A false flag operation – pretending to be someone else while conducting spycraft or warfare – is an age-old tactic. With the advent of cyber espionage and digital warfare, those maneuvering in the virtual domain can use false flags.
In the Digital Age, determining the origins of cyber attacks is already difficult, but cyber actors can further muddy attribution by diverting blame for attacks to others. Ultimately, are such devious methods effective in leading investigators astray, even to the point of mistaken retaliation? The answer is, it’s complicated.
By definition, false flag operations that succeed in framing others will not appear to observers as a false flag at all, and blame will likely fall on those who are framed. On the other hand, investigators may see through attempts at a false flag, but they may not know whether the perpetrator’s intention was to deceive everyone or a select few. In some cases, the attacker may have wanted simply to cloud the issue so that the victim can’t make a strong case for a forceful response.
The term false flag originated in naval warfare. It referred to ships that hoisted the flags of other nations to shift blame or confuse an enemy. Sometimes ship crews even adorned uniforms with emblems from a third nation. Tim Maurer, the co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, cites the example of the British navy ship Baralong, which flew the American flag before the U.S. entered World War I, and fired on a German U-boat.
False flag operations in cyberspace – like those in the physical world – are difficult to identify with confidence. Unless investigators have intelligence to confirm that a false flag operation occurred, most examples are based on conjecture.
One incident generally accepted as a false flag operation took place in April 2015, when hackers targeted TV5Monde, corrupting and destroying internet-connected hardware that controlled the French news channel’s operations, knocking its broadcast offline. A supposedly ISIS-affiliated group calling itself the Cyber Caliphate lodged a claim of responsibility, but forensic investigators and French intelligence quickly focused their suspicions on another group called APT28, purportedly connected to Russian military intelligence.
The TV5Monde false flag play was relatively simple. All it took was a fake online persona and a misleading statement of culpability. Other modes of false flag operations can be more technically deceptive.
In a white paper published last October, researchers from Kaspersky Lab, a Moscow-based cybersecurity firm, explored a 2015 espionage campaign targeting the Peruvian military and other government agencies. The attackers, nicknamed TigerMilk, used a stolen digital certificate that had shown up in the Stuxnet worm, a piece of weaponized code that famously sabotaged Iranian nuclear installations. The Equation Group, thought to be a hacking unit of the National Security Agency, originally employed the purloined certificate to gain surreptitious access to Microsoft Windows systems. However, Microsoft had since revoked the certificate, suggesting that the actors who deployed it were not sophisticated and therefore couldn’t possibly be the NSA – one of the most capable cyber operators in the world. By using the certificate despite its having no apparent tactical value, the hackers were seemingly attempting to lead investigators to conclude, erroneously, that the U.S. was culpable.
Maurer says false flag attackers can mislead forensic investigators by creating a scenario that suggests that “malicious activity originates from whomever the attacker is trying to frame.” Another red herring, he says, is “to use malware that’s been tied to another malicious actor as part of the offensive cyber operation.”
To lay a false trail, he says, “sophisticated actors could use hackers skilled in other languages and keyboards or operate only during certain times that correspond with whatever time zone the actor who’s to be blamed operates in.” Hackers bent on framing somebody else could hijack the known attack infrastructure of that entity to leave a trail of false clues for forensic investigators.
Misdirection through language imitation is a tactic recently attempted by the Lazarus group, which is thought to be an arm of the North Korean regime, has been held responsible for the December 2014 attack on Sony Pictures, and is suspected of various attacks around the world targeting the global SWIFT banking system. Pyongyang’s hackers did a bad job of writing fake Russian comments into their malware. Native Russian speakers quickly noticed these anomalies, leading experts to believe the imbroglio was a sloppy attempt by the North Koreans to finger the notorious Russian-speaking hacking community – both criminal and government.
“Iranian hackers often use Arabic when planning and conducting attacks on U.S. banks,” says Hank Thomas, a partner and chief operating officer at Strategic Cyber Ventures. In a case involving a denial-of-service attack on some American banks, he says, his firm used multiple sources of intelligence, including linguists, to analyze the bank attack code. They found a little Farsi (Persian) mixed in with the Arabic. This and other evidence led to the conclusion that the attack emanated from Tehran.
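The two indicators described above, operating hours that match a suspect’s time zone and the language of strings left in the code, can be computed from a sample set. The script below is an added example written for this article, not code from any firm or researcher quoted here. All compile timestamps and embedded strings are constructed; the 09:00–18:00 weekday working window and the four Persian-only letters used to tell Farsi from Arabic are assumptions of the example, not findings from the article.

```python
"""
Added example (not from the article): two attribution indicators computed
over constructed data, reported as the weak, forgeable signals they are.
  1. Which UTC offsets make a set of malware compile timestamps look like
     a 9-to-6 working week (the "time zone" clue).
  2. Which writing systems appear in strings embedded in a sample, with a
     heuristic for Persian-only letters inside Arabic-script text.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import unicodedata

UTC = timezone.utc


def _ts(text):
    # Parse "YYYY-MM-DD HH:MM" as a UTC timestamp (helper for the sample data).
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


# Constructed compile timestamps (UTC) for a hypothetical sample set:
# 22 weekday values between 07:00 and 14:00 UTC, plus two outliers
# (a late-night Wednesday build and a Saturday build).
SAMPLE_TIMESTAMPS_UTC = [_ts(s) for s in [
    "2015-06-01 07:12", "2015-06-01 09:40", "2015-06-01 12:05",
    "2015-06-02 08:33", "2015-06-02 10:15", "2015-06-02 13:48",
    "2015-06-03 07:58", "2015-06-03 11:20", "2015-06-03 22:15",
    "2015-06-04 09:05", "2015-06-04 12:44", "2015-06-04 13:10",
    "2015-06-05 08:20", "2015-06-05 10:55", "2015-06-06 02:10",
    "2015-06-08 07:30", "2015-06-08 11:47",
    "2015-06-09 09:58", "2015-06-09 13:25",
    "2015-06-10 08:05", "2015-06-10 12:30",
    "2015-06-11 10:40",
    "2015-06-12 07:45", "2015-06-12 13:55",
]]

# Constructed strings "recovered" from a sample: a Russian error message,
# an English one, and a Persian one written in Arabic script.
SAMPLE_STRINGS = ["Ошибка загрузки", "fail to load", "خطا در بارگذاری"]

BUSINESS_START, BUSINESS_END = 9, 18   # assumed local working day (hours)


def working_hours_fit(timestamps_utc, offset_hours):
    """Fraction of timestamps that fall on a weekday inside the working
    day if the author had worked at the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END:
            hits += 1
    return hits / len(timestamps_utc)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """(offset, fit) pairs, best fit first; ties broken by offset."""
    return sorted(((o, working_hours_fit(timestamps_utc, o)) for o in offsets),
                  key=lambda pair: (-pair[1], pair[0]))


def assess_time_zone(timestamps_utc, min_samples=20, min_fit=0.8):
    """Report every offset tied for the best fit, not a single 'answer':
    a 9-hour window always admits a band of adjacent offsets."""
    ranked = rank_offsets(timestamps_utc)
    best_fit = ranked[0][1]
    candidates = [o for o, f in ranked if abs(f - best_fit) < 1e-9]
    weak = len(timestamps_utc) < min_samples or best_fit < min_fit
    return {"candidates": candidates, "fit": best_fit, "weak": weak}


# Letters used in Persian but absent from standard Arabic (heuristic only).
PERSIAN_ONLY_LETTERS = set("\u067e\u0686\u0698\u06af")  # پ چ ژ گ


def script_profile(strings):
    """Count alphabetic characters per Unicode script (first word of the
    character's Unicode name) and Persian-only letters in Arabic-script text."""
    scripts = Counter()
    persian_only = 0
    for s in strings:
        for ch in s:
            if not ch.isalpha():
                continue
            scripts[unicodedata.name(ch, "UNKNOWN").split()[0]] += 1
            if ch in PERSIAN_ONLY_LETTERS:
                persian_only += 1
    return {"scripts": dict(scripts), "persian_only_letters": persian_only}


if __name__ == "__main__":
    tz = assess_time_zone(SAMPLE_TIMESTAMPS_UTC)
    print("working-hours fit: offsets", tz["candidates"],
          "fit %.2f" % tz["fit"], "(weak indicator)" if tz["weak"] else "")
    print("script profile:", script_profile(SAMPLE_STRINGS))
```

On the constructed data the timestamp analysis reports UTC+2, +3 and +4 as equally good fits, which is the honest output: a working-hours window maps to a band of neighbouring offsets, never to one country, and an operator who schedules builds to the hours of the actor being framed gets exactly the band they chose. The script profile likewise only says which writing systems are present and that a Persian-only letter occurs among the Arabic-script text; as in Thomas’s account, deciding what that mixture means is linguists’ work, and neither indicator should carry an attribution on its own.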
The recently released WikiLeaks archives of alleged CIA hacking tools have led some cybersecurity specialists to believe that a unit called Umbrage is facilitating CIA false flag operations by acquiring and repurposing techniques – either those found online, stolen from other governments, or purchased from private security firms and illicit groups acting as brokers. Whether the CIA conducts such false flag operations remains unconfirmed. Some commentators – including WikiLeaks – have alleged that the intention of repurposing tools is to imitate other actors, rather than simply to improve the CIA’s own arsenal. This charge rests on shaky ground at best. After all, once attacks are deployed, others can copy their techniques. A thriving market for hacking techniques has appeared in recent years. It would be surprising if government spy agencies were not taking advantage of it.
To add to the confusion, multiple actors sometimes use the same tools. For example, the 2012 attack against Saudi Aramco and the 2014 attack against Sony Pictures had in common a disk-wiping tool called RawDisk. Yet the Saudi Aramco attack has largely been attributed to Iran, while the Sony attack was blamed on North Korea – even resulting in U.S.-imposed sanctions.
If a false flag operation is to be successful, it cannot rely on a single bogus lead. Some experts question whether any false flag operation can completely deceive everyone. Some false flag gambits may be meant as warning shots. “A state might try to send a signal to another state,” says Maurer, “knowing the victim state will be capable of attributing the true source, while all or most other states will not notice.”
Who can see past the false flags to fix blame for cyber attacks? The Kaspersky Lab paper argues that major signals intelligence agencies, particularly the NSA and the UK’s GCHQ, are capable of attributing attacks with certainty and confidence. The problem is, the secret agencies cannot make their cases in public. “As intelligence agencies,” the paper says, “they are blessed with the ability to see but not to publically substantiate, the gift to attribute without being believed.”
Thomas points out that false flag operations complicate efforts to retaliate against cyber adversaries, “especially in a democracy like the United States where the credibility and level of evidence must be high to retaliate or convict someone.”
“Sometimes a warm gun is not good enough,” says Thomas. “It must be smoking.”
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.