On November 22nd the French global construction and concessions giant Vinci SA was targeted by a sophisticated social engineering attack. As a result, Vinci’s stock price collapsed by almost 19%, temporarily bringing the market capitalisation of the company down from €36.5bn to €29.5bn.
The attack makes an interesting case study due to a combination of several factors: its success in creating a significant negative impact on Vinci’s share price, its low cost of implementation and its relatively sophisticated tactical planning.
The situation unfolded as follows:
- 16:05: distribution by an unknown party (the Attacker) of the first false press release (Release 1) to the editorial offices of multiple global press agencies
- 16:06-16:07: the Bloomberg and Dow Jones agencies pick up elements of Release 1
- From 16:10 onwards: Vinci’s spokesperson denies the false information to the press agencies. This official denial is immediately repeated by the agencies
- 16:15: trading in the shares is suspended after a fall of more than 18% in the share price
- 16:19: trading in the shares resumes and the price goes back up to a level close to but lower than that recorded before the distribution of the first false press release
- 16:27: distribution by the Attacker of a second false press release (Release 2) containing a partial denial
- 16:49: Vinci publishes a written denial on its website
- 17:02: distribution of the written denial to the AMF (the French equivalent of the SEC), the financial markets and the press
- 17:15: Vinci’s Legal Director calls the AMF
- 17:35: distribution by the Attacker of a third and final false press release (Release 3) containing a “pseudo-claim” of responsibility
2. Instruments and methods used by the Attacker
The attack was based on principles of social engineering. The Attacker used several ways to imitate Vinci:
- The false press releases were sent from two e-mail addresses based on domains which appeared highly credible: (1) both included the name of the company: www.vinci.group and www.vinci-group.com, (2) both were very similar to the actual domains used by the company (compare www.vinci.com or www.vincigroup.com, both owned by Vinci)
- A fake copy of Vinci’s website was hosted on both domains
- The contact details included in the press releases named an actual Vinci employee, but the phone number was operated by an impersonator
- The language of the first and second press releases (especially the former) was very professional, strongly resembling that used in actual corporate announcements
- The false press releases were sent to the specific e-mail addresses at media organisations dedicated to receiving official updates from corporations
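The two sender domains described above are lookalikes of Vinci’s real domains: the same name under another TLD (vinci.group vs. vinci.com) and the same name with a hyphen inserted (vinci-group.com vs. vincigroup.com). The following is an added example, not code from the original article, of the kind of inbox-side check a newsroom could run on the sender domain of an incoming “press release”; the legitimate domains are the two the article names, and the three lookalike tests (name reused under another TLD, separators moved, one typo away) are my own assumptions about what is worth flagging.

```python
import re

# Domains the article states are actually owned by Vinci (constructed allow-list).
LEGITIMATE_DOMAINS = {"vinci.com", "vincigroup.com"}
BRAND = "vinci"


def normalise(value: str) -> str:
    """Reduce an e-mail address or URL to a bare lower-case domain."""
    d = value.strip().lower()
    if "@" in d:                       # press@vinci-group.com -> vinci-group.com
        d = d.rsplit("@", 1)[1]
    d = re.sub(r"^https?://", "", d)
    d = re.sub(r"^www\.", "", d)
    return d.rstrip(".")


def label(domain: str) -> str:
    """Name part without the TLD, separators removed: 'vinci-group.com' -> 'vincigroup'.
    Dots and hyphens are exactly what a lookalike registrant moves around."""
    parts = normalise(domain).split(".")
    return re.sub(r"[^a-z0-9]", "", ".".join(parts[:-1]))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(value: str, legit=LEGITIMATE_DOMAINS, brand=BRAND):
    """Return (verdict, reason) for a sender address or domain."""
    d = normalise(value)
    if d in legit:
        return "allow", "registered company domain"
    lab = label(d)
    for real in sorted(legit):
        if lab == label(real):
            return "block", f"same name as {real} under another TLD or with separators moved"
    if brand in lab:
        return "block", "contains the company name but is not a registered company domain"
    for real in sorted(legit):
        if levenshtein(lab, label(real)) <= 1:
            return "block", f"one edit away from {real}"
    return "unknown", "no resemblance to company domains"
```
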
3. Kill chain
The attack can be broadly divided into four phases.
Phase I – first false press release
The Attacker distributed the first fake press release (Release 1) to multiple global news agencies. The message appeared credible due to several factors:
- It was sent from a plausible looking e-mail address containing Vinci’s name (firstname.lastname@example.org)
- It contained a link to a domain containing Vinci’s name (www.vinci.group) which hosted a fake copy of the company’s website
- It included the name of an actual Vinci press officer and a phone number for further inquiries
- The language of the release was professionally crafted, resembling the tone and form of official corporate press releases
- It was received by the media through an e-mail address dedicated to companies sending official updates
Release 1 contained two key pieces of false information:
- Vinci had uncovered significant accounting irregularities to the tune of €3.5bn and would have to restate its consolidated results for FY 2015 and H1 2016, turning the Group’s profit into a loss for both periods
- The CFO of Vinci had been dismissed as a result of the newly uncovered irregularities
The objective of Release 1 was most likely to cause a negative impact on Vinci shares, both in terms of price and trading continuity.
Phase II – impersonation of Vinci’s press officer
Following receipt of Release 1, some media outlets followed up with calls to the contact person indicated in the announcement. As the phone line was actually operated by the Attacker, the calls were answered by an impersonator who confirmed the authenticity of the information included in Release 1. In addition, journalists accessed the fake company website via the link provided in the press release, which contained the same information as Release 1.
As a result, the information contained in Release 1 was relayed into the public domain by some of the major media outlets, including Bloomberg (the media agencies removed the information several minutes after its publication).
Vinci’s stock price responded to the publication of the information with an instantaneous drop of 10%, after which trading was automatically halted by the Euronext Paris stock exchange. After several minutes the stock exchange decided to resume trading. Once trading was restarted the shares fell another 10%, reaching the level of €49.93, after which trading was halted, at 16:15, for the second time. Trading recommenced at 16:19 but was halted yet again, for a third time, until resuming in earnest at 16:23.
Phase III – second false press release
The Attacker distributed a second fake press release (Release 2) at 16:27, four minutes after trading in the shares was fully restored.
Release 2 included the following information:
- A statement that Vinci had fallen victim to a defamatory disinformation attempt
- Release 1 had been sent by impersonators
- The impersonators had fled Vinci’s offices after sending the information
- The company denied that the CFO had been dismissed
The Attacker used the following measures in an attempt to make Release 2 look credible:
- It was sent from a different address than the one used for Release 1
- The domain on which the e-mail address was based looked plausible: it included Vinci’s name and was almost identical to an actual domain used by the company (www.vinci-group.com vs. the actual www.vincigroup.com)
- It openly stated that Release 1 was a fake sent by unknown malicious actors
- It denied (some of) the statements included in Release 1
- It was sent to the dedicated e-mail addresses (in the same way as Release 1)
The information content of Release 2 was designed to inflict further damage on the company:
- It suggested that unauthorised personnel had had access to Vinci’s premises, which opened the field for speculation about other potential negative consequences (e.g. a data breach)
- The denial was partial and focused on the dismissal of the CFO; it did not address head-on the question of potential accounting irregularities, thus creating an aura of financial uncertainty
During Phase III the Attacker sought to regain the initiative, deal another blow to the company’s image and cause another share price collapse. Despite these ingenious tactics the Attacker did not succeed. At this stage media outlets were much more critical of the incoming information. Despite the renewed attempt at share price destabilisation, the stock managed to recoup most of its losses, stabilising in the €58 – €60 range, a couple of percentage points below the pre-attack level.
Phase IV – third false press release
At 17:37 the Attacker distributed the third and final false press release (Release 3). It was sent from the already “burnt” address based on the www.vinci-group.com domain. Unlike the previous two releases, it represented a direct communication by the Attacker with no attempt at impersonation.
Release 3 mainly focused on criticising Vinci’s corporate conduct, in particular its involvement in:
- Notre-Dame-des-Landes airport project (opposed by environmentalist groups and some of the local farmers)
- Construction projects in Qatar (the release mentions exploitation of Indian and Nepalese workers)
- Construction projects in Russia (the release mentions persecution of journalists who seek to expose corruption)
Unlike the previous two, Release 3 was written in a much less professional manner. Interestingly, it also included several language mistakes. One can only speculate about the purpose of Release 3. If taken at face value, as a “true confession of the Attacker”, it does not fit well with the ingenious and sophisticated modus operandi previously demonstrated by the Attacker. It is fairly crude, simplistic and written with mistakes. Arguably it is just a decoy meant to distract investigators by providing multiple clues as to the potential identity and motivation of the perpetrator.
What could be the strategic objective of the attack?
The spectrum of strategic objectives pursued by the Attacker is relatively clear:
- Financial – the Attacker sought to profit from trading Vinci’s stock based on foreknowledge of events (i.e. a share collapse due to Release 1 followed by a likely rapid recovery once the company managed to clarify the situation)
- Ideological – the Attacker wanted to punish Vinci for its corporate conduct by destabilising the company’s share price, dealing a blow to its reputation and gaining publicity to highlight the alleged corporate violations
- Strategic – the Attacker, driven by political and/or competitive motives, executed the operation to undermine Vinci’s market position (possibly as part of a broader campaign)
Did the Attacker actually target Euronext Paris?
In addition to Vinci-related objectives mentioned above, an interesting, out-of-the-box hypothesis was suggested by the French daily Le Parisien. Given that the disruptive impact on Vinci’s share price was very short-lived and the damage to its reputation limited if any, one could speculate that possibly the company was not the actual (or at least not the only) target of the attack.
Another entity negatively affected by the events was the Euronext Paris stock exchange, on which Vinci’s shares are listed. The attack resulted in a significant disruption of trading in an important stock. Given the growing risk of flash crashes, it is becoming increasingly important that stock market operators become adept at preventing them, or at least at mitigating their impact. Lack of such ability may result in the erosion of a market’s global competitive position (or at least an inability to capitalise on flash crashes affecting its rivals).
(The article was originally published on LinkedIn on November 27, 2016)