Cyber Incident Victim: En Marche!
Date:
Apr 2017
Location:
France
Summary
Russian intelligence agents created fake Facebook personas to conduct surveillance on Emmanuel Macron's presidential campaign, attempting to gather personal information from officials and associates by posing as friends of friends. Facebook identified and deactivated these accounts, attributing the activity to tools associated with Russia's GRU military intelligence unit (APT28/Fancy Bear), which had previously targeted U.S. political entities. While the spies failed to compromise targets into downloading malware or sharing credentials, Macron campaign emails were later hacked and leaked online during the election's final stages. Facebook also suspended tens of thousands of additional accounts promoting election-related propaganda and misinformation in France.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 3 actors | Available to members | Available to members |
Description
In early 2017, during the French presidential election, Russian intelligence agents conducted a surveillance operation targeting Emmanuel Macron’s campaign. The operatives created approximately two dozen fake Facebook accounts posing as friends of friends of Macron associates, attempting to glean personal information from campaign officials and individuals close to the candidate. Facebook detected these accounts during the first round of the election and traced their activity to tools historically used by Russia’s GRU military intelligence unit, known in cybersecurity circles as Fancy Bear or APT 28. The company deactivated the accounts, attributing the discovery to enhanced automated detection systems and increased human monitoring efforts. While Facebook confirmed the spying attempt to Reuters, it assessed that the operatives did not succeed in persuading targets to download malicious software or disclose login credentials, which investigators believed was the likely objective. Concurrently, Facebook disclosed that account suspensions in France for propaganda or spam—much election-related—had risen to 70,000 by mid-2017, a significant increase from the 30,000 reported in April. The company briefed U.S. congressional committees on these findings but did not publicly name Russia until after the election.
The GRU unit implicated in the Facebook operation had previously been linked to high-profile cyberattacks, including the 2016 breach of the Democratic National Committee in the United States. In the final days of Macron’s runoff against Marine Le Pen, email accounts belonging to his campaign officials were hacked, and their contents were leaked online. French law enforcement and intelligence agencies did not formally attribute the email breaches, though some security experts privately suggested GRU involvement without providing evidence. Mounir Mahjoubi, Macron’s digital campaign director, acknowledged these suspicions in May 2017 but emphasized no conclusive proof existed. The Kremlin denied all allegations of election interference, with spokesman Dmitry Peskov dismissing them as “a lie.” Facebook’s response to the incident occurred amid growing international pressure to curb misinformation on its platform, prompting the company to release an April 2017 report detailing “information operations,” including influence campaigns using fake accounts to amplify false or biased news. The Macron campaign attacks highlighted the dual use of social media for both disinformation dissemination and targeted espionage, though French authorities did not publicly confirm the operational impact beyond the acknowledged account suspensions and email leaks.