Just a brief diary about some information that’s been circulating among Russian blogs about the Macron hack.
Recall that yesterday, French cybersecurity chief Guillaume Poupard admitted that there was no direct evidence the hack came from Russia, or from anyone in particular:
“The attack was so generic and simple that it could have been practically anyone.”
Without ruling out the possibility that a state might have been involved, he said the attack’s simplicity “means that we can imagine that it was a person who did this alone. They could be in any country.”
What Poupard is saying more broadly makes sense: we are now in a perpetual state of information warfare whose participants range from solitary hackers to nation states, and this particular hack was so basic that it lacks any strong fingerprints. (After all, some of the “leaked” documents were all but claimed by U.S. alt-right groups.)
That may yet be true of the larger hack itself: as Thomas Fox-Brewster at Forbes noted, we know that Russian hackers certainly tried, but that doesn’t necessarily mean they were the ones who succeeded in getting the documents. One thing Poupard didn’t address was the document manipulation that appeared to have occurred on at least a handful of documents and pointed, through their metadata, to a specific Russian name, Georgii Petrovich Roshka.
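The “metadata” being argued over here is the kind any Office document carries in its package: a name in a last-modified-by field, not a network trace. As an added illustration (not code from the original diary, and assuming the leaked files were Office Open XML documents, which the diary does not say), the script below builds a minimal .docx, reads the core properties a forensic reviewer would look at, and then shows how trivially anyone with the file can set that field to whatever name they like. The document and the names in it are constructed for the example; no real file is involved.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an Office Open XML package.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
for prefix, uri in (("cp", CP), ("dc", DC), ("dcterms", DCTERMS), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    "</Types>"
)


def build_minimal_docx(creator, last_modified_by):
    """Constructed sample: a bare .docx with only the parts needed for metadata."""
    core = ET.Element(f"{{{CP}}}coreProperties")
    ET.SubElement(core, f"{{{DC}}}creator").text = creator
    ET.SubElement(core, f"{{{CP}}}lastModifiedBy").text = last_modified_by
    modified = ET.SubElement(core, f"{{{DCTERMS}}}modified")
    modified.set(f"{{{XSI}}}type", "dcterms:W3CDTF")
    modified.text = "2017-05-05T12:00:00Z"  # constructed timestamp
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("docProps/core.xml",
                   ET.tostring(core, encoding="UTF-8", xml_declaration=True))
        z.writestr("word/document.xml", "<w:document/>")  # placeholder body
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return the core-properties fields (creator, lastModifiedBy, modified, ...)
    as a plain dict keyed by local element name. This is all a metadata
    'attribution' amounts to: strings inside one XML part of a zip file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in root}


def plant_last_modified_by(docx_bytes, name):
    """Rewrite cp:lastModifiedBy to an arbitrary name, leaving every other
    part of the package byte-for-byte as it was. No special tooling, no
    Office install, no trace in the document itself."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read("docProps/core.xml"))
    node = root.find(f"{{{CP}}}lastModifiedBy")
    if node is None:
        node = ET.SubElement(root, f"{{{CP}}}lastModifiedBy")
    node.text = name
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    src.close()
    return out.getvalue()


if __name__ == "__main__":
    original = build_minimal_docx("original.author", "original.author")
    print("before:", read_core_properties(original))
    tampered = plant_last_modified_by(original, "planted.name")
    print("after: ", read_core_properties(tampered))
```

Run it and the second line reports whatever name was planted, with the creator and timestamp untouched. That is the practical content of Doman’s “false information planted by the attackers” caveat: a last-modified-by string is an assertion made by whoever last wrote the zip, and it corroborates nothing on its own. It becomes interesting only when, as in the reporting discussed below, the name can be tied to an independent record that the planter would have had no reason to know about.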
Last month Chris Doman at AlienVault argued that this document manipulation likely came after the hack itself, and that any further investigation of this thread should come with a couple of caveats:
Before linking any individual [i.e. Roshka] to these attacks though it's important to note:
- A number of people have that name;
- This could be false information planted by the attackers; or
- An entirely innocent employee at a bank somewhere has been unfortunate enough to get caught up in this.
And given that we know no small number of the documents were fake and/or manipulated, the second option is not at all far-fetched. Still, a few days later, the Russian analytics blog The Insider pointed to a Georgii Roshka who worked for Evrika (“Eureka”), a Russian computer equipment and software company whose contracts were almost exclusively government-related:
For example, the Eureka company is known to have received a license from the FSB to perform activities for the protection of state secrets, and also to have fulfilled contracts for JSC NPO Quantum, who work for the Ministry of Defense.
Apart from a note that this Roshka also attended a conference on computing technology on behalf of Eureka in 2014, The Insider’s profile unfortunately ran into dead ends all around. The companies and people involved refused to participate (Eureka later denied that Roshka ever worked for them or went to any conferences on their behalf, despite conference documents listing him as a Eureka employee), and no further public information appeared to be available.
Today The Insider is back with a long post, the first of a promised series, identifying this same Roshka as a self-described military specialist in cryptography when he attended the same conference in 2016. Moreover, the Moscow-based GRU unit that Roshka indicated he worked for was then under Sergei Gizunov, a Russian official since sanctioned for “undermining” U.S. elections.
We can tell this is the same Georgii Roshka as the Eureka guy because, in addition to the wild coincidence it would otherwise entail, he provided the same email contact information. And the folks at The Insider were very lucky to get the information, most of which had “disappeared,” according to the conference organizer, due to technical problems on his end (natch).
All that being said, keep your usual grains of salt at hand: this is still circumstantial, and it remains to be seen if The Insider has more substantial information to provide in its promised follow-up pieces. There are, admittedly, a lot of lines being drawn in their article to a lot of different people, with various levels of confidence. Still, if the name Roshka was planted as false information, it seems like an awfully obscure person to pin fake metadata on (it took a month for anyone to find him!), and the coincidences required if this isn’t the right Georgii Roshka would be pretty mind-blowing.
The take-home point is this: for the first time, we have a positive identification that the name appearing in the Macron document metadata is shared by a Russian military intelligence employee whose stated specialty is cryptography.
So… something to watch.
h/t Max Seddon on twitter