The only obvious counter-move to this problem is to try to throw investigators off the trail by also attacking targets of little interest. But that comes with its own problem: increasing the volume of activity dramatically increases the chances of getting caught, a Catch-22 for the hackers.
The fingerprints left by the attackers were enough to convince Israeli and American investigators that the Chinese group, and not Iran, was responsible. The same group has a track record here, having previously used similar deceptive tactics. In fact, it may even have hacked into the Iranian government itself in 2019, adding another layer to the deception.
This is the first known example of a large-scale Chinese hack against Israel, and it comes in the wake of a multibillion-dollar package of Chinese investments in the Israeli tech industry. Those investments were made as part of Beijing's Belt and Road Initiative, an economic strategy aimed at rapidly expanding Chinese influence across Eurasia and on to the Atlantic. The United States has warned against the investments on the grounds that they constitute a security threat. The Chinese Embassy in Washington DC did not immediately respond to a request for comment.
Misdirection and misattribution
The UNC215 attack on Israel was not particularly sophisticated or successful, but it shows how important attribution, and misattribution, can be in cyberespionage campaigns. Not only does a false flag provide a potential scapegoat for the attack, it also provides diplomatic cover for the attackers: when confronted with evidence of espionage, Chinese officials routinely deny the accusations by arguing that it is difficult, if not sometimes impossible, to identify hackers.
The attempt to mislead investigators raises a bigger question: how often do false flags actually fool investigators and victims? Not that often, says Hultquist.
“It’s still quite rare to see that,” he said. “The problem with these deception efforts is that if you look at the incident through a narrow opening, it can be very effective.”
An individual attack can be successfully misattributed, but over the course of many attacks it becomes more and more difficult to maintain the masquerade. That was the case with the Chinese hackers who targeted Israel in 2019 and 2020.
“But once you start to link it to other incidents, the deception loses its effectiveness,” says Hultquist. “It is very difficult to maintain the deception across several operations.”
The most famous false-flag attempt in cyberspace was the Russian cyberattack on the opening ceremony of the 2018 Winter Olympics in South Korea. Dubbed Olympic Destroyer, the attack was seeded with clues pointing to North Korean and Chinese hackers, conflicting evidence apparently designed to prevent investigators from ever drawing a clear conclusion.
“Olympic Destroyer is a stunning example of false flags and attribution nightmare,” Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, tweeted at the time.
In the end, researchers and governments definitively blamed the Russian government for the incident, and last year the United States indicted six Russian intelligence officers for the attack.
The North Korean hackers originally suspected in the Olympic Destroyer hack have themselves planted false flags during their own operations. But they too were eventually caught and identified, by both private-sector researchers and the United States government, which indicted three North Korean hackers earlier this year.
“There has always been a misconception that attribution is more impossible than it is,” says Hultquist. “We always thought that false flags would get into the conversation and ruin our whole argument that attribution is possible. But we are not there yet. These are still detectable attempts to disrupt attribution. We always catch this. They haven’t crossed the line yet.”