How do advanced cyber attackers use false flag tactics in cyber campaigns? They include code segments that imply a different origin, alter file creation timestamps to match other regions’ working hours, and plant words in other languages in the code itself.
The CloudAtlas group, for example, used all of the above tactics. They reused the same phishing lure as the Russian Red October group (a message about a diplomat’s car for sale). They also used Chinese malware, and another malware sample containing strings written in Hindi and Arabic. Some of their methods simply stood out as obvious false flags – in one case, the attackers sent documents in Spanish to Russian targets.
Why do cyber attackers do this? The reason is not fear of attribution: countries that run cyber espionage campaigns will always have plausible deniability on their side to avoid international embarrassment, and advanced criminal gangs operate using bulletproof hosting and ever-changing tools, which makes them very hard to locate and apprehend. The goal of every anti-InfoSec tactic is to keep the operation going: advanced malware is very expensive, and an operator who loses their malware might forfeit an entire operation.
The human factor
While they are more agile than the security industry in general, threat actors have limitations, some of which are the same limitations experienced by their adversaries – like the possibility of human error. Many cyber attackers use advanced programming techniques to create the right tool for the right operation, but sometimes they overlook small details and make very basic mistakes. For example, the Deep Panda group changed file creation dates but forgot to check their calendars: some of the files were dated as having been created after the attack itself took place. The Hellsing group used some of the PlayfullDragon group’s C2 infrastructure and shared characteristics with the Vixen Panda group. Unlike the CloudAtlas case, these were simpler to spot and the attack could be blocked.
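As an added example (not from the Kaspersky research this article summarizes), the following Python script performs the two checks an analyst would run on a timeline of recovered files: whether the claimed creation times form a convincing working week for some UTC offset (the picture a timestamp forger wants an investigator to see), and whether any of them postdate the first observed compromise (the Deep Panda-style slip). The file names, dates and incident time are constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample timeline: hypothetical file names and times, not from any real case.
# "created" is the file-system creation time recorded on the compromised host, in UTC.
FIRST_SEEN = datetime(2015, 3, 10, 14, 0, tzinfo=timezone.utc)  # first observed compromise
ARTIFACTS = [
    {"name": "svchost_helper.dll", "created": datetime(2015, 2, 2, 1, 15, tzinfo=timezone.utc)},
    {"name": "dropper.exe",        "created": datetime(2015, 2, 3, 3, 40, tzinfo=timezone.utc)},
    {"name": "config.dat",         "created": datetime(2015, 2, 4, 6, 5, tzinfo=timezone.utc)},
    {"name": "update.tmp",         "created": datetime(2015, 3, 12, 2, 30, tzinfo=timezone.utc)},
]


def created_after_incident(artifacts, first_seen):
    """Names of artifacts whose claimed creation time postdates the first observed compromise.
    A forged timestamp that lands here contradicts the attack timeline itself."""
    return [a["name"] for a in artifacts if a["created"] > first_seen]


def workday_fit(timestamps, utc_offset_hours, start_hour=9, end_hour=18):
    """Fraction of timestamps that fall Monday-Friday between start_hour and end_hour
    local time, once the UTC times are shifted by the given offset."""
    if not timestamps:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(timestamps)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """UTC offsets ordered by how well the timestamps fit a normal working week there.
    A perfect fit is what a forger aims for, so it is a lead, not an attribution."""
    return sorted(offsets, key=lambda off: workday_fit(timestamps, off), reverse=True)


if __name__ == "__main__":
    times = [a["created"] for a in ARTIFACTS]
    print("best-fitting offsets:", rank_offsets(times)[:4])
    print("created after first sighting:", created_after_incident(ARTIFACTS, FIRST_SEEN))
```

Sorting by working-week fit is stable, so among offsets that fit equally well the smallest is listed first; the contradiction check is the stronger signal, because a timestamp later than the intrusion cannot be explained by any time zone.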
Kaspersky’s researchers note that more threat actors are using false flags nowadays than ever before, and that this trend will probably continue. But not all threat actors have the same attention to detail, or access to the right resources to avoid making mistakes. Therefore, researchers should tread carefully when analyzing new cyber attacks that look familiar. They should also try to fingerprint the false flags themselves, as these flags can give valuable information about an attacking group’s modus operandi, which might make it easier to identify these groups in future attacks.