French elections hack: Successful counterintelligence using cyber deception

French elections hack: Successful counterintelligence using cyber deception

In case you’re not up to speed: In the recent French elections, just before the election communication blackout was announced, stolen documents and emails (supposedly belonging to French President-elect, Emmanuel Macron) were released. Macron’s PR team immediately released a statement saying that some of these emails were fake. When the press reported on the incident, they emphasized this point.

On the one hand, it seems Macron learned from Hillary Clinton’s experience and took charge of the press immediately. On the other hand, and much more interestingly, the Macron team reportedly seeded the attackers’ attempts with fake data. Apparently, this not only slowed down the attackers, but also may have created a situation in which readers doubted the authenticity of every published piece of data.

Image source:

What the Macron team did (if this in fact happened as described) is take charge. This changes everything in cyber security, where up until now we’ve mostly been on the defensive, assuming attackers will succeed in breaking through our static defenses. This validates once again what Cymmetria has been working on with MazeRunner: deception is about information. How do we control what our opponents know about us, so that the decisions they make work in our favor?

If you’re interested in reading more about this, check out my personal blog on the subject, which explores the possible counterintelligence campaign, how it worked, and its OPSEC implications:

Deception isn’t just about networks and computers; there are many assets which an organization may want to protect, such as data. MazeRunner creates an environment in which attackers can’t know what’s real and what isn’t. It allows its users to control the path attackers take in the organization, and the data they may steal. With MazeRunner, organizations seed decoy machines with files of their choice (for example, planting files in an SMB share), so that an attacker will steal the information the organization wants them to steal.

Furthermore, MazeRunner has an advanced honeydocs feature. Files can be left for the attacker to steal anywhere, on any computer. After these files are stolen and opened by an insider or an attacker, the files will send a beacon home to alert that they have in fact been stolen, and provide forensics on who may have stolen them.

Deception and disinformation have been basic tools for engaging with an opponent throughout history. Their use enables organizations to control the opponent, be dynamic (rather than just construct static defenses for them to bypass), and specifically to assure that they can detect attackers and data breaches much faster.

Deception stops lateral movement by increasing the attackers’ costs exponentially, regardless of zero-day vulnerabilities, and allows you to investigate events and alerts in real time – knowing which alert is real and which is a false positive.


Gadi is the Founder and CEO of Cymmetria. Prior to founding Cymmetria, he was VP of Cybersecurity Strategy for Kaspersky Lab, led PwC’s Cyber Security Center of Excellence (located in Israel), and was CISO of the Israeli government’s Internet operations. Gadi is widely recognized for his work in Internet security operation and global incident response, and is considered the first botnet expert. He is currently Chairman of the Israeli CERT.

Share this:


Scroll to Top