What is a false flag? How state-based hackers cover their tracks

A false flag cyber attack is when a hacker or hacking group stages an attack in a way that attempts to fool their victims and the world about who's responsible or what their aims are.

The techniques used in this type of attack run a gamut that ranges from simply issuing false claims of responsibility to emulating the tools, techniques, and even languages typically used by the group or country the attackers are trying to frame.

The term false flag originated during World War I, when British and German auxiliary ships would fly the ensigns of other countries—sometimes the British would fly German flags, or vice versa—in order to deceive their enemies.

The term came to be applied to more elaborate acts of deception meant to cast political blame on opponents and allow aggressors to claim to be victims; the Japanese started its war with China in the '30s after staging a fake Chinese attack on Japanese forces, for instance, a technique that the Germans repeated when they launched their invasion of Poland and the Soviets used before beginning a war against Finland.

From there, the term entered the discourse of conspiracy theorists, who often believe terrorist attacks or mass shootings to be staged or perpetrated by the government in order to stoke fear or gain dictatorial powers.

But false flag cyber attacks are no conspiracy theory; they're a well-documented phenomenon that's become increasingly prevalent over the past five years or so.

In a false flag attack, state-based cyber attackers may pretend to be ordinary criminals, politically motivated hacktivists, or hackers backed by an entirely different country. And while several countries have engaged in this sort of attack, by the far the most prolific practitioner is Russia, via its GRU intelligence service and hackers associated with it.

The purpose of implementing a false flag attack may seem obvious: not taking the blame for sinister deeds. But casting blame on others goes beyond the usual stealthy attempt by attackers to conceal their identity.

For instance, the Stuxnet attack on Iran's nuclear program is widely believed to have been perpetrated by the United States and Israel, and while those countries haven't taken credit for it, they haven't attempted to connect anyone else to it, either.

In a false flag, pointing the finger at someone else can become a weaponised goal in and of itself, beyond the concrete results of the cyber attack.

And by generally encouraging a climate of chaos and confusion within the cyber security community, false flags make it hard for anyone to get a firm handle on objective reality.

As James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies told Wired, Russian hackers want to create a world where nobody—especially not the U.S.—can say with absolute certainty who is responsible for a cyber attack.

"They would like to create a counter-narrative: 'You can’t trust the Americans. Look, they got this wrong,'" he explains.

6 false flag attacks

These prominent attacks from the past few years show how false flag techniques work and how they have evolved.

2014: Guardians of Peace and the Sony Pictures hack

Sony Pictures was hacked in late 2014, with mountains of embarrassing internal emails, financial information, and even unreleased films being dumped onto file-sharing sites online.

Responsibility for the attack was initially claimed by a group calling itself the Guardians of Peace; while the group didn't reveal much about itself, the name was clearly meant to suggest some sort of ideologically driven and possibly even idealistic group.

This was not a theory that anyone took particularly seriously, and the lists of possible suspects included run-of-the-mill cyber criminals and disgruntled insiders.

In short order, though, fingers began pointing in another direction: North Korea, whose leader Kim Jong-Un was mocked and ultimately assassinated in the Sony comedy The Interview; the Seth Rogan film became a focus of Guardians of Peace communiques.

Only a few weeks after the attack, the FBI declared the North Korean government responsible, and security firm CrowdStrike presented evidence from code associated with the attack, including typos that matched other North Korean hacks.

North Korea has never taken responsibility for the hack, and while their guilt is almost universally acknowledged, the layer of deniability they've created presumably allows a certain amount of diplomatic face-saving.

2014-5: CyberBerkut

The Euromaidan revolution in Ukraine, which deposed a pro-Russian government and replaced it with a pro-Western one, set off a conflict with Russia that left wide swaths of the country in Russian hands and started a grinding proxy war in Ukraine's east.

Ukraine's own population was polarised into pro-western and pro-Russian factions, so it wasn't a surprise to see hacktivist groups emerge on the pro-Russian end of the spectrum.

CyberBerkut was one of the most prominent; it launched DDoS attacks on NATO websites and hacked into Ukrainian government computers to leak sensitive information about covert US involvement in the conflict.

The leaks mixed real embarrassing info with doctored documents that made the EU, the US, and the Ukrainian government look even worse to create an anti-western propaganda mélange. The initial take on CyberBerkut from F-Secure was that "they’re Ukrainians ... It’s a voluntary cyber offensive unit that’s not closely affiliated with any government."

That assessment did not hold up. CyberBerkut achieved many of its breaches via phishing attacks that snagged victims' passwords, and an analysis by Citizens Lab found that the shortened URLs used in these emails were adjacent to those used in attacks that had nothing to do with the Ukrainian conflict, but were perpetrated by Russian intelligence.

In all probability, CyberBerkut is an "astroturfing" group, a Russian government operation meant to appear as an organic pro-Russian Ukrainian movement.

2015: Cyber Caliphate

In April 2015, the French TV network TV5Monde was taken off the air by a sophisticated cyber attack; not only was the broadcast halted, but many of the network's computers were damaged as well.

The network's website was defaced by messages in which a group calling itself the "Cyber Caliphate" took credit for the attack; coming only a few months after the Charlie Hebdo attack and in the midst of France's participation in the air campaign against ISIS, the initial assumption was that this was an attack launched by the Islamic State.

But investigators quickly came to a different conclusion: The attack had been launched by Russia, and in fact was associated with APT28, the same group associated with CyberBerkut. Among the clues that pointed at Russia: the code used in the attack had been typed with a Cyrillic keyboard during the working day in Moscow and St. Petersburg.

The question of why Russia would attack a French TV station is still not clear. This was at the height of the Ukraine crisis, so the chance to humiliate a NATO power may have been tempting. The attack may have also served as a relatively low-stakes opportunity to test some new cyber attack techniques.

Read more on the next page...

Page Break

As for the false flag aspect of the attack, Russia was also locked in a conflict with ISIS, so deflecting attention to a mutual enemy may have been intended to throw investigators off the scent.

2017: NotPetya

In 2016, IT staff around the world were annoyed and occasionally stymied by a ransomware program that was dubbed Petya.

Despite a few innovative features, Petya was a fairly typical representative of its type: spread by phishing emails, if executed it would encrypt a victim's hard drive and demand a bitcoin ransom. It didn't make that much of a splash.

But in mid-2017, a much more virulent version emerged, different enough from the original that it earned the name NotPetya from security analysts. NotPetya could spread on its own via the EternalBlue exploit first developed by the NSA.

And most bizarrely, it encrypts the victim's computer and demands a bitcoin ransom, just like Petya—only the bitcoin wallet address it provides is just a random number. There's no actual way to pay anyone to restore your computer.

NotPetya is thus a false flag: a purely destructive piece of malware disguised as a marginally more benign ransomware tool. The identity of the perpetrator became clear when NotPetya's initial attack vector was tracked down: it initially entered the cyber-ecosystem via a back door installed in M.E.Doc, an accounting application that's extremely popular and widespread in Ukraine.

Researchers believe that it was Russian attack that intended to wreak havoc on Ukraine's systems, masquerading as a version of a pre-existing malware so as not to draw too much attention.

Unfortunately, NotPetya spread so quickly that it went far beyond its initial target, creating chaos across Europe—and prompting scrutiny from the security community.

2018: Olympic Destroyer

Although it was barely visible to viewers around the world, the opening ceremonies of the 2018 Winter Olympics in Pyeongchang, South Korea, grappled with disaster.

The Olympics IT infrastructure was hit by a major cyber attack that brought down Wi-Fi in the stadium where the ceremony was taking place and crashed the ability for attendees to print tickets or stadium staff to scan them. Only a herculean effort by the infosec team got everything up and running again by the time the Games began in earnest the next day.

Who was behind the attack? The malware, it turns out, had been deliberately obfuscated under layers of false flags, some of which pointed to China, but others to two countries with more obvious grudges against South Korea and the Games: North Korea, the South's rival for dominance on the peninsula, and Russia, whose athletes had been forced to compete under a neutral flag due to a widespread doping scandal.

Eventually, Russia was fingered by security researchers who zeroed in on two clues.

In one case, some of the malware header metadata indicated that the code had been written in North Korea, but the header demonstrably didn't match up with the characteristics of the code itself.

And the tainted Word file that had been downloaded from phishing emails to initially infect the Olympic systems had strong similarities to documents that had been used to attack Ukrainian LGBT groups the previous year—a fairly obvious Russian target.

2019: Turla and Oilrig

Earlier, we discussed Russia masquerading as an Islamic jihadist group in its attack on a French TV station.

A report released last year reveals an even more insidious move: a Russian hacking group known as Turla took control of many of the systems of an Iranian hacking group known as Oilrig, apparently without the Iranians' knowledge or consent.

Turla could take advantage of breaches Oilrig had already established around the world and implant backdoors or other toolkits, which could then be exploited from Turla's own infrastructure. 

This is in some ways the ultimate false flag. Instead of a boat flying another nation's colours, you have a boat flying its own flag—but then an enemy takes control of its navigation, without its crew even knowing what's happening.

The tip of the iceberg

We've focused on Russian attacks here because they really are among the most widely known. Clearly it's a popular technique in Russia—but are they overrepresented in the public mind because of fascination with the Russian bogeyman, or because other countries don't get caught as often?

Surely other nations are capable of the same sorts of attacks. In 2017 Wikileaks revealed a CIA tool called Marble that could alter code to make it look like it had a non-US country of origin, though most security experts agree that Marble is a straightforward code obfuscation program that couldn't really create a false flag.

Meanwhile, in December 2019 revelations came that an Indian nuclear plant was hacked by code that seems to have come from North Korea—except most people don't know what reason North Korea would have to hack an Indian nuclear plant. One thing that is for sure is how scary this threat landscape is.