Bottom Line: In the digital age, determining the origins of cyberattacks is already difficult, but cyber actors can further muddy attribution by diverting blame for attacks to others. The intention is not necessarily to trick intelligence services – who are able to access information beyond technical forensics of the hack – but rather undermine public confidence in attribution and therefore undercut political will to respond to belligerent activity in cyberspace. This appears to be the motivation behind Russian hackers imitating North Korean hackers when attempting to disrupt the opening ceremony of the Winter Olympics in Pyeongchang, according to the Washington Post.
“The cyber incident disrupting broadcasts and attendees’ ability to join the ceremony was remarkable in that fingers quickly started moving away from pointing north to Pyongyang and instead blaming Moscow as the likely culprit. U.S. intelligence officials believe the Russian intelligence agency GRU carried out a false flag operation trying to make it look like North Korea was the source of the malicious activity.”
Background: A false flag operation – pretending to be someone else while conducting spycraft or warfare – is an age-old tactic. With the advent of cyber espionage and digital warfare, those maneuvering in the virtual domain can also conduct false flag operations.
The term false flag originated in naval warfare. It referred to ships that hoisted the flags of other nations to shift blame or confuse an enemy. Sometimes ship crews even adorned uniforms with emblems from a third nation. False flag operations in cyberspace – like those in the physical world – are difficult to identify with confidence without broader intelligence streams.
In April 2015, hackers targeted TV5Monde, corrupting and destroying internet-connected hardware that controlled the French news channel’s operations and knocking its broadcast offline. A supposedly ISIS-affiliated group calling itself the Cyber Caliphate lodged a claim of responsibility, but forensic investigators and French intelligence quickly focused their suspicions on another group – APT 28 or Fancy Bear, a group with links to Russian military intelligence, the GRU.
The TV5Monde false flag play was relatively simple. All it took was a fake online persona purporting to represent ISIS and a misleading statement of culpability. The tactic is not uncommon among threat actors, often laying blame on known criminals or hacktivists – as the Russians did with Guccifer 2.0 when breaching the Democratic National Committee to interfere in the 2016 U.S.
“In the context of cyber operations, a false flag attack means that the attacker pretends to be another actor who actually exists, rather than simply creating a fake online identity to obfuscate the attacker’s real identity. The distinction matters because, apart from hiding the attacker’s true identity, the victim might decide to use countermeasures or retaliate, in which case such reactions would target not the attacker himself, but whoever the attacker pretends to be.”
Issue: While the false flag method of claiming responsibility for a hack by using a fake online persona is effective in creating a thin veil of plausible deniability for states sponsoring malicious cyber activity, there are other, subtler or more technically convincing methods of leading investigators astray. If a number of false flags are planted in coordination, it can present a convincing portrait toward misplaced blame and possibly even retaliation.
“In cyberspace, false flag operations leave a forensic trail pointing in the wrong direction. It can be as simple as copying code already attributed to someone else or inserting a few words from another language. There are surprisingly few instance of false flag operations and those that are known can often be traced to Russia. Russia created a ‘Cyber Caliphate’ announcing jihad in cyberspace, attacking France’s Canal 5 broadcaster. Groups like DC Leaks and Guccifer 2 are Russian, and Shadowbrokers is likely Russian as well. A successful false flag operation requires more skill than people assume. The Russians have long practice in this area so it’s no surprise they tried again at the Olympics.”
One simple and fairly common method of misleading investigators is by littering the malware with comments in a language other than the native tongue of the hackers. Iranian hackers used the Hamas-affiliated Izz ad-Din al-Qassam Brigade moniker during the distributed denial of service attacks that hit U.S. financial institutions beginning in September 2012, trying to disguise the attack by including Arabic, rather than Farsi comments in the code. Misdirection through language imitation is also a tactic attempted by the Lazarus Group, which is thought to be an arm of the North Korea’s intelligence apparatus and was blamed for the December 2014 attack on Sony Pictures. The Lazarus Group is also suspected of various attacks around the world targeting the global SWIFT banking system.
But foreign language comments, particularly when mistakes are made, can also be revealing, which is why linguistic analysis is often a portion of an investigation. Pyongyang’s hackers made mistakes when writing fake Russian comments into their malware. Native Russian speakers quickly noticed these anomalies, causing experts to believe the imbroglio was a sloppy attempt by the North Koreans to finger the notorious Russian-speaking hacking community – both criminal and government. But even with sound linguistic analysis, cutouts, such as criminal proxies, or moonlighting officials could complicate attribution based solely on the language of comments within the code. Linguistic analysis of the WannaCry ransom notes – an attack formally attributed to North Korea – indicated the authors were fluent in Chinese and likely from Southern China.
Tracking where cyberattacks emanate from can also be deceiving. North Korean hackers are known to physically operate outside of its borders, launching attacks from infrastructure in third-party countries, such as China, India and elsewhere. Hackers also often breach servers in third-party countries and launch their attacks from there, all without a physical presence in that country. Tracking IP addresses to countries of origin is often only useful when seeking to determine what command and control infrastructure is used, and whether it is common among certain threat groups.
A more subtle method is to mimic the tactics, techniques and procedures of known groups. In an October 2016 report, researchers from Kaspersky Lab, a Moscow-based cybersecurity firm, explored a 2015 espionage campaign targeting the Peruvian military and other government agencies. The attackers, nicknamed TigerMilk, used a stolen digital certificate – analogous to a passport to identify legitimate software – that had originated in the Stuxnet worm, a piece of weaponized code that famously sabotaged Iranian nuclear installations. The Equation Group, the industry name for the hacking unit of the National Security Agency, originally employed the purloined certificate to gain surreptitious access to the Microsoft Windows systems. However, Microsoft had since revoked the certificate, suggesting that the actors who deployed it were not sophisticated and therefore couldn’t possibly be the NSA. By using the certificate, the hackers were seemingly trying to cast blame on the United States.
The WikiLeaks archives of alleged CIA hacking tools have led some to believe that a CIA unit called Umbrage is facilitating the agency’s false-flag operations by acquiring and repurposing commercially available hacking tools. WikiLeaks suggests the intention of repurposing tools is to imitate other actors. It’s more likely that the CIA is taking advantage of the thriving market in hacking tools to save time, rather than creating custom tools capable of the same task. The CIA wouldn’t be the only intelligence agency to buy off the shelf. Multiple actors sometimes use the same tools. The 2012 attack against Saudi Aramco and the 2014 attack against Sony Pictures had in common a disk-wiping tool called RawDisk. Yet the Saudi Aramco attack has largely been attributed to Iran, while the Sony attack was blamed on North Korea. The same is true for the EternalBlue exploit – reportedly stolen from the NSA – but used in both the WannaCry and NotPetya campaigns, which have been attributed to North Korea and Russia respectively.
“One method is to make it look as if the malicious activity originates from whomever the attacker is trying to frame, or to use malware that’s been tied to another malicious actor as part of the offensive cyber operation. This can range from using malware developed by criminals and available on the underground market to using malware that’s been developed by another state. The state-developed malware may have been become public when it was caught and analyzed by security researchers, or a state could have obtained access to the malware during an intelligence operation against the other state. The increasing commoditization of the cybercrime underground market and the modularity of offensive cyber operations facilitate this method. It is also worth noting that sophisticated actors could use hackers skilled in other languages and keyboards or who operate only during certain times that correspond with whatever time zone the actor who’s to be blamed operates in.”
Response: Intelligence services with expansive access to signals and human sources, however, often see through attempts at false flag cyber operations. While perfect attribution is difficult, the level of certainty needed in attribution largely depends on what is at stake politically. Attribution of foreign cyber campaigns is ultimately an intelligence assessment, and therefore does not require evidence that holds up beyond reasonable doubt in court – but may require enough evidence to sway the court of public opinion.
In 2010, the NSA reportedly breached the Chinese networks that connected North Korea to the outside internet, providing the NSA early warning of incoming cyber operations. This was likely why the Obama administration was so swift in its public attribution of the Sony Pictures hack to Pyongyang followed on by a series of sanctions.
Similarly, Dutch intelligence reportedly hacked the network of a Russian university in Moscow that was hosting a number of Russian intelligence operatives from the SVR, the Kremlin’s foreign intelligence branch, as they engaged in hacking operations attributed to the group known as Cozy Bear, who would later breach the networks of the DNC. The Dutch even monitored the CCTV cameras in the hall outside of the room and were able to identify individuals who came and went. But not all attribution is so clear cut.
“Very few states have the ability to attribute malicious cyber activity with a high degree of confidence. It is therefore possible that a state might try to send a signal to another state, knowing the recipient will be capable of attributing the true source, while all or most other states will not notice. This tactic obviously means the effect of such operations would be limited to avoid attracting others’ attention or to require a significant response. That’s what makes false flag operations much more a tool of spycraft than warfare.”
Looking Ahead: False flag operations can only be fought by intelligence agencies able to detect errors in the operations – whether through digital forensic investigation or human and signals intelligence collection – coupled with policymakers willing to reveal enough evidence to the public without compromising sources and methods. In democracies where political will is informed by public opinion, such false flag operations could serve to divide leaders over who to respond to, and the correct proportionality of such a response.
“I think false flag cyber operations are generally about muddying the water at least in the mind of the public. They generally don’t fool intelligence services for very long. The bottom line for Putin’s use of cyber is that there is, at the moment, no deterrence in cyberspace. Russia has a very effective array of cyber assets and they are going to continue to use that tool until we show we are willing to respond. That response can be symmetrical – responding with cyber against cyber (hack back or from state assets) or asymmetrical – additional sanctions. The problem is we are far more vulnerable to cyber risk than Russia. And Russia is happy to use its access to vast numbers of cyber mal-actors not accessible to us, to do its dirty work.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13. Material from this article was originally published on April 18, 2017.
No comments:
Post a Comment