
Chinese hackers disguise themselves as Iran to attack Israel


The only obvious answer to this problem is to throw investigators off the trail by pursuing targets that are not really of interest. But this brings its own problems: increasing the volume of activity greatly increases the chances of being caught.

The fingerprints left by the attackers were enough to ultimately convince Israeli and American investigators of the culpability of the Chinese group, not Iran. The same hacker group has used similar deception tactics in the past. In fact, it could even have hacked into the Iranian government itself in 2019, adding an extra layer to the deception.

This is the first example of a large-scale Chinese hack against Israel, following a multitude of multibillion-dollar Chinese investments in the Israeli tech industry. They were made as part of Beijing's Belt and Road Initiative, an economic strategy designed to rapidly expand China’s influence across Eurasia to the Atlantic Ocean. The United States has warned against the investments on the grounds that they pose a security threat.

Misdirection and misattribution

The UNC215 deception against Israel has not been particularly sophisticated or successful, but it shows how important attribution, and misattribution, can be in cyber espionage campaigns. Misattribution offers not only a potential scapegoat for an attack but also diplomatic cover for the attackers: faced with evidence of espionage, Chinese officials regularly state that hackers are difficult or even impossible to track down. When approached for comment, a representative from the Chinese Embassy in Washington DC said the country “strongly opposes and fights against all forms of cyber attacks.”

And the attempt to mislead investigators raises an even bigger question: How often do false flag attempts mislead investigators and victims? “Not that often,” says Hultquist.

“The point of these deception attempts is that if you look at an incident through a narrow opening, it can be very effective,” he says. But even if an individual attack is successfully misattributed, over the course of many attacks it becomes more and more difficult to maintain the charade. This is the case with the Chinese hackers targeting Israel during 2019 and 2020.

“It is very difficult to keep cheating on multiple transactions.”

John Hultquist, FireEye

“Once you start linking this to other incidents, the deception loses its effectiveness,” explains Hultquist. “It is very difficult to keep cheating on multiple transactions.”

The most famous misattribution attempt in cyberspace was the Russian cyber attack on the opening ceremony of the 2018 Winter Olympics in South Korea, dubbed Olympic Destroyer. The Russians attempted to leave evidence pointing to North Korean and Chinese hackers, with conflicting evidence that appeared to be designed to prevent investigators from ever reaching any definitive conclusion.

“Olympic Destroyer is a great example of false flags and attribution nightmares,” Costin Raiu, director of global research and analysis at Kaspersky Lab, tweeted at the time.

In the end, researchers and governments blamed the incident on the Russian government, and last year the United States indicted six Russian intelligence officers for the attack.

The North Korean hackers who were initially suspected in the Olympic Destroyer attack have themselves dropped false flags during their operations. But they were ultimately caught and identified by both private sector researchers and the US government, which indicted three North Korean hackers earlier this year.

“There has always been a misconception that attribution is less possible than it really is,” Hultquist says. “We always thought that false flags would enter the conversation and destroy our whole argument that attribution is possible. But we haven’t reached the goal yet. These are still notable attempts to disrupt attribution. We’re still catching it. They haven’t crossed the line yet.”


