What is a false flag? How state-based hackers cover their tracks


False flags are a favourite technique of cyber attackers connected to Russian intelligence, but they don't have a monopoly on the practice


As for the false flag aspect of the attack, Russia was also locked in a conflict with ISIS, so deflecting attention to a mutual enemy may have been intended to throw investigators off the scent.

2017: NotPetya

In 2016, IT staff around the world were annoyed and occasionally stymied by a ransomware program that was dubbed Petya.

Despite a few innovative features, Petya was a fairly typical representative of its type: spread by phishing emails, if executed it would encrypt a victim's hard drive and demand a bitcoin ransom. It didn't make that much of a splash.

But in mid-2017, a much more virulent version emerged, different enough from the original that it earned the name NotPetya from security analysts. NotPetya could spread on its own via the EternalBlue exploit first developed by the NSA.

And most bizarrely, it encrypts the victim's computer and demands a bitcoin ransom, just like Petya—only the bitcoin wallet address it provides is just a random number. There's no actual way to pay anyone to restore your computer.

NotPetya is thus a false flag: a purely destructive piece of malware disguised as a marginally more benign ransomware tool. The identity of the perpetrator became clear when NotPetya's initial attack vector was tracked down: it initially entered the cyber-ecosystem via a back door installed in M.E.Doc, an accounting application that's extremely popular and widespread in Ukraine.

Researchers believe that it was a Russian attack intended to wreak havoc on Ukraine's systems, masquerading as a version of pre-existing malware so as not to draw too much attention.

Unfortunately, NotPetya spread so quickly that it went far beyond its initial target, creating chaos across Europe—and prompting scrutiny from the security community.

2018: Olympic Destroyer

Although it was barely visible to viewers around the world, the opening ceremonies of the 2018 Winter Olympics in Pyeongchang, South Korea, grappled with disaster.

The Olympics IT infrastructure was hit by a major cyber attack that brought down Wi-Fi in the stadium where the ceremony was taking place and knocked out ticket printing for attendees and ticket scanning for stadium staff. Only a herculean effort by the infosec team got everything up and running again by the time the Games began in earnest the next day.

Who was behind the attack? The malware, it turns out, had been deliberately obfuscated under layers of false flags, some of which pointed to China, but others to two countries with more obvious grudges against South Korea and the Games: North Korea, the South's rival for dominance on the peninsula, and Russia, whose athletes had been forced to compete under a neutral flag due to a widespread doping scandal.

Eventually, Russia was fingered by security researchers who zeroed in on two clues.

In one case, some of the malware header metadata indicated that the code had been written in North Korea, but the header demonstrably didn't match up with the characteristics of the code itself.
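The clue described here, build-tool metadata in a file's header that cannot be reconciled with the file itself, has a well-known concrete form in Windows executables: the undocumented "Rich" header that Microsoft's linker writes between the DOS stub and the PE header, listing the compiler and linker builds used. Its XOR key doubles as a checksum over the file's own DOS stub and the tool entries, so a Rich header copied from another group's binary to borrow its toolchain fingerprint no longer validates unless the forger also recomputes the key. The following Python is an added example, not code from this article or from the researchers it refers to; it assumes the community-documented checksum algorithm (key seeded with the DanS offset, plus each DOS-stub byte rotated by its offset, plus each compid rotated by its count), and the product ids, build numbers and second DOS stub are constructed placeholders rather than real Microsoft tool ids. The checker works on any PE byte string, not only the constructed sample.

```python
import struct

# The header is stored XOR-encrypted with its key, except for the literal
# "Rich" tag and the key dword that follow the entries.
DANS = 0x536E6144  # "DanS" read as a little-endian dword
RICH_TAG = b"Rich"


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count reduced mod 32)."""
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(dos_part, entries):
    """Recompute the Rich key for a file from its own bytes.

    dos_part is everything before the DanS marker (DOS header + stub) and
    entries is the list of (compid, count) pairs. The e_lfanew field at
    0x3C..0x3F is skipped, as the real algorithm does.
    """
    cksum = len(dos_part)
    for i, byte in enumerate(dos_part):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(byte, i)) & 0xFFFFFFFF
    for compid, count in entries:
        cksum = (cksum + rol32(compid, count)) & 0xFFFFFFFF
    return cksum


def parse_rich_header(data):
    """Locate and decrypt the Rich header; returns (dans_offset, key, entries) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(RICH_TAG, 0, e_lfanew)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk backwards one dword at a time, decrypting, until DanS appears.
    decrypted = []
    off = rich_off - 4
    while off >= 0:
        value = struct.unpack_from("<I", data, off)[0] ^ key
        if value == DANS:
            break
        decrypted.append(value)
        off -= 4
    else:
        return None
    decrypted.reverse()
    # Three zero padding dwords follow DanS, then (compid, count) pairs.
    if len(decrypted) < 3 or any(decrypted[:3]) or (len(decrypted) - 3) % 2:
        return None
    body = decrypted[3:]
    entries = [(body[i], body[i + 1]) for i in range(0, len(body), 2)]
    return off, key, entries


def check_rich_header(data):
    """Compare the embedded key with one recomputed from the file's own bytes."""
    parsed = parse_rich_header(data)
    if parsed is None:
        return None
    dans_off, key, entries = parsed
    expected = rich_checksum(data[:dans_off], entries)
    return {
        "key": key,
        "expected_key": expected,
        "key_matches": key == expected,
        # compid packs a product id in the high 16 bits and a build number below.
        "tools": [{"product_id": c >> 16, "build": c & 0xFFFF, "count": n} for c, n in entries],
    }


def build_rich_block(dos_part, entries):
    """Encode a Rich header the way a genuine linker would, with a correct key."""
    key = rich_checksum(dos_part, entries)
    plain = [DANS, 0, 0, 0]
    for compid, count in entries:
        plain += [compid, count]
    encrypted = b"".join(struct.pack("<I", v ^ key) for v in plain)
    return encrypted + RICH_TAG + struct.pack("<I", key)


def make_pe_image(stub, entries, rich_block=None):
    """Assemble a minimal MZ/PE-shaped buffer (constructed, not a real executable)."""
    rich_len = len(rich_block) if rich_block is not None else (4 + 2 * len(entries)) * 4 + 8
    e_lfanew = 64 + len(stub) + rich_len
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    dos_part = bytes(header) + stub
    if rich_block is None:
        rich_block = build_rich_block(dos_part, entries)
    return dos_part + rich_block + b"PE\0\0" + bytes(20)


# Constructed sample entries; product ids 1 and 2 are placeholders, not real tool ids.
SAMPLE_ENTRIES = [((0x0001 << 16) | 0x1234, 5), ((0x0002 << 16) | 0x1234, 1)]
GENUINE_STUB = b"This program cannot be run in DOS mode.\r\n$"
OTHER_STUB = b"Constructed second stub for the transplant check.\r\n$"


def demo():
    """Return check results for a genuine file and for a transplanted Rich header."""
    genuine = make_pe_image(GENUINE_STUB, SAMPLE_ENTRIES)
    dans_off = parse_rich_header(genuine)[0]
    e_lfanew = struct.unpack_from("<I", genuine, 0x3C)[0]
    # Copy the genuine Rich block byte for byte onto a file with a different DOS stub,
    # borrowing its toolchain fingerprint without recomputing the key.
    transplanted = make_pe_image(OTHER_STUB, SAMPLE_ENTRIES, rich_block=genuine[dans_off:e_lfanew])
    return check_rich_header(genuine), check_rich_header(transplanted)


if __name__ == "__main__":
    for label, result in zip(("genuine", "transplanted"), demo()):
        print(label, "key matches:", result["key_matches"], "tools:", result["tools"])
```

A key mismatch is not proof of forgery on its own (some packers and post-link tools also disturb the stub), but it is cheap to compute and is the kind of internal inconsistency that lets an analyst treat header-based attribution with suspicion rather than at face value.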

And the tainted Word file that had been downloaded from phishing emails to initially infect the Olympic systems had strong similarities to documents that had been used to attack Ukrainian LGBT groups the previous year—a fairly obvious Russian target.

2019: Turla and Oilrig

Earlier, we discussed Russia masquerading as an Islamic jihadist group in its attack on a French TV station.

A report released last year reveals an even more insidious move: a Russian hacking group known as Turla took control of many of the systems of an Iranian hacking group known as Oilrig, apparently without the Iranians' knowledge or consent.

Turla could take advantage of breaches Oilrig had already established around the world and implant backdoors or other toolkits, which could then be exploited from Turla's own infrastructure. 

This is in some ways the ultimate false flag. Instead of a boat flying another nation's colours, you have a boat flying its own flag—but then an enemy takes control of its navigation, without its crew even knowing what's happening.

The tip of the iceberg

We've focused on Russian attacks here because they really are among the most widely known. Clearly it's a popular technique in Russia—but are they overrepresented in the public mind because of fascination with the Russian bogeyman, or because other countries don't get caught as often?

Surely other nations are capable of the same sorts of attacks. In 2017 Wikileaks revealed a CIA tool called Marble that could alter code to make it look like it had a non-US country of origin, though most security experts agree that Marble is a straightforward code obfuscation program that couldn't really create a false flag.

Meanwhile, in December 2019 revelations came that an Indian nuclear plant was hacked by code that seems to have come from North Korea, except that it is far from clear what reason North Korea would have to hack an Indian nuclear plant. What is certain is how frightening this threat landscape is.
