Attackers Engage In 'False Flag' Attack Manipulation

When hackers posing as other hackers encourage conflict among other nations or organizations

Just because someone calling itself the Iranian Cyber Army takes responsibility in a Pastebin post for a targeted attack doesn't necessarily mean that group did it, nor that the group boasting about the attack is really the so-called Iranian Cyber Army.

Welcome to the frustratingly deceptive age of hacking attribution. Often the subterfuge is just a game of cat-and-mouse, or a way to throw investigators off the trail of the real attackers. But it becomes especially dangerous when the goal is to incite conflict between the victim organization or nation and the supposed attackers. Hackers posing as other hackers can provoke a conflict between two other nations or organizations, experts say, and then sit back and watch.

The trouble with so-called cyberwar and targeted attacks like the recent one against Saudi Aramco is that whoever claims responsibility for the deed may be posing as another nation or group precisely in order to start a conflict between those other parties.

"It's very easy to attack some group of people or some country and make it look like it came from another country. You can engage them into cyberwar via a third party," says Cesar Cerrudo, CTO for IOActive Labs.

Take the hack that took down China's Baidu search engine in early 2010. A group claiming to be the Iranian Cyber Army said it had downed Baidu, prompting retaliatory hacks by Chinese hackers against Iranian sites. "The Chinese were surprised that Iranians had attacked them," he says. "After that, the Chinese attacked Iran."

But it turns out it wasn't actually Iran behind the Baidu attack, Cerrudo says. "Someone else attacked the Chinese to get them to attack the Iranians. Maybe it was a test or some sort of experiment," he says.

Cerrudo, who delivered a presentation last week at the Ekoparty conference in Buenos Aires on the problem of these so-called "false flag" attacks and the myths and truths about cyberwarfare, says the difficulty of confirming who is behind a given attack often leads to the spread of disinformation about cyberwarfare and cyberweapons.

"There are a lot of things published that are not real and don't have any hard evidence behind them. Then people start repeating the same [information], and then you start to realize ... it's nonsense or is wrong. There are many hidden agendas and manipulation behind" some high-profile attacks, he says.

Some nations use that model to manipulate public perception, or to provoke the victim into retaliating against the attacker's real enemy, he says. Others are simply looking to hide their own activities.

Joe Stewart, director of malware research for Dell SecureWorks, says cyberespionage attackers often use subterfuge. "They use a fair amount of subterfuge, trying to relay their traffic through third-party hacked servers in whatever country they might be in," Stewart says. "We also see plenty of activity not being relayed, also. Lots of command and control is hosted right here on Chinese IP addresses. [Those attackers] don't care about attribution – it's kind of an open secret. They care more about getting around firewall controls and access control lists."
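Stewart's point, that the IP a victim sees is often just a hacked relay in a third country, is the practical reason geolocating the peer address is not attribution. The script below is an added illustration written for this page, not code from Dell SecureWorks or from the article. It uses constructed flow records (all addresses, byte counts and the GeoIP table are hypothetical) to show two things: the "apparent origin" of C2 traffic as seen from the victim's egress, and how flow records obtained from the relay host itself can be correlated by timing and size to walk one hop further back. The correlation method generalizes beyond the single relay in the text, and a recovered next hop is still only another IP, which may be yet another relay.

```python
"""Relay-hop correlation over constructed flow records (added example).

Demonstrates why the country of the IP a victim talks to says little
about the operator, and how records from a relay can be correlated to
find the next hop. Every IP, country and record here is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds, constructed clock
    src: str
    dst: str
    nbytes: int


# Hypothetical GeoIP table; these are documentation/test ranges, not real allocations.
GEOIP = {
    "10.0.0.5": "VICTIM",
    "198.51.100.7": "DE",   # hacked relay in a third country
    "203.0.113.9": "CN",    # upstream the relay forwards to
    "192.0.2.44": "RU",     # unrelated peer of the relay
}


def country(ip: str) -> str:
    return GEOIP.get(ip, "??")


# What the victim's egress sees: only the relay address is visible.
VICTIM_FLOWS = [
    Flow(1000.0, "10.0.0.5", "198.51.100.7", 4096),
    Flow(1060.0, "10.0.0.5", "198.51.100.7", 512),
    Flow(1120.0, "10.0.0.5", "198.51.100.7", 8192),
]

# Records from the relay itself (e.g. from its hosting provider or owner):
# inbound from the victim, then outbound to the next hop shortly after.
RELAY_FLOWS = [
    Flow(1000.1, "10.0.0.5", "198.51.100.7", 4096),
    Flow(1000.3, "198.51.100.7", "203.0.113.9", 4120),
    Flow(1030.0, "198.51.100.7", "192.0.2.44", 60),    # noise, wrong time/size
    Flow(1060.1, "10.0.0.5", "198.51.100.7", 512),
    Flow(1060.2, "198.51.100.7", "203.0.113.9", 530),
    Flow(1120.1, "10.0.0.5", "198.51.100.7", 8192),
    Flow(1120.4, "198.51.100.7", "203.0.113.9", 8200),
]


def apparent_origin(flows):
    """Country distribution of the peers the victim contacts directly.
    This is what naive geolocation-based 'attribution' reports."""
    return Counter(country(f.dst) for f in flows)


def correlate_hop(inbound, relay_flows, relay_ip, window=2.0, slack=0.1):
    """Pair each inbound flow at the relay with the first outbound flow
    that leaves within `window` seconds and carries a byte count within
    `slack` of the inbound size (a relay re-wraps but rarely resizes much).
    Returns a list of (inbound, outbound) pairs."""
    outs = [f for f in relay_flows if f.src == relay_ip]
    pairs = []
    for f in inbound:
        cands = [o for o in outs
                 if 0 <= o.ts - f.ts <= window
                 and abs(o.nbytes - f.nbytes) <= slack * f.nbytes]
        if cands:
            pairs.append((f, min(cands, key=lambda o: o.ts - f.ts)))
    return pairs


def next_hop(victim_ip, relay_ip, relay_flows):
    """Most common onward destination for the victim's traffic, or None."""
    inbound = [f for f in relay_flows if f.src == victim_ip and f.dst == relay_ip]
    ups = Counter(o.dst for _, o in correlate_hop(inbound, relay_flows, relay_ip))
    return ups.most_common(1)[0][0] if ups else None


if __name__ == "__main__":
    print("apparent origin from victim egress:", dict(apparent_origin(VICTIM_FLOWS)))
    hop = next_hop("10.0.0.5", "198.51.100.7", RELAY_FLOWS)
    print("next hop behind the relay:", hop, country(hop))
```

From the victim alone every flow appears to come from "DE"; only with the relay's own records does the next hop in "CN" become visible, and nothing here proves that address is the operator rather than a second relay. A Pastebin claim of responsibility adds no evidence at either step.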


Meanwhile, while superpowers such as the U.S. are investing big bucks in cyberwarfare and defense, they're spending more than they should, IOActive's Cerrudo says. "It's just software," he says. "It may be more expensive if you have good researchers who find new attack techniques or zero-days. But in the end, it's just software."

This lower barrier to entry makes it possible for small nations with little or no cyberweapon budget to participate in cyberwarfare as well, he says. One model: a nation could select top university talent and train those students in exchange for having them work on cyberweapon-type projects, he says.

And look for cyber-mercenaries to become the next potential threat, Cerrudo says. Cybercrime has spawned a new generation of skilled hackers as well as established botnet infrastructures and other tools that easily could be used in militia-for-hire type scenarios by malicious nation-states or other bad actors.

"In the future, we might see cyber mercenaries and militias" who work for whoever pays them to go after groups of people or governments, he says. "It could be anyone or even could be government -- but you couldn't prove it."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
