False flag operations have long existed in the physical world, a tactic used to make an operation appear to have been planned and executed by someone other than the real perpetrator. For example, Operation Northwoods was a plan concocted by the US Central Intelligence Agency (and later vetoed by President Kennedy) to provoke an invasion of Cuba through multiple false flags of supposed examples of Cuban aggression. Of course false flags as a tactic isn’t limited to the physical world – false flags similarly exist with cyber intrusions. But why would an attacker bother to create a false flag within a cyber intrusion in the first instance?

Digging a little deeper into the concept of a false flag operation shows that the intent of the actor behind the operation is to do one of two things:

  1. To falsely implicate an innocent third party as the deliberate goal of the operation.
  2. To implicate the third party in an effort to obscure the true perpetrator of the action.

The difference – although subtle – is profound. The success criteria in the two different cases is fundamentally different; in one you let a third party take the blame, whereas in the other you hide your own actions.

If an attacker deliberately wishes to falsely attribute the blame to a third party, then this implies a level of malice that is not typically featured within the analysis of cyber intrusions. It also implies that the true perpetrator of the intrusion is fully aware of the impact that the attribution will have on the victim from a successful false attribution.

If the false flag is used to hide the true identity of the hacker by attributing the attack to another party, then this implies that the true perpetrator of the attack was aware that the intrusion would be discovered at some point. While the effects of a cyber attack are obvious (particularly in the case of an intrusion that causes physical damage), detection of an intrusion is not always 100% assumed. In the case of a stealth cyber espionage campaign, the presence of false flags implies a further level of operational sophistication above and beyond the core technical skills displayed by the attacker.

The conclusion of this short examination of false flags is that their use within a cyber context should be treated differently from their use within a physical context. Furthermore the assessed presence within a cyber intrusion should be viewed as an additional indicator of both malice and sophistication.