False flag operations have long existed in the physical world: a tactic used to make an operation appear to have been planned and executed by someone other than the real perpetrator. For example, Operation Northwoods was a plan drawn up by the US Joint Chiefs of Staff (and later rejected by President Kennedy) to provoke an invasion of Cuba through multiple staged incidents of supposed Cuban aggression. Of course, false flags as a tactic aren't limited to the physical world; they exist in cyber intrusions as well. But why would an attacker bother to plant a false flag within a cyber intrusion in the first place?
Digging a little deeper into the concept of a false flag operation shows that the intent of the actor behind it is to do one of two things: either to deliberately shift the blame onto a specific third party, or to conceal the actor's own identity by making the intrusion look like someone else's work.
The difference, although subtle, is profound. The success criteria in the two cases are fundamentally different: in one you let a third party take the blame, whereas in the other you hide your own actions.
If an attacker deliberately wishes to attribute the blame to a third party, this implies a level of malice that is not typically considered in the analysis of cyber intrusions. It also implies that the true perpetrator is fully aware of the impact a successful false attribution will have on the victim, and on the relationship between the victim and the party being framed.
If the false flag is instead used to hide the true identity of the attacker by pointing at another party, this implies that the perpetrator expected the intrusion to be discovered at some point. While the effects of a cyber attack are often obvious (particularly in the case of an intrusion that causes physical damage), detection of an intrusion is never guaranteed. In the case of a stealthy cyber espionage campaign, the presence of false flags therefore implies a further level of operational sophistication above and beyond the core technical skills displayed by the attacker: the actor has planned for the post-discovery investigation, not just the intrusion itself.
The conclusion of this short examination is that the use of false flags within a cyber context should be treated differently from their use within a physical context. Furthermore, the assessed presence of a false flag within a cyber intrusion should be viewed as an additional indicator of both malice and sophistication, and any attribution derived from artifacts the attacker could have planted (language strings, compile timestamps, reused tooling, infrastructure choices) should be weighted accordingly.