False flags in cyber intrusions – why bother?

Stewart K. Bertram
August 17, 2016 | 3 Min Read

False flag operations have long existed in the physical world, a tactic used to make an operation appear to have been planned and executed by someone other than the real perpetrator. For example, Operation Northwoods was a plan concocted by the US Central Intelligence Agency (and later vetoed by President Kennedy) to provoke an invasion of Cuba through multiple false flags presented as supposed examples of Cuban aggression. Of course, false flags as a tactic are not limited to the physical world – they similarly exist in cyber intrusions. But why would an attacker bother to create a false flag within a cyber intrusion in the first place?

Digging a little deeper into the concept of a false flag operation shows that the intent of the actor behind the operation is to do one of two things:

  1. To falsely implicate an innocent third party as the deliberate goal of the operation.
  2. To implicate the third party in an effort to obscure the true perpetrator of the action.

The difference – although subtle – is profound. The success criteria in the two cases are fundamentally different: in one you let a third party take the blame, whereas in the other you hide your own actions.

If an attacker deliberately wishes to falsely attribute the blame to a third party, then this implies a level of malice that is not typically featured within the analysis of cyber intrusions. It also implies that the true perpetrator of the intrusion is fully aware of the impact that the attribution will have on the victim from a successful false attribution.

If the false flag is used to hide the true identity of the hacker by attributing the attack to another party, then this implies that the true perpetrator of the attack was aware that the intrusion would be discovered at some point. While the effects of a cyber attack are obvious (particularly in the case of an intrusion that causes physical damage), detection of an intrusion cannot always be assumed. In the case of a stealthy cyber espionage campaign, the presence of false flags implies a further level of operational sophistication above and beyond the core technical skills displayed by the attacker.

The conclusion of this short examination of false flags is that their use within a cyber context should be treated differently from their use within a physical context. Furthermore, the assessed presence of false flags within a cyber intrusion should be viewed as an additional indicator of both malice and sophistication.
