False flags are a longstanding military deception strategy, originating in naval skirmishes where a ship's flag was concealed or replaced so the ship appeared to belong to someone else. The scenario is as follows: Country X uses tactics and equipment usually employed by Country Y to attack or provoke Country Z, so Country Y gets the blame and Country Z's attention is diverted from Country X, which gives Country X freedom of maneuver to act at another time or place. Engaging in combat dressed in a uniform other than your own country's is prohibited under the Hague Convention, but the concept of the false flag has been expanded to the scenario where Country X attacks or subdues its own citizens while posing as another country or group, motivated by the notion that a political cause will gain support from such an action.

CIA Proposes False Flag Plan in 1962

Operation Northwoods in 1962 was a plan created by the CIA in which the United States, imitating Cubans, was going to attack American interests in and around Cuba and even inside the United States. The goal was to raise popular support nationwide for military action against Cuba. Wisely, President Kennedy rejected the plan. False flags are a proactive strategy that is more than just propaganda or static displays (although those can be part of the ruse); they involve some overt act or behavior that causes damage to the enemy.

False Flag Attacks Resurface in Cyber Warfare and Information Operations

Until cyber warfare and information operations became a thing, false flags had largely fallen off the map, because sophisticated intelligence technology and human intelligence networks made them difficult, if not impossible, to pull off. In recent years, false flags have again become a choice for many hacking groups, whether associated with a nation-state or otherwise.

A false flag attack in the cyber domain is much easier to carry out than in the other domains. It is often hard to attribute attacks to specific nation-states or hacking entities in the first place, and when attackers deliberately adopt the common tactics, techniques, and procedures of another persistent threat actor in order to confuse the victim, attribution becomes a messy and volatile problem. Several false flag attacks in the past few years have received public attention. In 2019, the Russian cyber espionage group Turla masqueraded as Iranian state-sponsored hackers and infiltrated networks in over thirty countries. Not surprisingly, Turla first entered the Iranian group's own network to steal its tools for use. This case is the most visible in a string of similar false flags dating back several years. How is an operator of a false flag attack caught? In Turla's case, there were other incidents in which Turla had combined Iranian tools with its own bag of tricks. That, together with working backward from the lack of any plausible motive for Iran in most of these attacks, led investigators to believe that someone else may have been behind them.

Deception and Diversion Techniques Will Grow

Using false flag cyber attacks as a deception and diversion technique is not going away, given the difficulty of definitive attribution. In August, it was reported that a Chinese hacking group had also been imitating an Iranian threat actor for two years while targeting Israel. Threat intelligence and analysis of logical motivation will remain key to defeating this very real security problem.

Joe Jabara, JD, is the Director of the Hub for Cyber Education and Awareness, Wichita State University. He also serves as adjunct faculty at two other universities, teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command and leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.