One Article Review

Source AlienVault Lab Blog
Identifier 362604
Publication date 2017-05-06 19:08:00 (seen: 2017-05-06 19:08:00)
Title MacronLeaks – A Timeline of Events
Text

It's been a very familiar feeling reading about the documents leaked to impact the elections in France tomorrow. Often the best defence is to have a proper understanding of what has happened. A quick draft timeline of events from an analysis of document meta-data and forum posts is below.

Attacks in March and April

A number of domains, identified by Trend Micro as linked to a group of attackers known as APT28, were registered for use in attacks against Emmanuel Macron's campaign. It appears they were registered in two stages - first in the middle of March, then more in the middle of April. The links between these attacks and others in the US elections are strong. I haven’t seen a definitive link that the documents leaked yesterday were the result of these attacks in March and April, but it seems a likely scenario.

Suspicious edits of the leaked documents in March

Many noted that all of the documents in one of the smaller archives released yesterday (xls_cedric) appeared to have been edited over a 4 minute period on the 27th of March. These were edited by a Russian language version of Microsoft Excel. About half recorded a user named "Рошка Георгий Петрович / Roshka Georgy Petrovich" performing the edits. It's suspicious that these documents, some of which were created over ten years ago, were all edited so recently during the same 4 minutes. It suggests the edits may have been made following their theft, not before.

Before linking any individual to these attacks though it's important to note:

- A number of people have that name;
- This could be false information planted by the attackers; or
- An entirely innocent employee at a bank somewhere has been unfortunate enough to get caught up in this.

Similar previous mail dumps have included a mix of real and fake information, and the Macron campaign have also said that the dump is a mix of real and fake documents. It's important to keep that in mind – particularly when you see e-mails in the dump suggesting that politicians have bought drugs online.

Documents shared on 4Chan on Wednesday

A first small set of two documents was shared on 4Chan's politics board /pol just prior to the election debates on Wednesday. These suggested that Macron had secret bank accounts. The post was made by a user from a Latvian IP. The geolocation is likely incorrect and the “Latvian” poster themselves said they were connecting through proxies from another location. The documents were picked up by fringe news sites quickly, and Le Pen made similar claims during the live debate against Macron that night. It wasn’t long before some suggested the documents looked like they had been photo-shopped. The “Latvian” poster claimed the problems were due to how the copies were obtained - by taking photos of the documents "in a short w
Sent Yes
Tags
Stories APT 28


The article does not appear to have been picked up after its publication.


The article does not appear to be a repost of an earlier one.