Examining the use and effects of false flags in nation state cyberattacks, and how geopolitical analysis may be add value to attribution efforts.
By Amy Ertan
‘The Problem of Attribution’
The problems with cyber attribution form a labyrinth that continue to trouble all those involved in cyber defence and wider security. The challenges determining what has taken place, to whom and by whom is an process that lacks repeatability and often any clear solution. Nonetheless, the value of attribution makes it an indispensable exercise on which to concentrate resources. Without the ability to tie a cyber-attack to an individual, group or nation state, there can be no political or legal enforcement of regulation or counter-action. This represents a huge limitation on international relations where cyber activity continues to grow, influencing diplomacy and conflict. What some may consider a technical investigation has, therefore, shown itself to be a major geopolitical problem. As Thomas Rid summarises, ‘attribution is what states make of it’.
Introducing False Flags
Attacks involving nation state actors involve unique challenges that further complicate attribution attempts. Amongst other factors, the use of ‘false flags’, where an attacker pretends to be someone other than themselves, is a tactic to ‘frame’ other threat actors. A false flag operation could be as simple as malicious ‘marketing’, inserting imagery appearing to show another threat actor claiming responsibility. It could also be as simple as inserting other languages into payload headers or malware. From 2012, Iranian hackers used Arabic rather than Farsi when attacking US banks, while suspected North Korean state-sponsored Lazarus group is often known for attempting language imitation. As well as enabling attackers to avoid detection, false flags may be used as a form of manipulation, directing the victim’s attention to potentially target third-party actors. Should investigators of an event fail to realise that the false flags are not genuine hints, they may incorrectly attribute an attack, which may extend to misdirected retribution.
Nation State Case Study: Russia
False flag operations are not a new aspect of Russian military strategy. The justification for deception can be explored through Russian military doctrines such as ‘provokatsiya’, (‘provocation’), whereby agents act surreptitiously to cause secret political effects, helping Moscow whilst damaging Moscow’s enemies. Further doctrine ‘maskirovka’ specifically concerns deceiving victims while also hiding the true intent of operations, complementing the ‘konspiritsiya’ (‘conspiracy’) doctrine and Russian espionage tradecraft. Themes displayed most obviously through and beyond the Cold War period, it is perhaps unsurprising that intelligence tactics have led to cyber false flags acting as ‘the Kremlin’s hidden cyber hand’. These tactics assist in furthering Russian geopolitical goals, typically through attacks against Western governments. Interference in elections are a clear example, with French and US elections compromised to suspected Russian actors. Similarly the NotPetya attacks, which the US, UK, Canada, Australia and New Zealand publically attributed to Russia, may be understood as part of a wider Russian state disregard for Ukranian sovereignty.
In 2015, ‘Cyber Caliphate’ jihadist propaganda flooded TV-Monde’s social media during a destructive cyberattack, an act ultimately traced back to Russian-based ‘Fancy Bear’, a group with links to Russian military intelligence. The flag was relatively simple: creating a fake online persona, a tactic mirrored by separate Russian threat actors with the ‘Guccifer 2.0’ persona in the 2016 DNC hack. These examples highlight a few Russian threat actors using false flags, alongside DC Leaks and Shadowbrokers.
In the 2018 Winter Olympics, Olympics IT systems were temporary disabled, with WiFi, monitors and the Olympics website unavailable. Analysts concluded Russian actors used North Korean IP addresses and attempted to forge malware used by Lazarus Group, a flag uncovered due to an error forced header. Analysts looked beyond the technical information to argue that the attack was designed to gain attention, where perpetrators ‘wanted to be discovered… as Lazarus Group’, concluding this attack was likely ‘setting the stage’ for further campaigns. Russia’s actions were assumed to link with their enforced non-participation in the event, alongside wider geopolitical tensions.
A Strategic Approach
Attribution capabilities are currently highly asymmetric, with only a handful of states thought to be capable of successfully attributing cyberattacks with high confidence. Given typical characteristics of false flag indicators, technical analysis is necessary but not sufficient when attempting attribution, for three reasons. Firstly, it is unreliable to be dependent on attackers making errors when determining whether evidence is a false flag. Errors such as poor language translation are unlikely to be repeated frequently in the long-term, given the capabilities of nation states dedicated to achieving cyber goals. Secondly, nation states and state-sponsored groups represent the most able threat actors. As offensive actors, states will often have multiple cyber units, alongside distributed command-and-control servers and resources to continually update sophisticated evasion techniques. It is expected this makes them considerably harder to detect and attribute against, compared with less skilled, purely criminal counterparts. Finally technical indicators of compromise for a cyber incident are often identical whether the event was a malicious cyberattack or not. Technical analysis, even if conducted by the most sophisticated and capable of actors, may not reveal information that proves itself to be actionable intelligence.
To understand false flag operations driven by nation-state actors, one must understand the context in which the attack took place. Professor Thomas Wingfield argues that ‘strategic attribution – fusing all sources of intelligence on a potential threat – allows a much higher level of confidence and more options … strategic attribution begins and ends with geopolitical analysis.’ Geopolitical threat profiling and strategic intelligence functions therefore become entwined with the technical attribution operation.
As Symantec security analyst Vikram Thakur neatly summarises, ‘We think the future is going to get even more complicated with actors relying more and more on false flags… throwing another group [under] the bus from an attribution standpoint.’ False flags are a tool for nation states. Not only can they deceive, misdirecting attention from an attack, but they can change agendas, create imaginary threats, or be used to communicate between states who can detect subtle flags (versus those who cannot). It is a task that matters – NATO CCDCOE stressed that without sufficient attribution, there cannot be official consequences. Getting to grips with the challenges and counter-approaches to an attack is a task that will weigh heavily in the context of rising geopolitical tensions observable today across the globe.
Amy Ertan is a PhD researcher within the Centre for Cyber Security at Royal Holloway, University of London. Amy previously studied Philosophy, Politics and Economics at the University of Oxford, where she first developed an interest in international security. Amy was part of the winning team in Atlantic Council’s international relations / cyber security 9/12 competition, and was also awarded Cyber Security Student of the Year at the 2018 SC Media Awards. Her main research interests continue to focus on international relations and cyber-warfare, as well as emerging cyber security threats relating to artificial intelligence.
Image Source: https://www.123rf.com/photo_67396671_russia-spying-on-america-russian-hackers-threaten-us-computer-networks.html