Chinese hackers disguised themselves as Iran to target Israel


The only obvious answer to this problem is to try to throw investigators off the trail by going after targets that aren’t really of interest. But that causes its own problems: increasing the volume of activity greatly increases the chances of being caught, which leaves hackers in a Catch-22.

The fingerprints left by the attackers were enough to eventually convince Israeli and American investigators that the Chinese group was responsible, not Iran. The same hacking group has form, having previously used similar deception tactics. In fact, it may have even hacked the Iranian government itself in 2019, adding an extra layer of deception.

This is the first example of large-scale Chinese hacking against Israel, and it comes after a set of Chinese investments worth billions of dollars in the Israeli technology industry. They were made as part of Beijing’s Belt and Road Initiative, an economic strategy designed to quickly expand Chinese influence and reach clear across Eurasia to the Atlantic Ocean. The United States has warned against the investments on the grounds that they would pose a security threat. The Chinese embassy in Washington DC did not immediately respond to a request for comment.

Misconception and misalignment

The UNC215 attack on Israel was not particularly sophisticated or successful, but it shows how important attribution – and misattribution – can be in cyber espionage campaigns. Not only does misattribution provide a potential scapegoat for the attack, but it also provides diplomatic cover for the attackers: when confronted with evidence of espionage, Chinese officials regularly try to undermine such accusations by claiming that it is difficult or even impossible to track down hackers.

And the attempt to misdirect investigators raises an even bigger question: How often do false flag attempts deceive investigators and victims? Not so often, says Hultquist.

“It’s still rare to see this,” he says. “The thing about these fraud attempts is if you look at the incident through a narrow opening, it can be very effective.”

“It’s very difficult to keep cheating in multiple surgeries.”

John Hultquist, FireEye

An individual attack can be successfully misattributed, but over many attacks it becomes increasingly difficult to maintain the charade. This was the case with the Chinese hackers targeting Israel during 2019 and 2020.

“But when you start linking it to other incidents, the deception loses effectiveness,” Hultquist explains. “It’s very difficult to keep cheating in multiple surgeries.”

The most famous attempt at misattribution in cyberspace was a Russian cyberattack against the opening ceremony of the 2018 Winter Olympics in South Korea. In the attack, dubbed Olympic Destroyer, the Russians tried to leave clues pointing to North Korean and Chinese hackers, with contradictory evidence seemingly designed to prevent investigators from ever reaching any clear conclusion.

“Olympic Destroyer is an amazing example of fake flags and a sea of attribution,” Costin Raiu, director of the global research and analysis team at Kaspersky Lab, tweeted at the time.

In the end, researchers and governments definitively placed the blame for the incident on the Russian government, and last year the United States accused six Russian intelligence officers of the attack.

The North Korean hackers who were originally suspected in the Olympic Destroyer hack have themselves dropped false flags during their own operations. But in the end, they were caught and identified by researchers from the private sector, and the United States government accused three North Korean hackers earlier this year.

“There’s always been a misconception that attributing is more impossible than it is,” Hultquist says. “We always thought that false flags would enter the conversation and spoil our whole argument that attribution is possible. But we haven’t arrived yet. These are still noticeable attempts to undermine attribution. We’re still catching this. They have not yet crossed the border.”
