What is a false flag? How state-based hackers cover their tracks

False flags are a favourite technique of cyber attackers connected to Russian intelligence, but they don't have a monopoly on the practice


A false flag cyber attack is when a hacker or hacking group stages an attack in a way that attempts to fool their victims and the world about who's responsible or what their aims are.

The techniques involved run the gamut from simply issuing a false claim of responsibility to emulating the tools, techniques, and even the languages typically used by the group or country the attackers are trying to frame.

The term comes from naval warfare: during World War I, for example, British and German auxiliary ships would fly the ensigns of other countries, sometimes the British flying German flags or vice versa, in order to deceive their enemies.

The term came to be applied to more elaborate acts of deception meant to cast political blame on opponents and let aggressors pose as victims. Japan began its war with China in the 1930s after staging a fake Chinese attack on Japanese forces (the Mukden incident of 1931); Germany repeated the technique on the eve of its invasion of Poland (the Gleiwitz incident of 1939), as did the Soviet Union before attacking Finland later that year (the shelling of Mainila).

From there, the term entered the discourse of conspiracy theorists, who often believe terrorist attacks or mass shootings to be staged or perpetrated by the government in order to stoke fear or gain dictatorial powers.

But false flag cyber attacks are no conspiracy theory; they're a well-documented phenomenon that's become increasingly prevalent over the past five years or so.

In a false flag attack, state-based cyber attackers may pretend to be ordinary criminals, politically motivated hacktivists, or hackers backed by an entirely different country. And while several countries have engaged in this sort of attack, by far the most prolific practitioner is Russia, via its GRU military intelligence service and the hackers associated with it.

The purpose of a false flag attack may seem obvious: avoiding blame for sinister deeds. But casting blame on others goes beyond the usual stealthy attempt by attackers to conceal their identity.

For instance, the Stuxnet attack on Iran's nuclear program is widely believed to have been perpetrated by the United States and Israel, and while those countries haven't taken credit for it, they haven't attempted to connect anyone else to it, either.

In a false flag, pointing the finger at someone else can become a weaponised goal in and of itself, beyond the concrete results of the cyber attack.

And by generally encouraging a climate of chaos and confusion within the cyber security community, false flags make it hard for anyone to get a firm handle on objective reality.

As James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies told Wired, Russian hackers want to create a world where nobody—especially not the U.S.—can say with absolute certainty who is responsible for a cyber attack.

"They would like to create a counter-narrative: 'You can’t trust the Americans. Look, they got this wrong,'" he explains.

6 false flag attacks

These prominent attacks from the past few years show how false flag techniques work and how they have evolved.

2014: Guardians of Peace and the Sony Pictures hack

Sony Pictures was hacked in late 2014, with mountains of embarrassing internal emails, financial information, and even unreleased films being dumped onto file-sharing sites online.

Responsibility for the attack was initially claimed by a group calling itself the Guardians of Peace; while the group didn't reveal much about itself, the name was clearly meant to suggest some sort of ideologically driven and possibly even idealistic group.

Nobody took that framing particularly seriously, and early lists of suspects included run-of-the-mill cyber criminals and disgruntled insiders.

In short order, though, fingers began pointing in another direction: North Korea, whose leader Kim Jong-Un was mocked and ultimately assassinated in the Sony comedy The Interview; the Seth Rogen film became a focus of Guardians of Peace communiqués.

Only a few weeks after the attack, the FBI declared the North Korean government responsible, and security firm CrowdStrike presented evidence from code associated with the attack, including typos that matched other North Korean hacks.

North Korea has never taken responsibility for the hack, and while its guilt is almost universally acknowledged, the layer of deniability it created presumably allows a certain amount of diplomatic face-saving.

2014-15: CyberBerkut

The Euromaidan revolution in Ukraine, which deposed a pro-Russian government and replaced it with a pro-Western one, set off a conflict with Russia that left wide swaths of the country in Russian hands and started a grinding proxy war in Ukraine's east.

Ukraine's own population was polarised into pro-western and pro-Russian factions, so it wasn't a surprise to see hacktivist groups emerge on the pro-Russian end of the spectrum.

CyberBerkut was one of the most prominent; it launched DDoS attacks on NATO websites and hacked into Ukrainian government computers to leak material it presented as evidence of covert US involvement in the conflict.

The leaks mixed real embarrassing info with doctored documents that made the EU, the US, and the Ukrainian government look even worse to create an anti-western propaganda mélange. The initial take on CyberBerkut from F-Secure was that "they’re Ukrainians ... It’s a voluntary cyber offensive unit that’s not closely affiliated with any government."

That assessment did not hold up. CyberBerkut achieved many of its breaches through phishing emails that captured victims' passwords, and an analysis by Citizen Lab found that the shortened URLs in those emails were adjacent, in the URL shortener's sequence of short codes, to links used in phishing attacks that had nothing to do with the Ukrainian conflict but were attributed to Russian intelligence. Shortener codes issued back to back were created within moments of each other, which is hard to explain if the two campaigns were run by unrelated actors.

In all probability, CyberBerkut is an "astroturfing" group, a Russian government operation meant to appear as an organic pro-Russian Ukrainian movement.
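The adjacency check behind that finding, as an added example (this is illustrative code, not Citizen Lab's tooling, and the short codes are constructed rather than real CyberBerkut or APT28 links). It assumes a shortener that hands out codes from a single increasing counter encoded in base 62, which is common but not universal; for a shortener with random codes the technique does not apply.

```python
"""Shortened-URL adjacency check (added example, not from the article).

Assumption: the shortener assigns short codes sequentially from one counter,
encoded in base 62. Numerically adjacent codes were therefore created at
nearly the same time. Codes below are constructed for illustration.
"""

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
BASE = len(ALPHABET)


def encode_code(n):
    """Integer -> base-62 short code (used only to build the constructed sample)."""
    if n < 0:
        raise ValueError("short code counters are non-negative")
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, r = divmod(n, BASE)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))


def decode_code(code):
    """Base-62 short code -> integer position in the shortener's counter."""
    value = 0
    for ch in code:
        value = value * BASE + ALPHABET.index(ch)  # ValueError on foreign chars
    return value


# Constructed sample: (campaign label, short code). Two "unrelated" campaigns
# whose codes interleave, plus one genuinely unrelated link far away.
SAMPLE_LINKS = [
    ("cyberberkut", encode_code(2_600_001)),
    ("cyberberkut", encode_code(2_600_004)),
    ("apt28", encode_code(2_600_006)),
    ("apt28", encode_code(2_600_011)),
    ("noise", encode_code(9_100_000)),
]


def cluster_codes(links, max_gap):
    """Group links whose counter values sit within max_gap of their neighbour.

    Returns a list of clusters; each cluster is a list of (value, label, code)
    sorted by value.
    """
    items = sorted((decode_code(code), label, code) for label, code in links)
    clusters = []
    for item in items:
        if clusters and item[0] - clusters[-1][-1][0] <= max_gap:
            clusters[-1].append(item)
        else:
            clusters.append([item])
    return clusters


def shared_clusters(links, max_gap):
    """Only the clusters that mix campaigns: the evidence an analyst cares about."""
    return [c for c in cluster_codes(links, max_gap)
            if len({label for _, label, _ in c}) > 1]


if __name__ == "__main__":
    for cluster in shared_clusters(SAMPLE_LINKS, max_gap=10):
        print("codes created back to back across campaigns:")
        for value, label, code in cluster:
            print(f"  {code:>8}  counter={value}  campaign={label}")
```

A gap threshold is a judgement call: a busy public shortener can issue thousands of codes a minute, so "adjacent" there means a gap of a few, whereas on a low-volume service a gap of hundreds may still mean the same afternoon.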

2015: Cyber Caliphate

In April 2015, the French TV network TV5Monde was taken off the air by a sophisticated cyber attack; not only was the broadcast halted, but many of the network's computers were damaged as well.

The network's website was defaced by messages in which a group calling itself the "Cyber Caliphate" took credit for the attack; coming only a few months after the Charlie Hebdo attack and in the midst of France's participation in the air campaign against ISIS, the initial assumption was that this was an attack launched by the Islamic State.

But investigators quickly came to a different conclusion: the attack had been launched by Russia, and was associated with APT28, the same group linked to CyberBerkut. Among the clues that pointed at Russia: the malware carried Russian-language (Cyrillic) build settings and had been compiled during the working day in the Moscow time zone, which covers both Moscow and St. Petersburg. Indicators like these are themselves easy to forge, which is why attribution rests on the convergence of several independent artifacts rather than on any one of them.
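The working-day analysis, as an added example (this is illustrative code, not the investigators' tooling, and every timestamp in it is constructed). Given compile timestamps recovered from a set of related samples, it asks which UTC offset best explains them as work done Monday to Friday during office hours, and it also shows why the result proves little on its own: a second, planted set of timestamps produces an equally clean working week in a different zone.

```python
"""Working-hours fit of build timestamps (added example, not from the article).

All timestamps are constructed. A real analysis would read them from the
samples' PE headers or build metadata.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORKDAY_START = 9   # local hour, inclusive
WORKDAY_END = 18    # local hour, exclusive


def _epoch(utc_offset_hours, y, m, d, hh, mm):
    """Constructed timestamp from a local wall-clock time at a fixed offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(y, m, d, hh, mm, tzinfo=tz).timestamp())


# Constructed: builds by someone keeping office hours in UTC+3 (Moscow time
# since 2014). 2 March 2015 is a Monday, so these all fall on weekdays.
SAMPLE_TIMESTAMPS = [
    _epoch(3, 2015, 3, 2, 9, 15),
    _epoch(3, 2015, 3, 2, 11, 40),
    _epoch(3, 2015, 3, 3, 14, 5),
    _epoch(3, 2015, 3, 4, 10, 30),
    _epoch(3, 2015, 3, 4, 12, 10),
    _epoch(3, 2015, 3, 5, 16, 50),
    _epoch(3, 2015, 3, 6, 13, 0),
    _epoch(3, 2015, 3, 6, 17, 30),
]

# Constructed: a build machine whose clock was deliberately set to UTC+8.
# The analysis cannot tell a planted pattern from a genuine one.
PLANTED_TIMESTAMPS = [
    _epoch(8, 2015, 3, 2, 9, 5),
    _epoch(8, 2015, 3, 3, 10, 45),
    _epoch(8, 2015, 3, 4, 15, 20),
    _epoch(8, 2015, 3, 5, 17, 40),
]


def local_time(epoch, utc_offset_hours):
    return datetime.fromtimestamp(epoch, timezone(timedelta(hours=utc_offset_hours)))


def in_working_hours(epoch, utc_offset_hours):
    t = local_time(epoch, utc_offset_hours)
    return t.weekday() < 5 and WORKDAY_START <= t.hour < WORKDAY_END


def working_hours_fraction(timestamps, utc_offset_hours):
    """Share of timestamps that land Mon-Fri inside office hours at this offset."""
    if not timestamps:
        return 0.0
    hits = sum(in_working_hours(ts, utc_offset_hours) for ts in timestamps)
    return hits / len(timestamps)


def offset_scores(timestamps, offsets=range(-12, 15)):
    return {off: working_hours_fraction(timestamps, off) for off in offsets}


def best_fit_offsets(timestamps):
    """Every offset tied for the best fit. More than one entry means the
    samples cannot distinguish neighbouring time zones."""
    scores = offset_scores(timestamps)
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best)


def hour_histogram(timestamps, utc_offset_hours):
    """Local-hour histogram, the view usually shown in attribution reports."""
    return Counter(local_time(ts, utc_offset_hours).hour for ts in timestamps)


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_TIMESTAMPS), ("planted", PLANTED_TIMESTAMPS)):
        print(name, "best-fit UTC offsets:", best_fit_offsets(data))
        print("  local hours at UTC+3:", sorted(hour_histogram(data, 3).items()))
```

The fit only narrows to a single offset when the sample set includes both early-morning and late-afternoon builds; with a handful of midday timestamps several zones tie, and the planted set fits UTC+8 exactly as well as the genuine set fits UTC+3.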

Why Russia would attack a French TV station remains unclear. This was at the height of the Ukraine crisis, so the chance to humiliate a NATO power may have been tempting. The attack may also have served as a relatively low-stakes opportunity to test new cyber attack techniques.
