NSA’s Spying on Le Pen Is Probably Working Better than GRU’s Spying on Macron

In advance of this report on APT 28 (the hacking group presumed to be tied to Russia’s military intelligence, GRU, blamed for the DNC hack-and-leak), Trend Micro got a lot of publicity for its report that APT 28 had targeted Emmanuel Macron, who just won the most votes in France’s presidential election and will face a run-off against Marine Le Pen in a few weeks.

At least according to Macron’s campaign, the attempts to phish his campaign were unsuccessful.

Mounir Mahjoubi, digital director of Mr. Macron’s campaign, confirmed the attempted hacking, saying that several staffers had received emails leading to the fake websites. The phishing emails were quickly identified and blocked, and it was unlikely others went undetected, Mr. Mahjoubi said.

“We can’t be 100% sure,” he said, “but as soon as we saw the intrusion attempts, we took measures to block access.”

The timing of all this is all rather interesting. Back in early February, France’s Le Canard Enchaîné exclusively reported that France’s security officials worried that Macron would be hacked, a vague report that was picked up really broadly without confirmation. Shortly thereafter, Macron claimed that his campaign had been the target of thousands of attacks from entities within Russia’s border, including a DDOS attack that took down his website for nine minutes. According to the sole mention of Macron in the Trend Micro report, the OneDrive-based phish targeting Macron took place a month later, on March 15.

These hacking attempts accompanied a great deal of fake news (and leaked gossip) targeting Macron. But at least if Macron’s own campaign is to believed, APT 28 never succeeded in its attempt to hack the favorite to be France’s next president, and so presumably has not yet succeeded in stealing emails that Russia might use to attack Macron during the run-off.

Which gives the hype about APT 28’s attempted hack a really curious character. It is treated as if Russia is the only state actor that might be spying on French presidential candidates.

Does anyone honestly believe that the United States is not spying on Le Pen, for example, given that the CIA and NSA have a history of spying on candidates with whom the US is even friendlier than Le Pen? Indeed, earlier this year, WikiLeaks published a tasking order for CIA to collect HUMINT and open source intelligence on all the parties in the 2012 French election, though without any cyber element specified. In 2010, the incumbent Pakistan People’s Party was included in NSA’s foreign government Section 702 certificate by name. And in 2012, CIA and NSA partnered to target Enrique Peña Nieto and nine of his closest associates in the weeks leading up to his victory. With both the PPP and EPN, these were nominally political parties friendly to US interests.

By comparison, it would seem that targeting Le Pen, at a time when the intelligence community has a very public concern about collusion between Russia and populist parties in Europe to destabilize Europe, would be a no-brainer.

And here’s what else gets left out of the coverage of GRU’s attempts to spy on Macron: how much easier a job the NSA might have than GRU, even ignoring NSA’s greater capabilities.

Many (though not all) of the phishing attempts detailed in the Trend Micro report pretend to be the email log-ins for US-based email providers: with virtually all the most detailed attention on Yahoo, Gmail, and Microsoft. The attempted Macron targeting exploited his campaign’s use of OneDrive. That means all the entities GRU targeted with phishes pretending to be US providers are available to NSA via Section 702, or PRISM.

In other words, to collect on the very same targets that GRU is targeting via phishing attacks that users continue to be better informed about (and that Macron claims to have withstood entirely), the NSA could just add LePen’s email address to the list over 93,000 targets being targeted under Section 702 (as they presumably did with PPP in 2010). And unlike a phishing campaign, which can be made more difficult with the use of two factor authentication, Le Pen would have no defense against collection targeting her or her campaign’s PRISM provider accounts, beyond encrypting everything that resided in an American-owned cloud (and even there, there would be a great deal of interesting metadata available). If she or key aides uses any of the major American tech providers, stealing their emails would be as easy as providing a foreign intelligence justification (one that would be bolstered by her close ties with Russia) and tracking to make sure her accounts are detasked when she comes to the US to visit Trump Tower.

All that’s on top of any more sophisticated targeting of Le Pen akin to what CIA and NSA did against EPN.

And therein lies the rub, the reason you shouldn’t be saying, “So what? We should spy on that fascist Le Pen, she’s a menace to civilization” (though I agree she is).

The NSA’s spying on Marine Le Pen is likely having more success than GRU’s spying on Emmanuel Macron. But is there any reason to believe — particularly given CIA’s targeting of all French parties in 2012 and given Trump’s stated preference for Le Pen — to think that NSA is not also targeting Macron, targeting his OneDrive in a way that would be immune from whatever defenses he is using against phishing attacks?

Here’s where folks will say, “but we don’t leak stolen communications,” in spite of some evidence that we have in the past, albeit perhaps not in a democratic election. (On that note, this Politico story exposing Mike Flynn’s ties, via his Turkish lobbying client, to Russia, relies on a WikiLeaks-released email, which is a notable instance where evidence made available by WikiLeaks may help those investigating Russia’s influence on the Trump administration.). Of course, GRU can only leak what it can steal, and Macron believes that GRU hasn’t succeeded in stealing anything.

Furthermore, we have no visibility what US policymakers in the past have done with intelligence collected on political parties. We certainly have no current limits on what Trump can do with it, aside from limits on the dissemination of that actual raw emails. We’ve always given the President great discretion on such issues, in the name of ensuring a unified foreign policy. And there are plenty of ways Trump’s administration could intervene to help Le Pen beyond just leaking any derogatory information on Macron.

All this is not to say that GRU’s reported continued attempts to hack democratic targets is not a concern (indeed, I’m at least as worried that FSB is conducting similar intelligence collection without the same easily identifiable tracks).

But it is to say that, particularly in the era where Donald Trump sets this country’s foreign policy, we need to be a lot more mindful of NSA’s own far more considerable ability to steal information on democratic candidates.

9 replies
  1. earlofhuntingdon says:

    Since the Second World War, American intelligence services have repeatedly spied on and interfered with French (and Italian, British and German) elections. That interference has rarely been to the benefit of progressive or left-leaning parties or politicians. It seems unlikely, given our increasing ability to do so digitally, that we would interfere less now than we have done before.

  2. Rapier says:

    So per usual the choice is a fascist, using the term liberally, or a neoliberal, but there is nothing liberal about neoliberalism.  It’s logical to choose the neoliberal because they promise to keep the bubble inflated. Eventually they won’t be able to keep the bubble inflated and then it will be the fascists.

  3. Evangelista says:


    Is this a “False-Flack-Attack”?  NSA hack-flacks fake a hack as ‘APT28’, the ‘hack’ entity assigned in USAllegation/assertion (no proof required) to be DNC hackers (no proof required) and, Russia-hacking being the narrative (no proof required), to be subset to a “GRU Russian hacking group” (no proof required) by making a few script-kiddie competence level intrusion-pokes from US company/entity “sources” to give an appearance of “Russian GRU hacking French Election like they did the DNC/US Election”?

    How many voters anywhere can follow the convolutions of this ‘devious’ thinking?  How many pundits can keep their minds off themselves and their pwn pronouncements long enough to reach the third stage?

    So what you (NSA) get is re-reinforcement for the old DNC narrative, support for the old APT28-is-GRU narrative, the old Russian-Hackers and Russian-State-Hackers narratives, a kick-in-the-pants send-off for a new ‘Russians hacking French elections, too!’ narrative…  AND, with “American Entities” “involved” (just on record, no proof of the script-kiddie-class-hacks achieving anything except maybe some puffs of media-smoke) a “legal” basis for the US NSA to hack both candidates under the PRISM of Section 702…!!!

    A “no-brainer”, indeed!  It is all possible because ain’t nobody nowhere using any brain.  Just letting the script-kiddie competence level intellectuality that is the hallmark of the USA in the 21st century run its course, follow its channel, continue to run down-hill…  Everybody too busy looking for loop-holes and dodges to slip and slide and end-run around, the do because they have figured out a way to do, oblivious to the fundamental question, “What the hell would they, or anyone, want to for?”


  4. b says:

    A few phishing emails ain’t an “attack”. If they were I would claim to be “under attack” each and every day. Pure nonsense.

    Likewise a DDoS attack “from Russia”. A few weeks ago two Israeli teenagers were caught that ran a huge DDoS service.  One could buy a DDoS “tests” of a specified website for some $100. None of the attacks of course “originated” from Israel  (see Brian Krebs reporting on this). They came from all over the world. A Distributed Denial of Service attack “from Russia” would not be a “distributed” one at all. This is obviously bollocks and fakenews.

    To say that a phishing attempt has something to do with ATP XYZ is also nonsense. Phishing is a daily nuance,  not an “advanced persistent threat”.  To claim ATP XYZ is related to one actor of one country when that ATP is well known by all relevant services and easy to fake is also high bullshit.

    Marcy – all your “Russian hacking” pieces have been at a level WAY below your usual quality. I don’t get why you fall for such stupid stuff.


    • emptywheel says:


      Sometimes your criticism is right on–and well appreciated.

      But you’re the one making the errors here! The implication of the DDOS attack is that it happened before the phish (and so was unrelated). I did not say it was Russian; I repeated Macon’s claim that it came from within Russia’s borders. I suggested the credulous repetition of the Canard claim was not well sourced.

      I don’t know why you fall for not reading Russian articles as closely as you normally do. It’s well below your normal quality.

      You see, this can go both ways. You apparently have not noticed that one can try to sort through the claims on the Russian hack, but instead see any mention of one as a red alert, as if Russia, like everyone else, doesn’t spy.

      • Evangelista says:

        “[A]s if Russia, like everyone else, doesn’t spy.”…


        Do you mean “…doesn’t f-k around “hacking” elections.”?

        International spying, by all means, is an international given.  F-king around in elections is not spying.  It is f-king around.  It is, in usual usage, national, not international.

        International f-king around in elections, in Other Nations’ elections, is a World Commercial Empire United States specialty.  To date almost no nations, except the WC Empire [and Israel, the Castle-on-the-Hill dominating the Empire] have engaged in cyber f-king around in others’ internal politics.  The Empire is presently having hysterical fits screaming “Everybody Else Is Doing It [what everyone knows The Empire has been rampantly doing to virtually everyone]!”

        The WC Empire is the Pot.  It is calling every nation on the planet a ‘Kettle’ [as it imagines itself] and trying to scream “They’re Black [But We Aren’t]”.

        b is correct:  Your “Russian Hacking” writing is all ‘kool-aid’ stained.  You appear to have bought the ‘Russian-Hacking narrative’ with religious conviction, to have cast aside all skepticism and swallowed the ‘party-line’.

        You need to start talking to people with real and knowledge and cyber-competence and recover your skepticism.


        • emptywheel says:

          What you and b seem to like to ignore is that my views–which admittedly may be wrong–come from having spoken to actual firsthand sources. b keeps making claims that suggest he believes I’m working off the public record. But, as I’ve repeatedly repeatedly repeatedly noted here, that’s not the case.

          So is it koolaid to speak to people who would actually know and repeat it? According to  you guys, yes.

  5. Evangelista says:


    “[A]ctual firsthand sources”, in the case of ‘Russian Hackers’, would be Russian Hackers.

    If you have some of these for sources, you should reveal them. If you have secondary sources, you should identify them, and their ‘Russian Hacker’ identificatory processes, so that others may replicate to determine authenticity.

    As these things stand now, if you do have confessed Russian Hackers, or provable ‘Russian Hacker’ identifying secondary sources you have a scoop on everyone, because No One has yet provided legitimated, provable authentication for the ‘Russian Hackers’ of the ‘Russian Hackers’ narrative.

    If some sort of stand-in-for-Jesus has written in the sky, or with moving finger on the wall, or shown Golden Tablets to you, and so you verily believe, then your certainty is True Belief. True Belief is subject to discount by skeptics. Show us the Writing, in sky or on wall, or show us the Tablets, or Habeus Corpus your sources. Us skeptics (and there are a lot of us, especially amongst the really expert) need proofs.

    Until you show authenticatable proofs, you may claim Blood, Wine, or Eucharist, but we skeptics will see Kool-Aid.

    • emptywheel says:


      What you’ve just written is hysterical, and you don’t even seem to understand it. Your starting position, per you, is that a second Russian entity hacking the DNC (on top of APT 29, which no one seems to doubt is Russia and which targeted 1000s of other people at same time but which DNC was just too stupid to do anything about) is the equivalent of a miracle.

      Then you lay out, falsely, what would be necessary to provide some basis to believe that that miracle happened, literally saying that the only thing that would be proof is for you personally to touch the holes in Jesus’s hands.

      I mean, if that’s where you’re at cognitively, that’s where you’re at. I assume you also believe the world is flat?

Comments are closed.