The false flag tactic originated in naval combat in the days of yore. Flags were used to communicate between fleet assets before and during combat; a ship's identity was important, especially when gun smoke filled the air. Flying the enemy's banner during combat, along with flags displaying false messaging, could confuse and mislead the enemy.
How do advanced cyber attackers use false flag tactics in cyber campaigns? They include code segments that imply different origins, change file creation timestamps to fit other regions' workdays, and plant words in different languages in the code itself.
No ship required
Threat actors use several false flag tactics. The objective is simple: to present security researchers with a red herring to throw them off track. These false flags can be code, modus operandi or location-related. The attackers might use another group's malware, tactics or targets; the malware code might contain strains of a particular language; and the computer's clock might be reset to show file creation times fitting another country's working hours. All of these tactics can cause quite a mess for researchers and buy precious time for threat actors, allowing them to look for OPSEC risks and continue their operation.
The CloudAtlas group, for example, used all of the above tactics. They used the same phishing lure used by the Russian Red October group (a message about a diplomat’s car for sale). They also used a Chinese malware, and another malware containing strings written in Hindi and Arabic. Some of their methods simply stood out as obvious false flags – in one case, the cyber attackers sent documents in Spanish to Russian targets.
Why do cyber Attackers do this? The reason is not fear of attribution, Countries who run cyber espionage campaigns will always have plausible deniability on their side to avoid international embarrassment. Advanced criminal gangs operate using bulletproof hosting and ever-changing tools, and as a result are very hard to locate and apprehend. The goal of every anti-InfoSec tactic is to keep the operation going: advanced malware is very expensive and an operator who loses their malware might forfeit an entire operation.
The human factor
While they are more agile than the security industry in general, threat actors have limitations, some of which are the same limitations experienced by their adversaries – like the possibility of human error. Many cyber attackers use advanced programming techniques to create the right tool for the right operation, but sometimes they overlook small details and make very basic mistakes. For example, the Deep Panda group changed file creation dates, but forgot to check their calendars: some of the files were dated as being created after the attack itself took place. The Hellsing group used some of the PlayfullDragon group's C2 infrastructure, and similar characteristics as the Vixen Panda group. Unlike the CloudAtlas case, these were simpler to spot and the attack could be blocked.
Kaspersky’s researchers note that more threat actors are using false flags nowadays than ever before, and that this trend will probably continue. But not all threat actors have the same attention to detail, or access to the right resources to avoid making mistakes. Therefore, researchers should tread carefully when analyzing new cyber attacks that look familiar. They should also try to fingerprint the false flags themselves, as these flags can give valuable information about an attacking group's modus operandi, which might make it easier to identify these groups in future attacks.