Macron campaign confirms phishing attempts, says no data stolen

Emmanuel Macron, head of the political movement En Marche !, or Onwards !, and candidate for the 2017 presidential election, visits a farm as part of his presidential campaign in Montlouis-sur-Loire near Tours, France, February 10, 2017. REUTERS/Stephane Mahe

By Michel Rose and Eric Auchard PARIS/FRANKFURT (Reuters) - French presidential candidate Emmanuel Macron's campaign team confirmed on Wednesday that his party had been the target of a series of attempts to steal email credentials since January but that they had failed to compromise any campaign data. Macron's party, known as "En Marche!" or "Onwards", said it had been hit by at least five advanced "phishing" attacks that involved trying to trick a broad number of campaign staff members to click on professionally-looking fake web pages. The latest attacks were confirmed by security firm Trend Micro, whose researchers found links to a cyber espionage group it has dubbed Pawn Storm, the Macron team noted. Other experts link the group, also known as "Fancy Bear" or "APT 28", to Russian military intelligence agency GRU. Russia has denied involvement in attacks on Macron's campaign. Macron, an independent centrist who has been critical of Russian foreign policy, faces far-right leader Marine Le Pen in France's presidential runoff on May 7. Le Pen has taken loans from Russian banks and has called for closer ties with Moscow. "Emmanuel Macron is the only candidate in the French presidential campaign to be targeted (in phishing attacks)," his party said in a statement, adding this was "no coincidence". In mid-February, an En Marche! official told a news conference the party was enduring "hundreds if not thousands" of attacks on its networks, databases and sites from locations inside Russia and asked the French government for assistance. The Macron campaign said on Wednesday it had carried out counter-offensive actions against the fake web sites, which were designed to trick campaign workers into divulging their user credentials. As a further precaution, it also said En Marche! does not use email to share confidential information. ATTEMPTED BREAK-INS? Netherlands-based researcher Feike Hacquebord of Trend Micro said this week he had found evidence that Pawn Storm, which has been active since 2004, had targeted the Macron campaign with email phishing tricks and attempts to install malware on the campaign site in mid-March. ( Hacquebord said some of the same digital fingerprints linked the Macron phishing attacks with those last year on the Democratic National Committee (DNC) and U.S. presidential candidate Hillary Clinton's campaign. He also found evidence that Pawn Storm was using similar techniques in the past two months to target two foundations tied to Germany’s ruling coalition parties ( and to attack German Chancellor Angela Merkel's party, the Christian Democratic Union, in April and May of last year. Security firm CrowdStrike has said the group may be associated with the Russian military intelligence agency GRU. Other U.S.-based firms SecureWorks, FireEye and ThreatConnect have also said the group has ties to the Russian government. A report this month by Denmark's Center for Cyber Security detailed a string of phishing attacks against the Danish armed forces and the ministries of defence and foreign affairs during 2015 and 2016 which it blamed on APT 28, or Pawn Storm. The report, in Danish, can be found here. ( "It is linked to the intelligence services or central elements in the Russian government, and it is a constant battle to keep them away," Foreign Minister Claus Hjort Frederiksen of NATO member Denmark told newspaper Belingske on Sunday. Hacquebord's Tokyo-based Trend Micro has consistently said conclusive proof of Russian involvement is hard given the difficulty of attributing cyber attacks. His Pawn Storm can be read here ( Asked about Trend's findings that Macron was under cyber attack, Kremlin spokesman Dmitry Peskov said on Monday: "What (hacking) groups? From where? Why Russia? This slightly reminds me of accusations from Washington, which have been left hanging in mid-air until now and do not do their authors any credit." (editing by John Irish and Gareth Jones)