Digital False Flag Operations: A How-To Guide
In today’s digital age, the threat of cyber attacks is a constant concern for organizations and individuals alike. One tactic that has gained attention in recent years is the use of false flag operations. But what exactly is a false flag operation and how is it being utilized in the realm of cyber security?
This post goes into possible methods and techniques of falsifying the source of malware and intrusions with the intent of shedding some light on how threat analysts might be deceived.
This post covers:
- Deceiving using known techniques and exploitation tools
- Adding false flags within malware using region-specific exclusions
- Adding language-specific code comments in malware
- Re-using leaked or open-source code from known threat actors
- Claiming uncovered operations under false identities
Deceiving using known techniques and exploitation tools
Threat attributors, the individuals tasked with tracking, identifying, and accrediting perpetrators of cyberattacks, use threat indicators to track and identify adversaries. A popular source of these indicators (techniques and software) is gathered and published here by the MITRE corporation.
It is a very useful and respected database, currently containing the techniques and software used by 135 identified threat actors. However, this database is useful for threat actors themselves as well.
They can choose to purposefully run attacks on and within networks to cater to the techniques used by different malicious groups. This would let security analysts down the wrong path and create a digital smokescreen.
An example:
First, as a threat actor, you need to find a known group that has the potential to target the same victim as you do. This can be a company within the financial sector, vital infrastructure in a different country, your local bakery, you name it.
For this experiment, we’ll go after an imaginary financial institution in Europe. Now, we go through the list of known threat actors with the same target group. A quick Google search results in the following of possible groups: FIN7, Monkey Taker, MetaStrike, Lazarus, Carbanak.
Let’s make the FIN7 group take the blame for our operation! MITRE shows us a list of known exploitation techniques used: https://attack.mitre.org/groups/G0046/.
A few specific actions stand out:
- FIN7 makes use of the MEGA file-sharing site for data exfiltration
- FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.
- FIN7 has exploited ZeroLogon (CVE-2020–1472) against vulnerable domain controllers.
It is reasonable to assume that a security mature company has detection rules set up for this specific behaviour. It can be used to your advantage as it increases the possibility of your false flags being found. Using similar file names and file-sharing sites for data exfiltration might help get this Russian threat group get blamed for your operation.
Adding false flags within malware using region-specific exclusions
On Friday, July 2nd, 2021 the threat group REvil commits a worldwide ransomware attack exploiting Kaseya VSA software to deliver a malicious payload. The ransomware would check for certain keyboard languages to be installed. In specific, keyboards using the Cyrillic script. If this was configured, the ransomware would not further infect the system. REvil used this as a built-in failsafe designed to cover the backsides of the threat actor.
Imagine how implementing such a feature can be used to create a false flag. First check for specific regions, languages, and keyboards to be installed on systems from a country you want to take the blame for your actions and exclude your malware for these machines. This piece of code doesn’t even have to be operational as long as it exists in payload used in the operation.
Adding language-specific code comments in malware
Malicious actors often make use of scripting languages for staging malware. Commonly used ones are PowerShell, Bash, and Python. The following image shows a script used by threat actors to install a cryptojacker on a target. As you can see, it uses the English language for function names and code comments.
Purposefully translating function names and comments in malicious scripts to, for example, the Cyrillic script or Mandarin language could be used to side-track the security analysts working on attributing the malware to a specific actor.
Re-using leaked or open-source code from known threat actors
A lot of hacking frameworks and exploit kits get leaked to the internet. Using MITRE, we can trace back what kind of exploit kits are used by specific threat actors. For example, FIN7 is known to use the following software: AdFind, BOOSTWRITE, Carbanak, Cobalt Strike, CrackMapExec, GRIFFON, HALFBAKED, JSS Loader, Lizar, Mimikatz, Pillowmint, POWERSOURCE, PowerSploit, RDFSNIFFER, REvil, SQLRat, TEXTMATE
From a lot of these tools, source code is available. Re-using it in your attack would further enhance your digital smokescreen. Also, exploit kits may have been leaked, like the backdoor used by FIN7 for their attacks. Re-using or dropping such payloads in target networks would certainly misguide security analysts.
Claiming uncovered operations under false identities
As a last resort a threat actor can make use of tools outside the scope of the original operation. Let’s say you successfully infiltrated a target and they later find out that a breach has taken place. Now you could use false social media accounts to claim the attack or sell stolen information under fake identity linked to the groups/individuals you want to take blame.
Who would perform these operations?
It’s important to note that the typical threat actor would not employ false flags to obscure their attacks as doing so would increase the likelihood of detection. Skilled and sophisticated malicious actors would also be careful not to make their false flags too conspicuous, as this would raise suspicion and reveal to threat analysts that they are being misled. False flag cyber operations are primarily used for the purpose of creating confusion and spreading disinformation, which may be employed by state actors for strategic gain. It’s important not to be naive about the potential use of such tactics.
The purpose of this post is not to instruct individuals with nefarious intentions on how to conceal their actions, as that would only complicate my own efforts. These techniques are well-known and used in the wild. My intention is to emphasize the importance of a thorough examination during the triage process, as things may not always be as they initially appear.
Often they will, but examining high-value targets may require a more thorough look. Wrongly attributing cyber attacks can have real-world consequences and be used as a tool for misinformation. Therefore, it is crucial to ensure that our findings are correctly attributed.
Thank you for reading & stay vigilant!