False Flags and Mis-Direction in Hacker Attribution

Dangers of False Flags and Hacking Attribution

On October 7, 2016 the U.S. government officially called out Russia and accused it of involvement in cyber attacks against American political organizations. Two days prior, at the Virus Bulletin (VB) Conference, Kaspersky Lab researchers presented a paper on the problems of attribution: Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks.

Cyber attack attribution has long been a thorny problem. It is difficult to develop norms of international cyber behavior if attackers can hide behind plausible deniability. Microsoft recently proposed an independent international committee of experts to ascribe responsibility. The Kaspersky paper, however, questions whether absolute attribution is even possible.

The paper, written by researchers Brian Bartholomew and Juan Andres Guerrero-Saade, seeks to “prove a cautionary tale”. At a time when the Obama administration warns Russia that “We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing,” Kaspersky Lab warns that misattribution can have a heavy cost. 

To be clear, Kaspersky is not saying that America is wrong in blaming Russia — it is simply saying that attribution is difficult. Like all conference papers, this one was written months ago. Its timing now is purely coincidental. Indeed, in separate conversation, Guerrero-Saade told SecurityWeek that if any organizations are equipped to accurately attribute attacks, it is the large nation signals intelligence agencies; that is, governments, because they have access to a much wider range of communications than is available to researchers and research private companies.

The paper (PDF) first discusses the means by which researchers seek to identify perpetrators. These range from the infrastructure and backend connections used, the toolkits (including timestamps, reuse of existing code, language clues, and even re-used passwords within the attack), to motivation (who is the target). This makes attribution of attacks to specific attack groups relatively easy. The real difficulty comes in attributing those groups to geopolitical regions and/or nation state sponsors.

The paper discusses examples of this difficulty, including Cloud Atlas and Turla. Of particular interest, however, are Sofacy, TigerMilk and Wild Neutron.

Sofacy is also known as APT28, Pawn Storm, Tsar Team, and Fancy Bear. Two years ago, FireEye linked APT28 to Russia. In October 2016, Crowdstrike linked the DNC hacks to Fancy Bear, and therefore Russia.

While Sofacy, APT28 and Fancy Bear are different names for the same group, Kaspersky believes that a number of ‘separate’ groups are also Sofacy. One of these is CyberCaliphate. CyberCaliphate first appeared at the end of 2014 when it took control of the Albuquerque Journal’s mobile application, and broadcast propaganda; and followed this in January by seizing control of the United States Central Command (USCENTCOM)’s Twitter and YouTube accounts. The world believed that a new pro-ISIS hacking group had arrived.

When French TV station TV5Monde was hacked and almost destroyed in April 2015, CyberCaliphate claimed responsibility. Since it had an established presence this was at first accepted as the likely explanation. A few months later FireEye found that an IP address associated with Sofacy had been used, and blame switched from CyberCaliphate to Sofacy (and by implication, Russia). Kaspersky believes, however, that CyberCaliphate and Sofacy are the same group.

“It is believed,” write Guerrero-Saade and Bartholomew, “that CyberCaliphate was created to provide the Sofacy actors a way to conduct psychological operations against certain targets of interest while providing a level of plausible deniability.” Given that Russia has sided with the Syrian government against ISIS, it is far from an automatic assumption to describe CyberCaliphate as Russia.

In fact, Kaspersky also links CyberBerkut and the Yemen Cyber Army groups to Sofacy. The unspoken danger is that if the identity of one hacking group can be misrepresented as a false flag, then so could any hacking group.

TigerMilk is not so well known. Its inclusion here is based on one surprising fact: it employs the same digital certificate as the one used in the Stuxnet attack against Iran. “As such,” says the paper, “the only imaginable value of signing these samples with this particular certificate is to fool incident responders and researchers into casting blame on the notorious Stuxnet team for an attack on Peruvian military and government institutions.”

Wild Neutron is a group surrounded by mystery — nobody knows who it is. This is because of a widely differing range of targets and a “hodgepodge of indicators”. One suggestion is that it is a highly competent mercenary group that attacks to order. This raises a completely different attribution complexity: state sponsors could employ mercenary hacking groups to obfuscate their own involvement.

The stated purpose of this paper is not to deny the possibility of accurate attribution, but to describe the difficulties and dangers in doing so.

“In place of a summary conclusion,” say the authors, “we instead leave open questions in need of deeper reflection, on the part of both producers and consumers of threat intelligence, to serve as our final takeaways in furthering a much needed conversation.”

Those questions are: What is solid attribution? What is actually needed? Who can really do attribution? And who are you hacking back?

Related: Microsoft Proposes Independent Body to Attribute Cyber Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
