PARIS — Everyone saw the hackers coming.
The National Security Agency in Washington picked up the signs. So did Emmanuel Macron's bare-bones technology team. And mindful of what happened in the U.S. presidential campaign, the team created dozens of false email accounts, complete with phony documents, to confuse the attackers.
The Russians, for their part, were rushed and a bit sloppy, leaving a trail of evidence that was not enough to prove they were working for the government of President Vladimir Putin but which strongly suggested they were part of his broader "information warfare" campaign.
The story told by U.S. officials, cyberexperts and Macron's own campaign aides of how a hacking attack intended to disrupt the most consequential election in France in decades ended up a dud was a useful reminder that as effective as cyberattacks can be in disabling Iranian nuclear plants, or Ukrainian power grids, they can also be defeated.
But that outcome was hardly assured Friday night, when what was described as a "massive" hacking attack suddenly put Macron's electoral chances in jeopardy. To French and U.S. officials, however, it was hardly a surprise.
Testifying in front of the Senate Armed Services Committee in Washington on Tuesday, Adm. Michael S. Rogers, the director of the National Security Agency, said U.S. intelligence agencies had seen the attack unfolding, telling their French counterparts, "Look, we're watching the Russians. We're seeing them penetrate some of your infrastructure. Here's what we've seen. What can we do to try to assist?"
But the staff at Macron's makeshift headquarters in the 15th Arrondissement at the edge of Paris didn't need the NSA to tell them they were being targeted: In December, after the former investment banker and finance minister had emerged as easily the most anti-Russian, pro-NATO and pro-European Union candidate in the presidential race, they began receiving phishing emails.
The phishing mails were "high quality," said Macron's digital director, Mounir Mahjoubi: They included the actual names of members of the campaign staff and at first glance appeared to come from them. Typical was the very last one the campaign received, several days before the election Sunday, which purported to have come from Mahjoubi himself.
"It was almost like a joke, like giving us all the finger," Mahjoubi said in interview Tuesday. The final email enjoined recipients to download several files "to protect yourself."
Even before then, the Macron campaign had begun looking for ways to make life a little harder for the Russians, showing a level of skill and ingenuity that was missing in Hillary Clinton's presidential campaign and at the Democratic National Committee, which had minimal security protections and for months ignored FBI warnings that its computer system had been penetrated.
"We went on a counteroffensive," said Mahjoubi. "We couldn't guarantee 100 percent protection" from the attacks, "so we asked: What can we do?"
Mahjoubi opted for a classic "cyberblurring" strategy, well known to banks and corporations, creating false email accounts and filling them with phony documents the way a bank teller keeps fake bills in the cash drawer in case of a robbery.
"We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account," Mahjoubi said. "I don't think we prevented them. We just slowed them down," he said.
"Even if it made them lose one minute, we're happy," he said.
Mahjoubi refused to reveal the nature of the false documents that were created or to say whether, in the Friday document dump that was the result of the hacking campaign, there were false documents created by the Macron campaign.
But he did note that in the mishmash that constituted the Friday dump, there were some authentic documents, some phony documents of the hackers' own manufacture, some stolen documents from various companies, and some false emails created by the campaign.
"During all their attacks we put in phony documents. And that forced them to waste time," he said. "By the quantity of the documents we put in," he added, "and documents that might interest them."
With only 18 people in the digital team, many of them occupied in producing campaign materials like videos, Mahjoubi hardly had the resources to track down the hackers. "We didn't have time to try to catch them" he said. But he has his suspicions about their identity.
Simultaneously with the phishing attacks, the Macron campaign was being attacked by the Russian media with a profusion of fake news.
Oddly, the Russians did a poor job of covering their tracks. That made it easier for private security firms, on alert after the efforts to manipulate the U.S. election, to search for evidence.
In mid-March, researchers with Trend Micro, the cybersecurity giant based in Tokyo, watched the same Russian intelligence unit behind some of the Democratic National Committee hacks start building the tools to hack Macron's campaign. They set up web domains mimicking those of Macron's En Marche! Party and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a toehold onto the campaign's network.
It was the classic Russian playbook, security researchers say, but this time the world was prepared. "The only good news is that this activity is now commonplace, and the general population is so used to the idea of a Russian hand behind this, that it backfired on them," said John Hultquist, the director of cyberespionage analysis at FireEye, the Silicon Valley security firm.
Hultquist noted that the attack was characterized by haste and a trail of digital mistakes. "There was a time when Russian hackers were characterized by their lack of sloppiness," Hultquist said. "When they made mistakes, they burned their entire operation and started anew. But since the invasion of Ukraine and Crimea, we've seen them carry out brazen, large scale attacks," perhaps because "there have been few consequences for their actions."
Adam Nossiter reported from Paris, David E. Sanger from Washington, and Nicole Perlroth from San Francisco. Danny Hakim contributed reporting from New York.