False Flags During Times of Geopolitical Conflict – The Right Time to Strike

Emilio Iasiello

The global nature of the Internet coupled with the inexpensive nature of conducting activities therein make cyberspace an immediate and attractive medium for states seeking to extend their power and influence. Therefore, it is unsurprising to see how state use of cyberspace has continued to evolve, extending beyond cyber-attacks to include a variety of “soft power” options that states have at their disposal that can support a variety of national objectives.

Cyber activities that have been specifically attributed to a state have included cyber espionage for intelligence/information collection (e.g., China), network reconnaissance to facilitate additional compromise of conduct or for a later attack (e.g., Iran), propaganda and disinformation/influence operations designed to manipulate a target audience’s opinion (e.g., Russia), and destructive attacks intent on punishing or trying to coerce a target (e.g., Ukraine power grid). Many more may have been conducted by state sympathizers and nonstate actors directed by or working on behalf of a state’s interests (e.g., Estonia cyber-attacks, Operation Ababil).

The question of attribution has always remained a murky effort, largely because of the difficulty in proving direct links between the activity and a specific state, but it appears that over the past few years the threshold for that rigor has significantly decreased. Technical analysis linking malware language, command-and-control indicators, domain names, and IP addresses have been used to support such allegations, even though it is well known by state actors that such artifacts are used to analyze these activities and have been used in publicly-accessible published findings and analysis on APT activity. In short, tactics, techniques, and procedures are identified and made widely known.

However, with every attack or campaign uncovered, state attribution has become more assertive, regardless if presented evidence is substantial enough to make such declarations. For example, operating “work” times in geographic regions is sometimes used as “proof” that activity originated from a certain area, suggesting that bad guys only work when they are on the job and wouldn’t work off hours and holidays. In addition, a state’s strategic plans are relied onto to explain the reasons some entities were targeted, especially when discussing motives for cyber espionage operations. While this may certainly be an indicator of a state’s potential interest in a target, it is not the exclusive purview of that state. State strategic plans are typically broad and not unique to any one state. Improving telecommunications and internal infrastructure, improving healthcare, developing manufacturing industries, going “green,” are just some goals that many states in the world have.

Targets of cyber espionage campaigns typically cover a broad range of targets in a variety of industries. However, targets that don’t neatly fit into the “strategic plan” narrative are often unexplored or at least not examined with the same depth of focus. False flag operations have sprung to the forefront when talking about cyber espionage and with good reason. It stands to reason that states want to deceive defenders into thinking that another country may be behind a particular campaign or event. However, even with false flag operations, there is a tendency to continue to confidently assert attribution, a remarkable undertaking given the reputation of some states as using “sophisticated tradecraft” and being very cyber capable. Sloppiness and operator error have been linked to why typically viewed sophisticated actors have been uncovered.

Geopolitical situations are prime catalysts for cyber operations between states allowing governments to either transparently demonstrate their views, or else use proxies to obfuscate their involvement in more aggressive offensive actions. A recent article highlights this point, revealing how geopolitics could inspire cyber-attacks against industrial control systems in some Gulf countries. Indeed, another article highlights how confrontational regional issues spurn such activity. When states are in conflict, hostile cyber activity is typically attributed to a state, their proxies, or their sympathizers. This is why many considered the patriotic hackers during 2007 Estonia and 2008 Georgia cyber-attacks to ostensibly be viewed as extensions of the Russian government, even though Moscow could not be held technically accountable for them.

What is not being more rigorously explored is how often third-party state false flag operations may be used exactly during times of geopolitical tension/conflict against the states involved in that tension/conflict. It would be an opportune time to conduct the activity, especially if tactics, techniques, and procedures associated with one of the aggressor states and their non-state affiliates are employed. At a time when there is an extensive publicly accessible library of advanced persistent threat (APT) campaigns, it seems easy to mimic activities, especially if directed against a known target of the APT group. A third-party state could easily mask intrusion ops or disruptive attacks in this manner, and there is little scholarship discussing this angle.

Initially thought to be extremely difficult, recently there has been more confidence in attributing activity to states, at least well-enough, to call them out by name. However, understanding that hostile cyber activity against states during geopolitical tension/conflict may be a false flag committed by a third state warrants further consideration. That is not to say that the lion’s share of observed/detected activity will be executed by otherwise uninvolved third parties. Likely, not. But how governments may leverage these periods of unrest under the guise of states in conflict to their advantage bears closer investigation, requiring a strategic approach to see a broader, more informed picture.

Who benefits, or cui bono?, is often applied to cyber-attacks. The idea is that based on the target and the attack, anonymity sheds itself and a culpable state will likely be exposed. Where that may have worked once, emergence of false flag operations has shown that such a conclusion can be unreliable and misleading. Complicating matters is a government mimicking the attributed activities of a state involved in tension/conflict with the intent of executing operations against the opposing state.

If we are going to include the “who benefits” calculus into the attribution process, then we must be prepared to take into account many variables, options, and alternatives we hadn’t before, approaching each with the same unbiased analytic rigor. Failing to do so risks misunderstanding events, reaching faulty conclusions, and potentially incorrectly informing leadership courses of action. If not, the cui bono? will end up benefitting most the perpetrator that no one expected or even considered.