- The term false flag originated in naval warfare. It referred to ships that hoisted the flags of other nations to shift blame or confuse an enemy. Sometimes ship crews even adorned uniforms with emblems from a third nation. False flag operations in cyberspace – like those in the physical world – are difficult to identify with confidence without broader intelligence streams.
- In April 2015, hackers targeted TV5Monde, corrupting and destroying internet-connected hardware that controlled the French news channel’s operations and knocking its broadcast offline. A supposedly ISIS-affiliated group calling itself the Cyber Caliphate lodged a claim of responsibility, but forensic investigators and French intelligence quickly focused their suspicions on another group – APT 28 or Fancy Bear, a group with links to Russian military intelligence, the GRU.
- The TV5Monde false flag play was relatively simple. All it took was a fake online persona purporting to represent ISIS and a misleading statement of culpability. The tactic is not uncommon among threat actors, often laying blame on known criminals or hacktivists – as the Russians did with Guccifer 2.0 when breaching the Democratic National Committee to interfere in the 2016 U.S.
Tim Maurer, Co-Director, Cyber Policy Initiative, Carnegie Endowment for International Peace
“In the context of cyber operations, a false flag attack means that the attacker pretends to be another actor who actually exists, rather than simply creating a fake online identity to obfuscate the attacker’s real identity. The distinction matters because, apart from hiding the attacker’s true identity, the victim might decide to use countermeasures or retaliate, in which case such reactions would target not the attacker himself, but whoever the attacker pretends to be.”
Issue: While the false flag method of claiming responsibility for a hack by using a fake online persona is effective in creating a thin veil of plausible deniability for states sponsoring malicious cyber activity, there are other, subtler or more technically convincing methods of leading investigators astray. If a number of false flags are planted in coordination, it can present a convincing portrait toward misplaced blame and possibly even retaliation.
James Lewis, Senior Vice President and Program Director, CSIS
“In cyberspace, false flag operations leave a forensic trail pointing in the wrong direction. It can be as simple as copying code already attributed to someone else or inserting a few words from another language. There are surprisingly few instance of false flag operations and those that are known can often be traced to Russia. Russia created a ‘Cyber Caliphate’ announcing jihad in cyberspace, attacking France’s Canal 5 broadcaster. Groups like DC Leaks and Guccifer 2 are Russian, and Shadowbrokers is likely Russian as well. A successful false flag operation requires more skill than people assume. The Russians have long practice in this area so it’s no surprise they tried again at the Olympics.”
- One simple and fairly common method of misleading investigators is by littering the malware with comments in a language other than the native tongue of the hackers. Iranian hackers used the Hamas-affiliated Izz ad-Din al-Qassam Brigade moniker during the distributed denial of service attacks that hit U.S. financial institutions beginning in September 2012, trying to disguise the attack by including Arabic, rather than Farsi comments in the code. Misdirection through language imitation is also a tactic attempted by the Lazarus Group, which is thought to be an arm of the North Korea’s intelligence apparatus and was blamed for the December 2014 attack on Sony Pictures. The Lazarus Group is also suspected of various attacks around the world targeting the global SWIFT banking system.
- But foreign language comments, particularly when mistakes are made, can also be revealing, which is why linguistic analysis is often a portion of an investigation. Pyongyang’s hackers made mistakes when writing fake Russian comments into their malware. Native Russian speakers quickly noticed these anomalies, causing experts to believe the imbroglio was a sloppy attempt by the North Koreans to finger the notorious Russian-speaking hacking community – both criminal and government. But even with sound linguistic analysis, cutouts, such as criminal proxies, or moonlighting officials could complicate attribution based solely on the language of comments within the code. Linguistic analysis of the WannaCry ransom notes – an attack formally attributed to North Korea – indicated the authors were fluent in Chinese and likely from Southern China.
- Tracking where cyberattacks emanate from can also be deceiving. North Korean hackers are known to physically operate outside of its borders, launching attacks from infrastructure in third-party countries, such as China, India and elsewhere. Hackers also often breach servers in third-party countries and launch their attacks from there, all without a physical presence in that country. Tracking IP addresses to countries of origin is often only useful when seeking to determine what command and control infrastructure is used, and whether it is common among certain threat groups.
- The WikiLeaks archives of alleged CIA hacking tools have led some to believe that a CIA unit called Umbrage is facilitating the agency’s false-flag operations by acquiring and repurposing commercially available hacking tools. WikiLeaks suggests the intention of repurposing tools is to imitate other actors. It’s more likely that the CIA is taking advantage of the thriving market in hacking tools to save time, rather than creating custom tools capable of the same task. The CIA wouldn’t be the only intelligence agency to buy off the shelf. Multiple actors sometimes use the same tools. The 2012 attack against Saudi Aramco and the 2014 attack against Sony Pictures had in common a disk-wiping tool called RawDisk. Yet the Saudi Aramco attack has largely been attributed to Iran, while the Sony attack was blamed on North Korea. The same is true for the EternalBlue exploit – reportedly stolen from the NSA – but used in both the WannaCry and NotPetya campaigns, which have been attributed to North Korea and Russia respectively.
Robert Dannenberg, former Chief of the Central Eurasia Division, CIA
“I think false flag cyber operations are generally about muddying the water at least in the mind of the public. They generally don’t fool intelligence services for very long. The bottom line for Putin’s use of cyber is that there is, at the moment, no deterrence in cyberspace. Russia has a very effective array of cyber assets and they are going to continue to use that tool until we show we are willing to respond. That response can be symmetrical – responding with cyber against cyber (hack back or from state assets) or asymmetrical – additional sanctions. The problem is we are far more vulnerable to cyber risk than Russia. And Russia is happy to use its access to vast numbers of cyber mal-actors not accessible to us, to do its dirty work.”
Response: Intelligence services with expansive access to signals and human sources, however, often see through attempts at false flag cyber operations. While perfect attribution is difficult, the level of certainty needed in attribution largely depends on what is at stake politically. Attribution of foreign cyber campaigns is ultimately an intelligence assessment, and therefore does not require evidence that holds up beyond reasonable doubt in court – but may require enough evidence to sway the court of public opinion.
- In 2010, the NSA reportedly breached the Chinese networks that connected North Korea to the outside internet, providing the NSA early warning of incoming cyber operations. This was likely why the Obama administration was so swift in its public attribution of the Sony Pictures hack to Pyongyang followed on by a series of sanctions.
- Similarly, Dutch intelligence reportedly hacked the network of a Russian university in Moscow that was hosting a number of Russian intelligence operatives from the SVR, the Kremlin’s foreign intelligence branch, as they engaged in hacking operations attributed to the group known as Cozy Bear, who would later breach the networks of the DNC. The Dutch even monitored the CCTV cameras in the hall outside of the room and were able to identify individuals who came and went. But not all attribution is so clear cut.
Looking Ahead: False flag operations can only be fought by intelligence agencies able to detect errors in the operations – whether through digital forensic investigation or human and signals intelligence collection – coupled with policymakers willing to reveal enough evidence to the public without compromising sources and methods. In democracies where political will is informed by public opinion, such false flag operations could serve to divide leaders over who to respond to, and the correct proportionality of such a response.
Read more from The Cipher Brief...and talk with the experts in person about deep fakes and the future of information at The Cipher Brief's 2019 Threat Conference...
