The Macron Hack: Sometimes the Metadata Is (Part of) the Message

After he claimed he hadn’t been hacked, 4Chan released documents from some of Emmanuel Macron’s associates (along with a whole lot of crap) last night, just minutes before by French law the candidates and press have to stop talking about the election. Given that the hacking group believed to be associated with Russia’s military intelligence GRU had been trying to phish Macron’s campaign, it is widely assumed that these files came from GRU. That’s a safe starting assumption but it has not been proven.

Here’s one review of what we know about the documents so far. Here’s advice for France on how to avoid having this become the centerpiece of the next few days.

Thus far, the most remarked aspect of individual documents from the dump (which I haven’t started reading yet) is the metadata. For example, a good number of the Microsoft documents have Russian names or metadata in them. In addition, some people are claiming that metadata associated with forgeries in the dump point to specific equipment.

As a result, a number of people have uncritically said that this makes the dump just like the DNC dump, which is further proof that the same sloppy Russians did it.

Except in doing so, most reveal untested assumptions from that DNC dump.

Back when the DNC documents came out, a number of (these very same) people noted that there was Russian metadata in those documents, as well as the name Felix Drzezhinsky, the founder of the Soviet secret police. This was described, persistently, as an accident.

The metadata in the leaked documents are perhaps most revealing: one dumped document was modified using Russian language settings, by a user named “Феликс Эдмундович,” a code name referring to the founder of the Soviet Secret Police, the Cheka, memorialised in a 15-ton iron statue in front of the old KGB headquarters during Soviet times. The original intruders made other errors: one leaked document included hyperlink error messages in Cyrillic, the result of editing the file on a computer with Russian language settings. After this mistake became public, the intruders removed the Cyrillic information from the metadata in the next dump and carefully used made-up user names from different world regions, thereby confirming they had made a mistake in the first round.

I noted, even at the time, the claim that someone who deliberately adopted the name of Iron Felix just accidentally saved the document with cyrillic characters made zero sense.

Particularly with regards to the Russian metadata, you don’t both adopt a notable Russian spook’s ID while engaging in a false flag but then “accidentally” leave metadata in the files, although the second paragraph here pertains to Guccifer 2 and not the Crowdstrike IDed hackers.

Moreover, Guccifer 2 himself pointed out what Sam Biddle had already reported: the identity metadata was not limited to Iron Felix, but included Che Guevara and (I’ve been informed) Zhu De.

Since then, some folks have looked closer and compellingly argued that the Russian metadata “accidentally” left in the documents was actually made at significant effort by opening a word document, putting some settings onto Russian language, and then copying one after another document into that document.

That said, that doesn’t mean — as some of the same folks suspect — that a Hillary staffer made the documents. This post provides five alternative possibilities.

And one thing that those arguing the Guccifer figure was created to obfuscate Russia’s role didn’t connect that claim that — as I’ve heard and Jim Comey recently confirmed — this second DNC hacker was obnoxiously loud in the DNC servers.

COMEY: The only thing I’d add is they were unusually loud in their intervention. It’s almost as if they didn’t care that we knew what they were doing or that they wanted us to see what they were doing. It was very noisy, their intrusions in different institutions.

Effectively, then, the second DNC hacker (usually attributed to GRU) was leaving graffiti inside the DNC servers and Guccifer 2 effectively left graffiti on the documents he released.

In any case, the same rush to interpret the metadata is happening now on the Macron hack as it did with the DNC hack, with repeated claims the hackers — whom people assume are the same as the ones that targeted DNC — are sloppily leaving metadata again.

If they are the same hackers (which has not yet been proven) then we sure as hell ought not assume that the metadata is there accidentally. Again, that doesn’t mean this isn’t GRU. But it does mean the last time people made such assumptions they ended up arguing ridiculously that someone trying to obscure his ties to Russia was at the same time paying tribute to them.

Sometimes, it turns out, the metadata is the message.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

15 replies
  1. Felix says:

    When you cited Vice and the mention of ‚Феликс Эдмундович‘ in that article: The actual translation is not Felix Dzerzhinksy but Felix Edmundovich, the latter is Dzerzhinksy‘s second name.

  2. Charles says:

    I think one can reasonably draw the conclusion that either (a) the DNC hacker was non-Russian, not very good with computers and wanted to implicate the Russians, or (b) was either Russian or non-Russian, was good with computers, and wanted to muddy the waters. A Russian good with computers might figure that a shabby job on substituting metadata would tend to discount Russian involvement.


    The NSA must have a full trace on the Macron hack (if not the DNC hack). Even if the data file is encrypted, it should have the same hash value and file size and should therefore be trackable over at least much of its trajectory. No?


    I can understand why they might not want to advertise their capabilities, but this is getting to be a BFD to whether we can operate democracies or not.

    • emptywheel says:

      Please read through those links on how the cyrillic got into the DNC documents. Your first suggestion is not even remotely possible. And your second–this was not a shabby job. It was rather obscure.

      • Charles says:

        Nothing is that simple as even the pretty comprehensive article would have it, Marcy. If it were, everyone would be agreed. The loophole is always “This is the only way to go about obtaining [some given document feature] short of direct editing of the source”


        Because of course one can edit the source, and throw any number or kind of red herrings into the pot; presumably professional forgers have this pretty well worked out. What is real and what is red herring has always been the problem in this case, as I have consistently said.


        And so Medium’s observation that “So I think we can say for certain that the author wanted the Russian elements to be found. Like, really desperately by the looks of things” itself is suspect. Maybe the author wanted to make it look like he was eager to have the Russian trail found so that people–especially the better analysts– would suspect it was a false trail. This answer’s’s question “Why would Russia frame itself?”


        Electronic documentary analysis, as anyone who followed “Rathergate” knows all too well, is an endless hall of mirrors, in which nothing is 100%.


        The case I describe, in which the forger was good enough to salt the trail in a strikingly too-obvious manner, is case (b) in my original post (and case (a) for Medium). My case (a), in which case the forger thought the Russian trail would succeed simply because he wasn’t very good at forgery, is cases (c) and (d) for Medium.


        So your dismissal of my suggestion, which actually matches some examples in the links you ask me to read, is premature.



        But this is by the by. My question to you was whether you think the NSA must have a trace of the Macron hack. It’s the transmission of stolen data which can’t be forged, although of course it can use relays that can obscure or even hide the endpoint. But a full trace of the exfiltration track would have the IP of the computer that finally received the hacked information. And, assuming that the computers being hacked were being monitored, tracing the exfiltration route would only require having a hash value for searching every re-transmission.


        • SpaceLifeForm says:

          “It’s the transmission of stolen data which can’t be forged, although of course it can use relays that can obscure or even hide the endpoint. But a full trace of the exfiltration track would have the IP of the computer that finally received the hacked information.”

          Sorry, but that is absolutely not a provable conclusion. No way. Sorry, but you are just not thinking outside the box enough.

          • Charles says:

            I’ve been clear and explicit.


            If you have something to say that would explain whether or not the NSA is likely to haven been able to trace how the data got from Macron to Pastebin, say it.

        • Adam Carter says:

          If it was Russia and they wanted people to think it wasn’t them, why go to all this trouble when just handling the docs carefully would be just as effective to avoid attribution?

          Trying to avoid attribution by sloppily constructing attribution to themselves is an implausible theory and would be an impractical and risky effort with zero advantage versus just handling the documents with care.

          Furthermore, if they just wanted to do a sloppy forgery to make people recognize it as a false attribution attempt the metadata alone would have sufficed, it looked dodgy thanks to 1.doc, 2.doc and 3.doc all having the same timestamps.

          Generating the RSID (Revision Save ID that allows changes to be tracked by revision session) would be a lot of unnecessary effort that would likely not be discovered (and it wasn’t until February 17th of this year), it’s both implausible and impractical for it to  be evidence-planted-on-planted-evidence.

          Add to this the context that Guccifer 2.0’s actions (choosing a Russian VPN, using a mail provider that would forward the IP he was using and sending out these tainted documents to the press, using a Russian smiley in his very first blog post, etc.)… was a LOT of effort spent trying to appear Russian on the surface… and all for what… just to leak some low-impact documents that could be achieved by anonymously releasing the originals to leak sites.

          I agree NSA should have capacity to figure this out, there’s enough activity there that they’ll have the atrophy they need to single out the probable source, however, because of where those files were possibly fabricated, I think the NSA face a considerable dilemma and may feel it best to avoid disclosure.

          • Charles says:

            If it was Russia and they wanted people to think it wasn’t them, why go to all this trouble when just handling the docs carefully would be just as effective to avoid attribution?


            Assuming this was done by the Russian government, I can see several possibilities. First is that the Russians knew they couldn’t escape detection completely, that traces of the APTs would be detected, and that then it would be assumed it was them, especially when the information came out. Therefore, everything else is there to muddy the waters, making the source of the hack unclear.

            The second is that the Russians’ goal was not to elect Trump per se, but to discredit whoever got elected. If it looked like Clinton was going to win, discredit her, if it looked like Trump was going to win, discredit him–and they had plenty of material besides hacks to do it with. Muddying the waters would add to our confusion. We would fight with one another over whether the Russians even had anything to do with the hack, rather than focus on what matters: there was interference in our elections.

            Third, when we say “Russians,” we have to allow the possibility that the hackers had access to Russian hacker tools, but were not directly part of the government. They could have been criminals employed by the Russian government, but also for hire by anyone–including Trump. The government could deny complicity, and the hackers could throw in all sorts of clues suggesting it was the government to throw people off the track that it was criminals.


            Saying that it’s “implausible” that documentary changes are deliberate because it would have been difficult or because the forgery wouldn’t easily be discovered makes (pardon me) no sense until we know who the hackers were, what tools they had at hand, and what their goals were.

            And, for that matter, the hackers and the people who released the documents may have been different groups (a possibility that as far as I know, no one has bothered to take the time to consider). Guccifer 2.0 is a source for release, not necessarily a hacker.


            What if the hack was done by the Russian government, but the documents were released to Trump associates, Hillary haters, or simple idiots to distribute?  Then the hack could be professional and the documents could have been altered in sloppy and/or deceptive ways.

            If  the documentary changes were not deliberate forgeries, then they were accidental. So, the people releasing the documents were careless or sloppy. If the hackers were the people releasing the documents, that makes the hackers sloppy, which seems unlikely (though, again, one can’t exclude it; hacking and documentary processing are different skill sets).


            Do you see how many possibilities have to be considered, that it’s hard to actually exclude a number of possibilities, and why, therefore, my basic point is that we can tell very little about the hack and release of the documents?  One has to work out a tree of many, many possibilities, an exercise that I have yet to be see done.


            What we do know is who benefited from all this and who had the motive to do it. The Russian government has long been angry with the US for meddling in its elections, over screwing the Russian economy, over Ukraine, over sanctions, and so on. They also hated Hillary and may have had control over Trump.  As crazy as they would be to deliberately generate powerful anti-Russian sentiment among the American people–knowing what it felt like to be on the receiving end of rat-f–king–they may have done it. Certainly Lavrov’s performance over Comey’s firing seemed almost calculated to infuriate the American people.


            Trump also had a motive. He could not win the election honestly. He is a crook, with long-time criminal connections. He could have arranged the hacking and the distribution of documents.

            We need a real investigation. We need NSA intercepts, communications intercepts, and all sorts of materials that the intelligence community probably does not want to give us (or take the time to find).  We need journalists shaking the trees, and CIA agents sniffing around. Armchair detectives–and I include myself in this–are not going to crack the case. At best we can figure out good questions for others to ask.

Comments are closed.