Well, this is a story. Who hacked the French presidency? The original source of the story is Le Telegramme de Brest, a bit of a surprise but not the first time a really crazy news story got out in the regional press first. It suggests the attack took place at some point during the transition from President Sarkozy to President Hollande, between the 6th and the 15th of May, and the presidential transition was used as a cover story for the clean-up operation.
This piece in L’Express is mostly boilerplate “cyberwar”, but it does give some details of the exploit and points the finger…at the United States. Now, I’ve no idea how they can be so sure, but there is some actual information in there.
Apparently, the exploit consisted of three steps. The first was a version of the now-classic spearphishing attack. Several officials were sent a message on Facebook, presumably crafted for them, inviting them to follow a link, which led to a fake version of their intranet’s login page. This harvested their login credentials. The second step used the logins to deploy the Flame worm to the Elysee’s network. Flame would compromise some of the computers, which could then be searched for interesting information.
The reasoning is, apparently, that Flame was based on Stuxnet and everyone knows Stuxnet was the Israelis and therefore that’s the same as the Americans. I paraphrase a bit. I would argue that, based on what we actually know, it’s a best-of-breed solution, with one element (the spear-phishing) that is stereotypically associated with the Chinese (like so), and another (the code from Stuxnet) that originates with someone who doesn’t like the Iranians, and further work (the development from Stuxnet to Flame) from a third party.
This is completely normal for malware development, as it is for real viruses (how long before we start talking about “genetic” viruses to force the distinction?), and this is why “attribution” is difficult. Oh yes, and don’t distribute links to documents inside the firewall on Facebook!
Meanwhile, it seems someone nicked the entire Greek ID card database, near enough, and then there was the whole crazy-weird GPS timing/NTP bug incident, where the stratum 1 time sources run by the US Naval Observatory (yeah, where Dick Cheney used to live) stopped working, as did time.microsoft.com and NIST’s time source, and NTP servers reacted weirdly differently from the way they’re meant to, and for a while the NIST GPS archive didn’t show any data.