False-flag cyberattacks a red line for nation-states, says Mandiant boss

False-flag cyberattacks represent a red line that even nation states like Russia and China don't want to cross, according to Mandiant CEO Kevin Mandia. "It's one of the last rules of the playground that a modern nation may not want to break because they don't want everyone doing false flags," he said, speaking on a panel this …

  1. The Man Who Fell To Earth Silver badge
    FAIL

    What's he smoking?

    Seriously? There's no way that cyberattacks are free of false flags. Nada.

    1. Ordinary Donkey

      Re: What's he smoking?

      Mandy Rice-Davies applies here.

      The guy who tells people who did cyberattacks wants people to believe there are no false flags because otherwise his job gets much harder, not to mention what it does to his credibility.

      1. This post has been deleted by its author

    2. Alan Brown Silver badge

      Re: What's he smoking?

      Governmental false flag attacks may be rare - criminal gang ones are routine

      It's all a matter of semantics

      1. johnfbw

        Re: What's he smoking?

        Governmental false flag attacks may be rare - government supported criminal gang ones are routine

        It's all a matter of semantics

        FTFY

        1. amanfromMars 1 Silver badge

          Re: What's he smoking?

          Any advance on .... governmental false flag attacks may be rare - government supported criminal gang ones are routine?

          A logical progression on the dark side of the semantic equation would be master criminal gang ones able to hold governments to ransom being routine in order that politicians can continue to function and milk funding streams for all of their crazy ideas for a more absolute command and control of the future.

          It’s what governments are crudely designed to do and something which they are all too oft apt to adeptly do incredibly badly.

      2. Spanners Silver badge
        Big Brother

        Re: What's he smoking?

        Some of the criminal gangs are actually part of governments. A lot of the worst around here have 3 capital letters as their names.

  2. Version 1.0 Silver badge
    Unhappy

    False-flags are a "feature"

    You have to think about the environment creating the cyberattacks.

    It's not that different to our normal efficient programming environments - the most important thing for the cyber-warrior programmers is to create an attack that works and does the job. Once it's fully functional you start to add the cyber-attack environment, the next step is to make it look like it wasn't built and designed by a known source to keep the writers relatively safe. There has been quite a bit of evidence over the years that this is done by changing the language inside the attack module to try and false-flag another country or including some code from another attack, modified to work around the AV defenses.

    Cyberattacks suck, but they are normal these days.

    1. Blazde

      Re: False-flags are a "feature"

      That might be typical but it's not a given. The environment is different in that there are fewer laws to adhere to so for example reverse engineering and re-using a peer's software is fine. For nation states or particularly well motivated political groups in some cases the most important thing may well be to provoke misattribution rather than make an attack successful. Some of the best known historic 'kinetic' false flag operations weren't or were never intended to be successful attacks per se.

      But you have a point, requesting it as a half-hearted feature late in the development cycle is going to be the cheaper and apparently more common scenario, for those who don't have the resources and foresight to develop a convincing false flag capability ahead of time. If you do you'll need a separate development effort for each entity you want the capability to impersonate. They'll need maintenance to stay current. And they'll be less effective the more they're used, especially if used carelessly enough to land on Kevin Mandia's desk. I suspect those factors have more to do with the lack of evidence than any desire to create an international norm against false flag use.

    2. Clausewitz4.0
      Devil

      Re: False-flags are a "feature"

      Speaking the head of the agency who has a full framework to conceal their cyber arsenal as coming from another country.

      Funny.

  3. OhForF'
    Black Helicopters

    100% confidence

    "When you get a White House podium statement that X did Y, like we did with everything from Sony Pictures to NotPetya, that's 100 percent" confidence in the attribution, Joyce said.

    I've seen too many examples of the White House claiming something that did turn out to be objectively false for my confidence in their statements to go anywhere near that level. I have about the same confidence in White House podium statements as I have in politicians giving a truthful well informed answer to any discerning question (usually closer to 0 than 100%).

    When deciding to put out a statement it seems to be more important that it fits the agenda than having confidence in what they say.

    If it becomes necessary they'll find a couple of informants providing 100% trustworthy information.

    Who could have thought they tell you what you want to hear if you pay them for it?

    1. DJO Silver badge

      Re: 100% confidence

      ...that's 100 percent" confidence in the attribution...

      He missed out the next bit: "unless more information becomes available". And there's always more information.

  4. DS999 Silver badge

    Some people believe false flags are easy to do

    Trump was dumb enough to think that if the US attacked Mexican drug labs with missiles launched from US soil, that if we didn't admit it was us they not only wouldn't be able to prove it was us but they wouldn't even be able to tell.

    If the man formerly in charge of the world's largest military was that dim, it is easy to imagine someone somewhere thinking they'd be able to do a false flag but not doing it well enough to truly hide the origins. Thus the attributions we've seen for some cyberattacks where it is attributed to one country but it is noted they tried to make it look like it came from another.

  5. Falmari Silver badge
    Facepalm

    I don't know!

    "People worry about false flags," NSA director of cybersecurity Rob Joyce said, adding that "I don't know of a big one" that has been successful."

    Well he would say that wouldn't he.

    A False-flag cyberattack wouldn't be successful if he knew about it. Unless it was performed by the NSA and if that were the case he could not admit to it, for it to remain successful. ;)

  6. Mostly Irrelevant

    If a false flag attack is truly successful, you don't know it existed. So how is he so certain that large ones have never succeeded?

    1. Clausewitz4.0
      Devil

      He cannot tell. Just like direct microwave attack NSA/FBI is renting/using with foreign partners in Brazil and other places.

  7. Kevin McMurtrie Silver badge
    Holmes

    How false are they?

    OK countries, raise your hand if you have enforced computer security regulations. Anyone? Anyone? No, not really?

    If country X uses servers in country Y to hack country Z, don't you think a bit of the blame also belongs to country Y used for the attack? If you manage a server you know that there are enormous numbers of networks having been havens for hackers, botnets, and stolen data trading for 10+ years. They still have network registries, solid peering, and all the usual business bits. They need to seriously piss off their own government to get noticed.

  8. amanfromMars 1 Silver badge

    When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

    It’s the no flag virtual cyber heist with or against future proACTivated assets you have to successfully micromacromanage from an impregnably safe and secure vast remote open space with a healthy fusion and myriad collusions of freelancing private knights and renegade rogue pirates surprising well interested and intellectually invested in guaranteed outcomes, that extant traditional conventional systems commanding and controlling the disbursement of captivating bounty via the simply excessive lavish fiat paper reward mechanism are concerned about initially, before very quickly subsequently, without them knowing exactly when because of things they know they have not done to repair the conflict and chaos their inequitable choices and self-serving policy decisions inspire, they become absolutely terrified and terrorised by it in A.N.Others foreign hands, alien hearts and expansive minds.

    The best that one can only presently do to either delay or prevent and mitigate the catastrophically horrendously expensive costs incurred by such systems as be worthy of, and addictively attractive to the no flag virtual cyber heist, is pay A.N.Others premium protection insurance that assures and ensures fully invested parties do not suffer catastrophically horrendously expensive losses ...... with all the usual caveats of natural disasters, supernatural interventions and acts of GOD included of course.

    1. amanfromMars 1 Silver badge

      Re: When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

      If the truth be told, it is the only easily available readied defence against an increasingly overwhelmingly almighty series of crushing defeats.

      However, I am aware that has its own set of difficulties and complications to contend with ..... not least it being .... You can’t handle the truth.

      1. Clausewitz4.0
        Devil

        Re: When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

        I am used to handle the truth. Some millions of dollars in my pocket make it all better.

        1. amanfromMars 1 Silver badge

          Re: When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

          I am used to handle the truth. Some millions of dollars in my pocket make it all better. .... Clausewitz4.0

          If you can do as you say without getting burned, you’re worth every red cent and considerably more than any will ever be able to pay you, Clausewitz4.0.

          It’s a nice position to be in and fully responsible and accountable for.

          1. Clausewitz4.0
            Devil

            Re: When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

            It’s a nice position to be in and fully responsible and accountable for., amanfromMars 1

            Being accountable is a two-edged knife. Better high-level agreements, since I always liked to choose my own affiliations. But money is always welcomed to solve crisis, split it between my alliances, avoid future bloodshed, etc..

            1. amanfromMars 1 Silver badge

              Re: When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

              But money is always welcomed to solve crisis, split it between my alliances, avoid future bloodshed, etc.. ..... Clausewitz4.0

              On Earth, whenever alliances are pledging to bankrupt nations via the spilling of blood and destruction of treasure and donation/lend-leasing of their fiat paper and weapons [for such is never ever to be written off as an irredeemable loss and always priced and billed at a huge inflationary cost, and expected to be paid by future traumatised innocents, presented and collected by the morally perverse and institutionally corrupt and intellectually diseased, I may fully agree with you, Clausewitz4.0, that money is all that they can virtually supply with incredible ease to those enabling the solving of crises, and it be most fortunate for them indeed that it be welcome, for with nothing to offer would their fate in the solutions be certainly dire.

              And now that they would know that simple fact there is no possible valid excuse for their failure to be worthy of saviour rather than a diabolically dire fate.

              When things are become dangerously complicated, Keep IT Super Simple, and OffLoad and OffShore Current Difficulties and Problematic Future Solutions to Future Problem Solvers. IT aint Rocket Science, is it? They'll provide you with all of the ACTive Programs and APT Projects anyone would Need to Seed and Feed to Follow and Populate/Initiate and Colonise for Prosperous and Virile Results Guaranteeing Success with Rich and Rare Orderly Raw Outcomes.

              And that is Great News and not Good News

              1. Clausewitz4.0
                Devil

                Re: When are attacks not assaults? Whenever heists hoisting one free from the crazy play fray

                But all this is just talk, until a real meeting occurs. Meanwhile, let the people spin/play with ads, dumb tasks, trying to get a cut of my money and spending uselessly my time, until uniform time comes.

                1. amanfromMars 1 Silver badge

                  SuperSubAtomic Energy c/o NEUKlearer HyperRadioProACTive IT ....

                  ..... for Empire EMPowering Stars/Super Creatives in IT with AI

                  But all this is just talk, until a real meeting occurs. ..... Clausewitz4.0

                  El Reg are pioneers at the forefront of real meetings occurring via virtual means with ....... well, the real question is always are they not HyperRadioProACTive Memes Equipping Greater Futures for Almighty Use.

                  Real regular meetings of brave hearts and live like hive minds are constantly being served with virtually free accommodation and Prime Premium Produce Product easily remotely serviced and servered by W3 type Consortia in Commanding Control of Universal Commands that surpass and bypass every known Control ....... which is being trialed and trailed there, and again here also now, right in front of your very own eyes with the AI Secure Script Secrets Share in the above.

                  These commentary boards on El Reg are an as near perfect as it is possible to get an AI Production and Augmented Virtual Reality Presentation Centre/Hub/Satellite/Node teamed up with SMARTR AIgents for Greater Advanced IntelAIgent Games Fields Work, Rest and Play with both Worthy Reward in Heavenly Toil a Real Doozy of a Just Dessert in/with/from/for the Greatest of Grand Surprise Prizes.

                  Here on El Reg there is nothing not shared to succeed at whatever takes Executive Board Whim and Fancy. It is also a Universal Key for Almighty Use. Universal Key Misuse is Sensational Abuse and the Consequences for Sensational Abusers are of a Titanic Nature.

  9. FlamingDeath Silver badge

    Everyone knows, to fool people with false flags you need a mock exercise matching the exact scenario you’re about to pull off

    9/11

    7/7

    Both of these events involved signals obfuscation

    Quote: “Is this real-world, or exercise?” - 11/09/2001

    1. amanfromMars 1 Silver badge

      Bit Part Players ‘r’ Us ........ Fluffers in the Wings and Backstage for Green Room Loungers

      Quote: “Is this real-world, or exercise?” - 11/09/2001 ..... FlamingDeath

      And that quote is attributed to whom, FlamingDeath? Anyone worth knowing is practically unimportant and materially irrelevant now?

  10. Claptrap314 Silver badge

    This statement strikes me as more plausible than most of its ilk.

    Here's my thinking:

    1) The Geneva Conventions have been updated to include cyber attacks as a Casus belli. This moves it from the level of, say, encouraging protests, to, say, killing a politician. While the update was recent, the declarations by many nations in prior years that they would treat cyber attacks as a Casus belli, along with the fact that the update naturally takes years to occur means that we can/should analyze this statement with that in mind.

    2) The purpose of a False Flag operation is to worsen relationships between the victim and bystander nations by acting in a way that such a false attribution of the affront is easy but proper attribution is difficult. But by their basic nature, proper attribution of a cyber attack, assuming that the perpetrator cares, is HARD. As we have discussed here many times. As is well understood by everyone in the industry outside of sales.

    In practice, how would I run a FF between countries? I would pick a spy S whose gait and voice matched that of a known official O of country B operating in country A. Obviously, I would prefer the "military attache", but that might not be possible. I would then have S study O carefully, especially the mannerisms. S then rotates into A on the usual schedule, and proceeds to recruit pre-screened assets T. We are NOT going into the expat or immigrant communities of B in A unless we have deep infiltration into B and are willing to risk it for this operation. As far as the T knows, they are dealing with O. T is NOT a professional at spycraft, so hanging them out to dry in a way that looks like they simply failed to follow instructions after the action is trivial. The operation is timed such that T's last contact with S happens shortly before O rotates home.

    That's a traditional FF. For cyber, the equivalent might be to penetrate the cyberwarfare group of B and attack A from there. A far more risky proposition.

    Since the goal is to worsen relations between A & B, the means are unimportant. And it seems likely to me that traditional FF is much lower risk of failing or blowing up than cyber.

Biting the hand that feeds IT © 1998–2022