Cyber Incident Victim: Emmanuel Macron
Date: Mar 2017
Location: France
Summary
Russian state-backed hackers linked to military intelligence (GRU) targeted Emmanuel Macron's presidential campaign through coordinated cyber operations, deploying phishing emails to steal credentials from team members. The attack, known as "MacronLeaks," involved two sophisticated Russian hacking units, including APT28, and culminated in the leak of internal campaign communications shortly before the election's final round. Technical evidence from cybersecurity firms and researchers confirmed the operation's state-sponsored nature, characterizing it as an attempt to destabilize the electoral process through information manipulation.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The 2017 MacronLeaks incident targeted Emmanuel Macron’s presidential campaign through a coordinated cyberespionage operation attributed to Russian state-backed actors. In early March 2017, weeks before France’s first-round election, hackers from APT28—a group linked to Unit 26165 of Russia’s military intelligence service (GRU)—initiated phishing campaigns against Macron’s team. These emails aimed to steal credentials from campaign staff, providing initial access to internal communications. By April 2017, a second GRU-associated unit joined the operation, deploying advanced malware to maintain persistent access to compromised email accounts. The attackers exfiltrated sensitive data over several weeks, culminating in a timed leak strategy. On May 5, 2017, just before the second-round vote, stolen emails and documents were dumped online in an attempt to undermine Macron’s campaign. The leak included authentic communications but contained no damaging revelations, leading Macron’s team to denounce it as deliberate interference. The campaign obtained a French judicial order to suppress republication of the stolen materials, limiting their spread.

Technical analyses by Google researchers and cybersecurity firm FireEye later confirmed the operation’s sophistication and state-sponsored origins. FireEye’s 2018 client report, partially disclosed in journalist Andy Greenberg’s book, detailed how both GRU units collaborated—APT28 focused on initial intrusion while the second group handled data extraction and leak coordination. Evidence included distinctive malware signatures, infrastructure overlaps with prior GRU operations, and phishing tactics mirroring attacks on other political targets. The Macron campaign’s internal systems were the primary affected assets, with no evidence of broader French electoral infrastructure compromise. While the leaks failed to alter the election outcome, they amplified concerns about foreign interference in democratic processes. French authorities did not publicly attribute the attack during the campaign but later endorsed private-sector findings linking it to Russian actors. No formal sanctions or countermeasures were disclosed in the immediate aftermath.
