This story is over 5 years old.


How Hackers Plant False Flags to Hide Their Real Identities

Telling who’s behind a cyberattack is tricky.
Image: Levrints Nikoleta/Shutterstock

During the first half of 2015, a mysterious hacking group allegedly started attacking military and government organizations in Peru in what looked like a routine—even run-of-the-mill—espionage campaign.

The group used an old exploit and "clunky" malware, nothing particularly notable. What was unusual about this operation was that the malware was signed with a stolen digital certificate that had already been used by the hackers responsible for disrupting an Iranian nuclear power plant in the famous Stuxnet attack, according to security firm Kaspersky Lab.


All this made very little sense.

The use of the stolen certificate made it look like the hacking group was the same as the Stuxnet attack, or was it just a trick? Security experts often repeat a mantra: "attribution is hard." Finding out who is responsible for a cyberattack is a complicated, often impossible task, and in some cases, hackers make it even harder by leaving misleading clues, like in the case of the Peruvian attacks.

Hackers had apparently planted this clue—this "false flag"—to make it look like they were the same group behind Stuxnet.

When the hackers used the digital certificate, as Kaspersky Lab researchers explained in a paper released last week, it had already been long revoked, meaning it didn't make the malware any more stealthy.

The hackers, whoever they were, had apparently planted this clue—this "false flag"—to make it look like they were the same group behind Stuxnet. The hackers, whom Kaspersky Lab dubbed "TigerMilk," were trying to confuse investigators and security researchers alike.

"This is a good example of throwing a shiny object in another direction and being very good at at least masking where they're coming from," Juan Andres Guerrero-Saade, one of the authors of the paper, told Motherboard in a phone call.

For Guerrero-Saade and his colleague Brian Bartholomew, the case of TigerMilk is one of the most impressive examples of a false flag operation in hacking. And among the many others they detail in their paper, it should serve as a warning for all security researchers and companies who want to point the finger and attribute cyberattacks or espionage operations. Their paper is especially relevant in the wake of the US government publicly accusing Russia of being behind the hack of the Democratic National Committee and other political institutions.


Bartholomew (left) and Guerrero-Saade (right) talk about false flags at the Virus Bulletin conference in Denver, Colorado. (Image: Kaspersky Lab)

The clues and breadcrumbs left behind by hackers often point in a certain direction. But how can anyone really tell who's behind the screen? After all, there's been several cases where different groups used tools and methods from others, and even stole their hacking kits in order to hide their tracks. How can anyone be sure whether those clues aren't left there on purpose as a misdirection, as that Stuxnet stolen digital certificate?

Last year, a previously unheard of group of hackers who called themselves Yemen Cyber Army came out of nowhere to attack several institutions in Saudi Arabia. Despite its name, some researchers were quick to suggest that the group could actually be Iranian, given its use of a the expression "Cutting Sword of Justice," which had previously been used in 2012 in the destructive attack on the oil giant Saudi Aramco.

"Somebody put that there for a reason," Christopher Ahlberg, the founder and CEO of Recorded Future, the company that first spotted that clue, told Motherboard last year.

"As intelligence agencies they are blessed with the ability to see but not to publicly substantiate. The gift to attribute without being believed."

As Bartholomew and Guerrero-Saade point out, however, more recently discovered clues seem to indicate the Yemen Cyber Army, which apparently passed hacked documents to WikiLeaks, might actually just be a front for Sofacy, a hacking group also known as APT28 or Fancy Bear. This group is widely believed to have ties to the Russian government, and is one of the suspects behind the DNC hack.

So is attribution impossible? Depends who you are, as Bartholomew and Guerrero-Saade argued in their paper. If you're just a security company, the most you can probably do is cluster hacking activities and attribute them to the same group. But you can rarely, if ever, be certain who the group really is. If you're an intelligence agency, say the NSA, you have access to a lot more data. In that case, pointing the finger is possible, but saying how they did it isn't.

For Bartholomew and Guerrero-Saade, intelligence agencies are like "gods of the wires" because they have internet cable taps, and can also hack routers and other internet backbone to access crucial data, "in such a way as to enact near perfect recall when an attack is discovered."

"In true Greek irony, the Cassandras of the modern age are hamstrung by their own Apollonian curse: as intelligence agencies they are blessed with the ability to see but not to publicly substantiate," the two wrote. "The gift to attribute without being believed."