A false flag attack is a technique used to shift the blame or to make attribution for an attack harder to determine. The term is derived from pirate ships that flew flags of different countries as a way to conceal their country of origin.
Within the last few years, this technique has been used more and more by sophisticated threat actors which makes attribution and connecting campaigns to a specific group harder. For example, the cyber attack during the Olympic opening ceremony used false flag techniques to shift the attribution to multiple nations. This presentation, given by Joakim Kennedy and Ryan Robinson from Anomali, will take a look at nation-state actors’ use of false flags and why attribution is difficult. Is this a new trend and what can we learn from it?
A little bit about who we are.
So my name is Joakim Kennedy.
And I'm a senior principal security researcher for Anomali.
And I'm Rand.
And I'm a normal security researcher in Anomali.
So a little bit of this talk.
We wanted to go in and talk a little bit of sort of different approaches that we've seen advanced persistent threat actors use to sort of shift the blames over a little bit from who they are to other entities.
And the motivations that are behind this is it usually comes down to attribution.
This is usually the question at first here-- who's behind the attack?
And this is sort of the thing you usually see most case in the media.
We really want to figure out who was behind it.
The problem is, especially in the private industry, we rarely have the full picture.
And sort of drawing those conclusions are really, really hard.
So how do we then do attribution?
The one way of doing it is to look at all the TTPs used by the threat actor, and sort of group it together, and see this sort of behavior matches with this group.
The other way is to look at the victim-- who's most likely to go after them.
What can you gain from that.
The other is to look at infrastructure, or to using something that's been used in a campaign previously.
And if they're reusing it, it's probably likely the same threat actor.
Other ones is IOCs.
The same case.
Maybe they're reusing the same malware.
And also, in terms of malware and other tools, what else are they using that's sort specific to this threat actor?
So in terms of false flag, the sort of definition of it is to perform a covert operation with intention to deceive or shift sort of the blame over to another entity.
The term comes from actually from pirates.
And pirates would usually use a false flag as a kind of a disguise.
They would actually sail with a different country's flag, and allow them to prevent the sort of their targets from fleeing by give them a false sense of security.
Also, it's sort of preventing them from preparing for battle.
And then when it was too late for their target to escape, or prepare for battle, they will switch over and into sort of the classic pirate flag.
They also used it, sort of blame the attacks on other countries.
So you would sort of ship with a British flag and attack the Spanish.
And here's a historical case of a false flag.
Does anyone know where this one is?
This is the Reichstagsbrand, which sort of from the February 27, 1933.
This was blamed on the communists by the Nazis.
And Hitler used this one to actually get some legislations in.
And actually kind of this is one of the fundamental pieces that gave them the power to take over Germany, and turn it into a totalitarian state.
And the interesting cases we heard earlier today at keynotes that cyber is the new sort of area of warfare.
And in terms of with the in addition to the Geneva Convention, if we consider these kind of cyber attacks as warfare, according to the additions to the Geneva Convention, it is a war crime to aid in a military attack with the deceiving of being either the opposite or a third party in the attack.
I'm not putting this at, you know, that this is a truth [INAUDIBLE].
We're not lawyers.
But it's just an interesting thought to come by as we are sort of approaching the cyberspace to what it was consider military warfare.
So a very common form of false flag, especially for nation state actors, is just to pretend to be a different nation state actor.
So this is true in the case of North Korea's Lazarus script.
So Lazarus Group targeted a number of sort of banks, financial institutions, even casinos.
And the reason why they were targeting these people were sort of to generate a new source of revenue for the regime.
So with their ballistic missile testing and all, they have a lot of sanctions slapped on them by the UN Security Council.
And so their main sort of sources of income were stuff like coal and textiles and sort of foreign workers-- so workers that set the foreign countries to bring revenue in.
But when sanctions got slapped on those, they need to find new ways.
And one of them was to sort of target these places that make a lot of money to steal money for them.
So one of the biggest heists that they tried to do was the they tried to steal approximately 1 billion US dollars from the Central Bank of Bangladesh.
They have money stored with the US Federal Reserve [INAUDIBLE]..
And they tried to do SWIFT transactions to steal this money, and actually trade them to different bank accounts, which they would try to collect in.
So when they looked at malware that was used in this attack on SWIFT systems now, there were some interesting flags that started to show up.
So a lot of these flags pointed to that there was Russian hackers involved in this.
And mainly this is because of sort of three things.
There was Russian strings.
Russian exploits are being used.
And there was sort of a commercial Russian binary protector being used.
So when it comes around to the strings, there was Russian words that were transliterated into the Latin alphabet that were placed in Ascii inside some of the malware they were using.
As you can see, just the strings.
So there [INAUDIBLE].
And so the words are ssylka, ustanalivat, poluchit, pereslat, derzhat, vyhodit, and nachalo.
So if anyone here can speak Russian, hold up a scorecard with how I've done on my Russian pronunciation.
So there was some interesting things in this.
Group AB researchers, a Russian firm, when they decide to look into the malware, they noticed that these words they were using for command control, they were not typical for would be a native Russian speaker.
And so namely this word poluchit there.
This word means to get or to receive in Russian.
But it actually contradicted the action that was happening, which they were [INAUDIBLE] stuff.
Other flags was so executables were packed of binary package protectors, namely the Enigma Protector, commercial Russian one.
And exploits for Adobe Flash and Microsoft Silverlight that were created by Russian hackers were being used.
So how did they actually find that there was North Korea, and not Russian hackers?
Well, that module in the previous slide, [INAUDIBLE],, this malware was installed on target machines within machines in the target organization.
Its job was to proxy traffic from the command control server to the victims on the two machines on the local area network of the target.
And so this connected to a free layer command control architecture.
And the C2s consisted of compromised machines.
So what they noticed was on the end layer that the actors would connect to, there was North Korean IP addresses connecting to it.
And both of these IP addresses were in the same [INAUDIBLE] as ones used by North Korean hackers in the Dark Seal attacks.
And also, one of the IP addresses was linked to the Potonggang district, where the national defense commission in North Korea is located.
So, go figure.
So it's not just North Korea.
So in case of Equation Group, or the NSA, one of their malware is called Electric Slide.
When it was dumped by the shadow brokers, you could actually see that there was a flag in it to pretend to be a Chinese browser through the accept language header field, where they put it into Mandarin Chinese.
So sort of in addition to blaming it directly on a country, the other way of sort of setting up a false flag is to sort of create your own scapegoat.
This is Guccifer, who kind of now is a very, very famous as a, I guess, starting of this kind of a scapegoat.
The person behind it, Marcel Lazar Lehel, he first appeared in 2013.
And he got famous for a lot of sort of hacking into high-level government officials.
And what he targeted was their private accounts and social media accounts.
He didn't use very technical, sort of, it wasn't very technical.
He essentially just used public information to guess their password recovery for these accounts, and managed to get access that way.
Later on comes Guccifer 2.0, which we sort of now all know was behind-- sort of a front for the GRU.
They claimed in June of 2016 to be behind the compromise of the DNC, and started to leak information from that compromise.
This actor claimed to be Romanian, and did not speak or understand a word of Russian.
The interesting part was in the communication with journalists, the source IP address for the emails came from a Russian VPN.
The Russian-based VPN-- elite VPN-- essentially the whole website is in Russian.
To sign up for an account you have to understand Russian.
There are parts that are translated to English, but the sign-up process is straight in Russian, with no translations.
The other interesting part, the IP address was associated with a elite VPN.
It was part of their ASN number.
But when you logged in and selected which nodes you wanted to use, it wasn't available.
So the IP address, the hosts that were used by this group or this actor was not available to all customers.
So it was either them running on the side, having a separate VPN for criminal to pay extra, or someone else had the capability of running it within their infrastructure.
In terms of for the Romanian part, in an interview with the threat actor by a journalist for Vice Motherboard, the journalist used Google translate to sort sort of ask a couple of questions in Russia-- or in Romanian.
And the response that he got back from, it was reported by his readers later on that the language and the grammar was very, very clunky, and didn't really appear to be a Romanian, former Romanian native speaker.
One sort of word that stuck out was the word for watermark in Romanian.
This is the word that he used, which is technically the correct word.
And that's what you get when you're using Google Translate.
But according to all the readers and most people that have sort of reported back on it, watermark, that word is not used in Romanian.
Most common is to use the actual English word for watermark.
Other cases where the grammar was different, sort of highlighted in here.
So clearly the actor that claims to be Romanian was not Romanian.
Other ones we have is Cyber Berkut.
This was a pro-Russian cyber hactivist group.
And they've mainly focused on DDoS and leaks.
Became sort of to the world, and started doing attacks against some native websites in 2014.
And later in May they compromised the Ukrainian Central Election Commission.
And right before the polls were closing for their general election, they posted on their website that the Right Sector leader, Dmytro Yarosh, had won the election.
Was it 10 minutes before the polls closed.
There wasn't a way for them to actually change the elections or anything like that, because the actual voting was done on paper.
And it was hand counted.
So, no matter what.
But it still caused sort of a disruption within the Ukraine during the election.
When the CERT in the Ukraine investigated the breach, they discovered that the Sednit, which is another name for APT28 malware, which sort of was on their system.
So they've sort of pinned this breach on that threat.
A very active group.
Other targets by Cyber Berkut is in the American journalist David Satter.
He's a writes a lot of articles against-- sort of against Russian politics, and things like that.
He'd been basically banned from entering Russia.
And he was compromised.
And a couple of e-mails from his private account was published on Cyber Berkut's blog.
The way they leaked it was actually to selectively modify the e-mails.
They took extra care of changing it.
So it portrayed them as that he was behind a conspiracy against Russia.
So they changed the language slightly, just to, in a way of framing that he was trying to write a couple of articles that basically is creating a conspiracy against Russia, to sort of discredit this guy.
The phishing campaign they used to actually get compromise his credentials has been linked to the same phishing campaign that was used in the US election in 2016.
This is the phishing domain that was sent to David.
And this is the one that was reported as part of the DNC election.
And it sort of follows the same sort of TTP that's being used by APT28.
So more hacktivist groups [INAUDIBLE] APT28 include the CyberCaliphate.
So these guys appeared in January 2015.
And they claim to be affiliated with the Islamic State.
So notable hacks that they were involved in were the United States Central Command Twitter on TV5Monde.
So in the case of the United States Central Command at CENTCOM Twitter, the managed to hack in, and they started posting sort of pro-Islamic State pictures, and saying that the Pentagon networks had been hacked.
And sort of to back this up, they'd also put on PS BIN dumps of information that had been supposedly stolen from the Pentagon.
So for TV5Monde, what they meant to do was they managed to take down about 12 channels for about half a day, where they were not able to broadcast.
Also, their website was defaced, and social video was taken over.
So when French authorities had investigated the TV5 hack, along with FireEye, they linked out to APT28.
Another group that appeared around the some time was the Yemen Cyber Army.
They pretended to be a Houthi rebel aligned group.
So they'd done a few hacks, many on the Al-Hayat news agency, which is a London-based Arab news agency, usually quite sort of liberal leaning politics on the Saudi Ministry of Foreign Affairs.
So naturally, or initially, it was attributed to Iran, since they have close ties to the Houthis, and supply them and all.
But when Kaspersky researchers looked in it, they found that it was probably more likely APT28 had done it.
And so reasons that they'd done that was parallel targeting.
So around that time in 2015, the Russians were accusing Saudi Arabia of depressing oil prices in order to tank the Russian economy, that's highly reliant on selling energy resources to the West.
And also at that same time, Russia had targeted the Saudi embassy in Kiev.
So there was the same motive there to attack them for this group.
Infrastructure that was being used by the Yemen Cyber Army was also in the same [INAUDIBLE] that APT28 infrastructure was on.
And then finally, Kaspersky think, because they were using Yandex registrars-- so Yandex e-mails to registered domains-- that was APT28, because that's a common tactic that they use.
I'm not too certain myself about the Yandex registrar, because even I register emails to the Yandex.
It's very easy to do.
You don't need a mobile phone or anything.
You can just fill out a capture in Cyrillic.
And then you can have an account phone.
And so it's not just APT28 that has made sort of these hacktivist groups that cover up their attacks.
In March 20th, 2013, there was tens of thousands of computers in South Korea have been hit with destructive malware.
And also, popular news and media sites had been defaced.
These attacks were claimed by two previously on the one hacktivist groups, have been the NewRomanic Cyber Army Team, and the WHOIS team.
And when analysis beyond it, they finally attributed North Korea.
So in the case of the NewRomanic Cyber Army Team, they sort of pretended to be this agent Roman-themed group, the activists.
And this is mainly because of sort of terminology that they use, and also the name.
They mainly used two words, and [INAUDIBLE] not being principes, which is sort of Latin [INAUDIBLE] word for veterans or leading citizens.
Hastati-- the spearman.
So what I find quite interesting is a lot of researchers picked up on the pro-Roman themes.
But I vehemently doubt that in North Korea their libraries are stuffed with books full of Roman history.
So where I actually think that they just pulled this sort of hacktivist group out from was from I think they were actually fans of the video game Rome: Total War.
Because the names of hastadi and principes, they're two of the earliest units that you can get in the game playing as the Romans.
So it is quite interesting to see that even in sort of secluded countries, North Korea, that people sort of have access to Western games, and they apparently play Western games.
So for the other group, the WHOIS Team, they defaced the website of LGU+, which is the telecommunications wing of the LG Company.
And they defaced the Nocut News website.
So the wipers that they deployed on the target systems, they found that it was pretty much the same wiper that had been used by the NewRomanic Cyber Army Team, just with a few different functions and strengths put in it [INAUDIBLE].
One other way of sort of putting blame on another entity is by using code that's similar to previous sort of attacks.
One sort of infamous one that's pretty recent is the Olympic Destroyer.
It's still not certain of who was behind it.
The Olympic Destroyer, it actually consisted of three different parts.
So there was a worm that traversed the network, and it dropped a system credential stealer, a browser credential stealer, and a wiper.
The way it ran, sort of create, grab all the credentials on the machine, patched itself the binary, and sent off so it can use those credentials to migrate further down in the network.
And then the timer was set off for the wiper to wipe the machine.
Essentially it's set up to destroy as much as possible.
And when you looked at the different samples, there was some code similar that was sort of found within them.
One of them is shown on the screen.
This had actually some overlap with APT10.
The function that was picked up is part of generating the AES key.
And for sort of the knowledge at this point is this piece of code is unique to APT10.
That snippet of code hasn't been found in any other samples that hasn't been related to APT10 so far in any sort of datasets that's been looked into.
The other part is McAfee named the one of the part of the samples to for brave prints.
But the other one, BBus, which is APT12, is another Chinese threat group.
And it was some small code reused found in that, the overlap between those two samples.
The system stealer actually had a similar code to one of the modules that was used by APT3.
It's very simple.
And it's basically taken directly from Mimikatz.
So this is less controversial.
It's more common, in a sense given that Mimikatz is an open source project, and anyone can take it and incorporate and tweak it for himself.
On top of that, Olympic Destroyer also used the similar techniques that Bad Rabbit and NotPetya used, which kind of is pushing sort of to shift the blame over to Russia.
It's using the same technique for deleting the logs and backups as part of the wiper module.
Also, it was picked up, the file name also matched the sort of similar file name that was used in the Bangladesh SWIFT attack that was done by the Lazarus group, linking it to North Korea.
The module itself is very similar to other wipers used by Lazarus.
And it also used to submit same technique that a lot of the North Korean malware does, where it would encrypt its actual payload.
And the decryption key is passed in as a command line argument.
Different here was because it was traversing the network, that key was hard coded in it, in the malware.
So it was kind of easy to find.
But otherwise, it was similar.
Very international malware.
So for the Vault 7-- We'll take questions after.
For the Vault 7 leaked onto Wikileaks, it a [INAUDIBLE] of a team called the Umbrage team within the CIA.
And so the Umbrage team's task was to take techniques and code from sort of known or public malware, incorporate them into the CIA's own arsenal.
So they've done this mainly for two reasons-- one to reduce costs of developing malware, but also to sort of place false flags in the other direction so that it doesn't look like the CIA.
So notable examples of that is they took the persistence method from the HiKit rootkit, the disk wiping module from Shamoon, to the sandboxing techniques from both Upclicker, and then Nuclear Exploit Pack.
And then they also took a webcam capture code from the DarkComet RAT.
In addition to code similarity, other places where you can find sort of similarity is using looking at the infrastructure.
When you're compiling code with Microsoft's Visual Studio, it inserts a header that's, let's call it a Rich header.
This header is undocumented.
And the reason why it's called a Rich header is because it appends.
It has the sort of keyword "Rich" at the end of the header.
It sits right after the DOS stub.
And it's put there by the linker.
And it sort of functions as a fingerprint of the infrastructure that was used to build this binary.
It will include a number of source codes, number of source files, and break it apart based on the language, and also give you the build version of the Visual Studio that was used.
Here's an example of sort of reverse-engineered value, since these are not actually documented by Microsoft.
But in this example, it will tell you that the source code was compiled.
And it was 10 source files that was written in C++, and one assembly code.
Going back to Olympic Destroyer, Kaspersky noticed that the Rich header that the Olympic Destroyer had matched exactly with a-- matched 100% with a sample from the malware Blue North [INAUDIBLE],, which is a Lazarus malware.
The only way this could happened is the either it was copied and just patched into the binary, or they used exactly the same version of the Visual Studio.
And they had exactly the same sort of code layout, with the same amount of source files, which is highly unlikely.
So an interesting example is in an APT28 phishing campaign, this email was sent by APT28 to a Polish government member, and pretended to be from a political observer within the United Nations.
The email was sent from an IP address that was owned by the VPN service IPVarnish.
So the link that was in the email, Eurasia Global News, that downloaded the Sednit backdoor and APT28 back door.
At the same time, there was also WorldMilitaryNews.org on CMIP, which also delivered Sednit.
But what's very interesting is almost exactly a year later, pointing towards this IP address was a domain called oscpd.com.
And so this domain was actually being used by APT33 as a NanoCore C2.
APT33 is an Iranian hacking group.
So we have a very odd situation where there is one IP address being possibly used by two different nation state hacking groups.
So information on it.
It pointed towards it in 2016.
And the last update to it was with its name servers.
Its two name servers used to be on same OVH IP.
But the very, very last update before it was [INAUDIBLE] was pointed towards the certain host control [INAUDIBLE]..
So we don't actually know whether this was done as a false flag, if it was pointing towards there to sort of put the blame on someone else, or if there was actually collaboration involved.
But the information's out there anyway as to what exactly this was.
Sort of the takeaway is you want to get to take home from this is so I have a skeptical view, too, when someone is trying to put the attribution.
And when you're trying to do this, try not to confirm a confirmation bias of this is probably this country or threat actor, because that's the most likely one.
Also remember, attribution is really, really hard.
I say that.
I really mean it.
Because you never have the full picture.
So, when you're in there looking for it, watch out.
There's very easy to put in some forgeable artifacts into these samples.
Also, sort of open to other stories of who might be behind it.
So keep in mind who else might be targeting this and why they might be doing it.
And then evaluate the findings.
And that will conclude.
And I think we have a question over there.
[APPLAUSE] Yeah I'm just curious.
So code reuse is for expediency is [INAUDIBLE] right [INAUDIBLE].
And if it's working, why not use it?
It's keep working.
Do you have a sense of-- I've done that myself [INAUDIBLE] exploit code that's out there that mostly works.
Somebody else has done 99% of the work.
I changed a couple lines of code.
[INAUDIBLE] So do you have a sense of how often code reuse from different, potentially different organizations is actually just reduced to the purpose of expedient versus trying to create a false flag?
Do you create a new-- Have you ever seen it where it's like, oh, this is definitely not code reusable flag.
I don't know how often.
I personally haven't looked into, so I wouldn't be able to give it.
But that's kind of why it's never really a black and white answer to that.
You have to evaluate.
And it kind of comes down with attribution in general, just because it is snippet of code, and this has been previously.
You have to really take a look at it, and actually see, does it actually fit.
I think it's more of an art to it than a science, unfortunately.
Because it is easy to forge.
You know, you can never be 100% certain.
Like I said, with the Umbrage team and CIA, there still are two main reasons to it.
There's one to reduce costs.
One's passing for false flags.
What ratio they're in, hard to tell.
When you're talking about the Rich-- The Rich header?
The Rich header.
So with digital, post video, and I'm pretty sure a lot of other [INAUDIBLE] programs or cloning programs, do you see, or do you foresee within your practice any change or variation based upon what OS because of reporting or anything like that?
Like so VS code on my Linux box versus VS code on a standard-- So it's for a Visual Studio, which wouldn't run on Linux.
Are you sure?
Or is it just the VS code the editor?
[INAUDIBLE] The difference with Visual Studio [INAUDIBLE] compiles in the [INAUDIBLE] as well.
So [INAUDIBLE] OS.
It puts a lot.
And it, I mean, it's an undocumented [INAUDIBLE]..
[INAUDIBLE] But you can go and remove it.
I think the way Kaspersky found another sample that was compiled pretty late afterwards.
It seems like the attack didn't go as planned.
So the threat actor went back, modified the code, and basically pushed it out and forgot to change the Rich header.
So they got another one with actually the original header.
It's kind of how they linked it all together [INAUDIBLE]..
I got a question nevertheless.
So what he said, that I think it's expected that [INAUDIBLE] give advices.
But I think there's more of a recommendation for [INAUDIBLE]..
But what do you think of the knowledge of Volkswagen, and OIs of that, or OI to make have a confirmation bias for private sector?
For example, in my mind, maybe this is my opinion that nation state tend to do more [INAUDIBLE] crime groups.
Is that a true thing, or do you think that it's like half and half?
And also the [INAUDIBLE].
So you're saying that there is another group that we didn't bring, that we haven't actually brought up as an example, was the Neutron team, which is it's not been linked to a APT group, was Wild Neutron I think is what they were called.
And they seem to be more like a group for hire.
But they're pretty big at the false flagging.
It takes some skill to do it.
And sort of you have to put the effort in to do it.
And the one that really have something behind it is usually a nation state, because I think that they are the one that will be more inclined to do it, because you kind of want to cover up who's behind it, where a financial motivated threat actor may not care so much of to know who's behind it.
They're just after what they're after.
Yeah, because I work for a private sector.
So for example, the Samsung group, right?
Because they [INAUDIBLE] Volkswagen.
So they-- it's us.
[INTERPOSING VOICES] I think you brought up an interesting point about a confirmation bias.
I think we're out of time, and I think they want us to wrap up.
So if there's any more questions, find us outside, and we can have a chat there.