The other day I watched a World War II documentary on internet TV. The story was about a British ship attempting to get past Nazi defenses by altering its deck profile and flying the Reichskriegsflagge, the ensign of the Kriegsmarine – the German navy. Under the rules of war, they had to switch to their own flag before engaging the enemy. That flying of the Reichskriegsflagge was an example of a false flag.
In recent months the term false flag has been used to describe cyber attacks perpetrated by an adversary but designed to look as though they’d been performed by another organization. This is often done by using methods or tools known to be used by the group being “framed.” The goal can be to encourage retaliation or merely to redirect blame.
In any case, the goal of a false flag attack is deception. One party wants to deceive another into believing that a third party is responsible for some action (or that the action was performed by the target itself). The Wikipedia article on “False flag” lists multiple examples of its use in warfare.
We hear it most often in the news when a cyber attack is described as a false flag. The context is usually that an individual or group from organization A seems to have attacked organization B, but there is often a caveat that the attack may be a false flag. In other words, it may have been performed by organization C. The “organizations” in this case could be governments, companies, or even individuals.
In the case of a cyber attack, it may be difficult to discern whether or not a particular attack was indeed a false flag. If an attacker uses tools and techniques she copied from an adversary, her attacks may carry that adversary’s signature – they may look as though they came from the adversary instead of from her. This may have the effect of misleading militaries or law enforcement, or it may be intended solely to mislead public opinion. Those goals have been pursued in physical warfare in the past, and there is no reason to believe they are not being pursued in cyberspace today.
There is a better chance of identifying the perpetrator when investigating internal security incidents, because digital forensic analysis of the source system will often yield useful evidence. The basic steps to collect and analyze digital forensic information using Autopsy are validated through the CyberSec First Responder (CFR) certification, an ANSI-accredited, DoD-approved IT security certification from Logical Operations.
As critical readers of the news, and as those who look at attacks on our own networks, we must not be hasty in assigning blame. False flag attacks are one of many reasons cyber security professionals argue against pursuing a suspected intruder: the pursued may not be the actual perpetrator of the attack. (We talk about that and other reasons in Learning Tree’s Introduction to Cyber Security.) A well-executed false flag attack may be very difficult to attribute correctly, so that task is best left to those who specialize in attribution.
To your safe computing,