Welcome to the frustratingly deceptive age of hacking attribution. While the subterfuge is often all about a game of cat-and-mouse or to throw authorities off the trail of the real attackers, it can be an especially dangerous game when it comes to sometime attempting to incite conflict between the victim organization or nation, and the supposed attackers. Hackers posing as other hackers can basically encourage conflict among other nations or organizations, experts say, and sit back and watch.
The trouble with so-called cyberwar and targeted attacks like the recent one against Saudi Aramco is that the attackers who claim responsibility for the deed may be posing as another nation or group in order to incite conflict between other nations or groups.
"It's very easy to attack some group of people or some country and make it look like it came from another country. You can engage them into cyberwar via a third party," says Cesar Cerrudo, CTO for IO/Active Labs.
Take the hack that took down China's Baidu search engine in early 2010. A group claiming to be the Iranian Cyber Army said it had downed Baidu, prompting retaliatory hacks by Chinese hackers against Iranian sites. "The Chinese were surprised that Iranians had attacked them," he says. "After that, the Chinese attacked Iran."
But it turns out it wasn't actually Iran behind the Baidu attack, Cerrudo says. "Someone else attacked the Chinese to get them to attack the Iranians. Maybe it was a test or some sort of experiment," he says.
Cerrudo, who delivered a presentation last week at the Ekoparty conference in Buenas Aires on the problem of these so-called "false flag" attacks and the myths and truths about cyberwarfare, says the difficulty in confirming who's behind what attacks often leads to the spread of disinformation about cyberwarfare and cyberweapons.
"There is a lot of things published that is not real and doesn't have any hard evidence behind it. Then people start repeating the same [information] and then you start to realize ... it's nonsense or is wrong. There are many hidden agendas and manipulation behind" some high-profile attacks, he says.
Some nations basically use that model to manipulate the public perception or to elicit a response from the victim organization to retaliate against the attacker's enemy, for example, he says. Or they are looking to hide their activities.
Joe Stewart, director of malware research for Dell SecureWorks, says cyberespionage attackers often use subterfuge. "They use a fair amount of subterfuge, trying to relay their traffic through third-party hacked servers in whatever country they might be in," Stewart says. "We also see plenty of activity not being relayed, also. Lots of command and control is hosted right here on Chinese IP addresses. [Those attackers] don't care about attribution – it's kind of an open secret. They care more about getting around firewall controls and access control lists."
[Insight into key characteristics, behaviors of cybercrime versus cyberespionage attackers can help -- but the threats aren't just from China and Eastern Europe. See Profiling The Cybercriminal And The Cyberspy.]
Meanwhile, while superpowers such as the U.S. are investing big bucks in cyberwarfare and defense, they're spending more than they should, IOActive's Cerrudo says. "It's just software," hey says. "It may be more expensive if you have good researchers who find new attack techniques or zero-days. But in the end, it's just software."
This lower barrier to entry makes it possible for small nations with little or no cyberweapon budget to participate in cyberwarfare as well, he says. One model: a nation could select top university talent and train those students in exchange for having them work on cyberweapon-type projects, he says.
And look for cyber-mercenaries to become the next potential threat, Cerrudo says. Cybercrime has spawned a new generation of skilled hackers as well as established botnet infrastructures and other tools that easily could be used in militia-for-hire type scenarios by malicious nation-states or other bad actors.
"In the future, we might see cyber mercenaries and militias" who work for whoever pays them to go after groups of people or governments, he says. "It could be anyone or even could be government -- but you couldn't prove it."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.