{
	"id": "aebea4c0-1332-44d7-af6a-3269a1a3ae29",
	"created_at": "2026-04-06T00:17:09.21378Z",
	"updated_at": "2026-04-10T03:37:50.306638Z",
	"deleted_at": null,
	"sha1_hash": "13d60ffb2cb3d9af879331fa5cb67c87abb9321d",
	"title": "Russian Hackers ‘Fancy Bear’ Targeted French Presidential Candidate Macron",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64481,
	"plain_text": "Russian Hackers ‘Fancy Bear’ Targeted French Presidential\r\nCandidate Macron\r\nBy Lorenzo Franceschi-Bicchierai\r\nPublished: 2017-04-24 · Archived: 2026-04-05 23:37:10 UTC\r\nAfter embarrassing the US Democratic Party with a brazen hack last year, followed by even more brazen leaks\r\nover the summer, a group of Russian government hackers has taken aim at the next big Western election: the one\r\nin France. Over the last two months, the group known as Fancy Bear or APT28 has targeted the campaign of\r\nEmmanuel Macron, the 39-year-old frontrunner to become France’s new president.\r\nFor weeks, Macron has been crying wolf, accusing Russia of trying to hack into his campaign’s computer systems.\r\nBut there was no public evidence of any attack—until now.\r\nCybersecurity firm Trend Micro has found evidence that Fancy Bear created at least four different domains with\r\naddresses very similar to the official name of his party, En Marche, and of his official website, en-marche.fr. The\r\nhackers presumably created them to launch phishing campaigns similar to those that tricked John Podesta and\r\nColin Powell into giving away their password, opening up their inbox to the hackers, and, later, to the world.\r\nFancy Bear has a long and successful history of using phishing to go after high-value targets, and their modus\r\noperandi is to use email domains that can trick the would-be victim into thinking the phishing email is legitimate.\r\nIn the case of Macron, one of the fake domains the hackers used was onedrive-en-marche[.]fr. 
The Macron\r\ncampaign, according to online records, uses Microsoft Outlook for their emails, so it’d make sense to make a\r\ndomain with the name of another Microsoft cloud product.\r\nA portion of a table showing several phishing domains used by Fancy Bear in the last few months.\r\n(Image: Trend Micro)\r\nTrend Micro spotted the phishing attempts by monitoring the creation of new domains with similar names to the\r\noriginal, legitimate Macron campaign address.\r\n“That is very suspicious,” Feike Hacquebord, a researcher at Trend Micro who’s been tracking Fancy Bear since\r\n2014, told Motherboard in a phone call. “That immediately sets a red flag.”\r\nThe Macron campaign, as well as the French government, did not respond to an email asking for comment.\r\nHacquebord noted that there’s no way for him to know whether the campaign was successful—all he had visibility\r\ninto was the creation of the domain. But Frederick Douzet, a professor of Geopolitics at Université Paris 8, said\r\nthat she has heard both Facebook and France’s Network and Information Security Agency (ANSSI)\r\nacknowledge that there have been successful attacks similar to the ones that took place during the US elections.\r\n“There’s a clear sign of activity,” Douzet told Motherboard in a call.\r\nMacron’s political ideology has made him a target for Russia. The former economist, who just recently got into\r\npolitics, is pro-European Union and pro-Euro. While Marine Le Pen, the other candidate who came in second on\r\nSunday and will square off with him in the second round in two weeks, is more pro-Russian and has threatened to\r\npull France out of the EU if she wins.\r\nRegardless of the success of Fancy Bear’s new phishing campaign, one thing is clear. 
Despite being publicly\r\ncalled out by the US government, the hackers are not slowing down.\r\n“They don’t really care,” Hacquebord said, “because they get what they want.”\r\nA previous version of this story said that ANSSI and Facebook had told Douzet there had been attacks by Fancy\r\nBear. But Douzet only meant ANSSI and Facebook had seen attacks similar to those Fancy Bear did during the US\r\nelections.\r\nSource: https://www.vice.com/en_us/article/ez35p7/russian-hackers-fancy-bear-targeted-french-presidential-candidate-macron",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.vice.com/en_us/article/ez35p7/russian-hackers-fancy-bear-targeted-french-presidential-candidate-macron"
	],
	"report_names": [
		"russian-hackers-fancy-bear-targeted-french-presidential-candidate-macron"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13d60ffb2cb3d9af879331fa5cb67c87abb9321d.pdf",
		"text": "https://archive.orkl.eu/13d60ffb2cb3d9af879331fa5cb67c87abb9321d.txt",
		"img": "https://archive.orkl.eu/13d60ffb2cb3d9af879331fa5cb67c87abb9321d.jpg"
	}
}