (later this was confirmed by a number of other companies). A Trend Micro expert spoke in more detail about these attacks in an interview with The Insider. Earlier, Russian hackers have already been noticed in the fact that in the laid out arrays, real documents are interspersed with fakes. This was the case, for example, when laying out the arrays of George Soros's Open Society Foundation, where, along with real files, crudely forged documents were posted, designed to create the impression that Alexei Navalny was receiving money from the foundation. © censor.net.ua
On the evening of May 5, 2017, one of the two French presidential candidates, Emmanuel Macron, fell victim to a massive hacker attack a day and a half before the decisive second round of elections. Unidentified persons have published about 9 GB of documents from the mailboxes of the campaign headquarters of the former investment banker and minister of economy.
Thus, the French politician became another victim of "political" hacks, when unknown persons spread the confidential correspondence of politicians for free access: it began with the diplomatic post of American diplomats on Wikileaks, then there was the US Democratic Party, Russian Prime Minister Dmitry Medvedev and other Russian politicians, and now the French presidential candidate.
Apparently, in the modern information society, politicians can no longer have absolutely any secrets from the public.
It should be noted that prior to this leakage of documents, former President Macron's protege was considered the clear leader in the polls, significantly ahead of the right-wing radical candidate Marine Le Pen, who advocates for leaving the European Union, tough measures against migrants, against globalization and for the national revival of France in the style of “Let's do France is great again! " According to the latest polls, Macron's rating was 62%. Over the past 50 years, pre-election polls differed from the real election results, on average, by 3.9%.
Macron's political movement confirmed the hack. “Movement En Marche! This evening, it was the victim of a massive and coordinated hacker attack, ”the official statement said. "Various inside information quickly spread on social media." The movement said the documents show the normal operation of a political party, but social media mixes them with fake documents that sow "doubt and misinformation."
Pre-election accounting
Representatives of the British research firm Digital Forensic Research Lab believe that the initial distribution of documents and the hashtag #MacronLeaks was carried out by ultra-right American nationalists, and then the wave was picked up by a key core of French supporters of Marine Le Pen. Experts say that the first hashtag appeared in tweeted by American activist Jack Posobiec (he himself is talking that took links from the / pol / branch on 4chan and just came up with a hashtag). Analysis of his twitter reveals that Jack originally used the #MacronGate hashtag. According to statistics, it was American users who most actively spread the news at the first stage.
The French Minister of the Interior warned French media journalists to be careful when publishing details from the confidential correspondence of En Marche !, because exactly one day before the official election day, a ban on the publication of any information that could affect the result of the vote begins. The publication of such information may lead to the institution of criminal cases, the minister said. Such a ban will remain in effect until the closing of the last polling stations on Sunday 18:00 GMT.
Official application of En Marche! done yesterday at 11:56 pm local time, four minutes before the ban took effect.
A detailed investigation of the hack has not yet been provided. Vitaly Kremez, director of research for the American information security company Flashpoint, said that his overview of the situation points to the work of the famous hacker group APT28 (Fancy Bear), which specializes in cyber espionage.
Cremez said that APT28 registered a number of domain names in April that are similar to the names of the official servers of En Marche! These include onedrive-en-marche.fr and mail-en-marche.fr. These domains could be used to target phishing emails and install malware on computers from which credentials to hack En Marche mail servers could be removed! Cremez believes that this is a broader approach and a serious amount of effort than hackers showed during their intervention in the American election campaign.
In April, Trend Micro experts said that an attack on En Marche! in March was carried out by the same hacker group that hacked the mail servers of the US Democratic Party, that is, the hacker group APT28 (Fancy Bear).
