back to article How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever

Faking digital evidence during a cyber attack – planting a false flag – is simple if you know how, as noted infosec veteran Jake Williams told London's Black Hat Europe conference. Speaking to a packed room, Williams informed his rapt audience that it's straightforward to misdirect investigators trying to attribute a cyber …

  1. _LC_

    Don't we?

    > “Be on your guard and cross-reference your attribution attempts carefully against all the data points you have. You never know who's trying to fool you.”

    At this point, when it comes to the media and their daily claims – don't we?

    When the US forced their population into entering WW1, even though they were categorically against doing so, they came up with poop like this:

    - German soldiers were deliberately mutilating Belgian babies by cutting off their hands

    - or even eating them

    - Belgian women, often nuns, had their breasts cut off by the Germans

    And then:

    - Hamburgers were renamed into “liberty steaks”

    - Sauerkraut got renamed into “liberty cabbage”

    Sounds familiar?

    Unless you're four years old, you should have already seen those repetitions of the repetitions. It's not really that hard to figure out, who's pulling the strings. Hint: It's always the same *unts!

    1. Sgt_Oddball

      Re: Don't we?

      Apart from the Belgians had actually pretty much done that in the Congo but it was fine since that's black people in Africa...

      Yes, some stuff is made up but usually there's far worse crimes (like us Brits having an anti drug stance when 150 years ago we were the world's biggest drug pushers) that don't need to be made up.

      1. big_D Silver badge

        Re: Don't we?

        And the inventors of concentration camps in the second Anglo-Boer war...

    2. Suricou Raven

      Re: Don't we?

      Plus the Lusitania incident. Shipping vital munitions to Britain on a passenger ship, using the passengers as human shields. Put Germany in a very awkward situation: Either they ignore the Lusitania, thus allowing a safe means by which Britain can be resupplied by their officially-neutral ally America, or they classify the ship as a war supply and sink it, but in doing so have to kill a great many American civilians, thus giving the American government a justification they can use to convince their reluctant population to support a declaration of war. A lose-lose situation.

      Germany choose the latter.

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't we?

        I think the biggest single thing pushing the US public into WWI was not "Belgian Evil Acts" or the Lusitania, but a German letter that asked Mexico if they would go to war with the US on the German side - this during a time when there were frequent skirmishes and incursions by the US into Mexican territory chasing after people like Pancho Villa, so Mexico was rather ticked off by the US, and the US equally concerned about a major border war.

      2. Happytodiscuss

        Re: Don't we? Load the tubes we're going home boys

        In retrospect its clear that the Lusitania was carrying arms to Liverpool. It is unclear that the u-boat captain knew about the arms.

        It was clear, or at least the fog cleared on the last day of their time in the Irish Sea on that tour, and the Germans had been chasing other ships to sink when they came across the Lusitania, and fired the last of their torpedoes.

        Happy as clams, the u-boat exited the Irish Sea back to their home port on that day. That captain was later killed themselves I think.

        Arrogance, ignorance, and brutality to spare I would say, on both sides.

    3. Anonymous Coward
      Anonymous Coward

      Re: Don't we?

      Oh dear...

      - Hamburgers were renamed into “liberty steaks”

      - Sauerkraut got renamed into “liberty cabbage”

      What does that make Captain America then?

      1. Danny 2

        Re: Don't we?

        Gruppenführer Großgermanisches Reich? Gruppenführer Rogers?

  2. iron Silver badge

    I've been saying for years that attributing malware to a specific country on the basis of the language of comments or build timestamps is total crap. If I were writing a virus I'd set my clock to another TZ and sprinkle the code with comments and variable names in a language used in that TZ. You don't even need to deal with them during development, just change them before the final build.

    Of course a little truth gets in the way when you want to be first attribute the latest buzzword named threat to the current enemy du jour.

    1. Anonymous Coward
      Anonymous Coward

      So, when our MIC wants a war with, say, Iran, they simply create an attack that seems to come from Iran, and do it convincingly enough so that even some independent analysis says "yeah, likely Iran".

      Because that's so easy, and we know of more than one program designed to mask our own attacks on others. For example, the CIAs UMBRAGE.

      Just like other propaganda mentioned above, only the tools change. Sorry human nature, not so much.

      One begins to wonder how much of what we are told isn't some kind of falsehood, I'm beginning to suspect that things that aren't outright lies are instead spin, with the former taking more precedence of late.

      "Our mission will be complete when everything everyone believes is a lie"...

      Just relax and let your self-appointed betters decide on things. Thinking is *hard*.

      1. Blackjack Silver badge

        So... did they actually find those pesky nuclear weapons? (No, they didn't).

        Funny how people can find different meanings from the exact same text.

        1. Robert Carnegie Silver badge

          Which nuclear weapons? Do you mean the ones that weren't in Iraq, or the ones that weren't in Iran?

          Or do you mean chemical weapons from Iraq or from Syria or from Edinburgh Airport or...

      2. NetBlackOps

        I stopped wondering a long time ago. Then again, I draw my news from all over the planet.

      3. W.S.Gosset

        > One begins to wonder how much of what we are told isn't some kind of falsehood, I'm beginning to suspect that things that aren't outright lies are instead spin, with the former taking more precedence of late.

        After one particular shock in 2004, I started paying attention.

        A key finding over the last decade and a half: ANY time there's a Virtue Meme involved, you're being lied to. Without exception so far. Right down to things like modern pesticides nuking bees.

        Another: self-appointed elitism types edit HARD for plebs. Eg, I discovered on one of my Covid deep-dives that the Australian public service & medicos have been lying to the plebs for many many years about the Flu death rate. Insider documents are strongly different from pleb/public documents; Australia's 5yr average case fatality rate for Flu CFR (0.30%) is six (6) times our Covid Omicron CFR (0.0485%). Another: the UK's NHS lies about smoking vs lung cancer, eg quoting different years' rates for smoking vs lung cancer, because lung cancer's going the "wrong" way as smoking declines; eg, smoke a packet a day from 18 till 80 and you've got only a 1 in ~25 chance of lung cancer.

    2. Danny 2

      "If I were writing a virus I'd set my clock to another TZ and sprinkle the code with comments and variable names in a language used in that TZ."

      I saw Iron's first draft here:

      "Whenever I was writing a virus I'd set my clock to another TZ and sprinkle the code with comments and variable names in a language used in that TZ."

      And I doubt he is French despite his obvious mastery of the language.

    3. bombastic bob Silver badge
      Thumb Up

      any black-hat worth his hat color would assume a few things up front, and most likely know what info is being sent or left behind when malware strikes, and ALSO know what to modify in order to cover his own tracks.

      Otherwise he'd be laughed at for being such a "script kiddie". It kinda reminds me of the movie 'Hackers' when one of the n00b guys tries to impress his friends by cracking into "the Gibson", but he did it from his home phone, such that the call could be traced. And of course, it was. Anyway, it (somewhat humorously) illustrates the point that if you do something nefarious, you have to leave no breadcrumbs.

      Or, in consistency with the article, plant bread crumbs that lead authorities to the wrong place.

      (I'm a white hat hacker with a touch of grey - I'm not opposed to doing things that might be considered 'black hat' if it's for the right reasons)

  3. b0llchit Silver badge

    Pointing fingers and yelling

    Whenever you have a bunch of kids pointing fingers and yelling "he did it" and "she did it" you simply know to ignore all those messages. The kindergarten has evolved into a house of gray-aged kids pointing and yelling.

    Please tell me, society has moved on. Oh, sorry, I was being optimistic.

  4. Anonymous Coward
    Anonymous Coward

    What would this article be...

    without the mention of the CIA's Marble Framework?

    "The CIA's Marble Framework tool includes a variety of different algorithm with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation."

  5. Anonymous Coward
    Anonymous Coward

    So easy to pin it on anyone you [dis]like as well?

    1. Jimmy2Cows Silver badge

      I think that goes without saying for a false-flag attack.

      1. bombastic bob Silver badge

        false flag is as old as warfare. Stealthily attack your enemy, blame their OTHER enemy for it.

        Sun Tzu's book is full of stuff like this.

        As far as general deception goes, it's like "the art of warfare is deception".

        Being 12/7 (Pearl Harbor day for those who failed history, ha ha ha) I ought a leave a nice WW2 example of deception in warfare, of how prior to D day, General Patton was put in charge of a fake army complete with rubber tanks and jeeps, which were basically movie props, moved about by soldiers every day so that it would look like a real army to Nazi reconnaissance. They made it look as best as they could that they were going to invade at Pas de Calais, but it was really Normandy [which we all know from history class]. Anyway, this kind of thing is as old as warfare, too.

  6. Claptrap314 Silver badge

    This is news?

    Seriously? I mean, I get it that this stuff might not be part of the first day lecture on InfoSec 101, but surely it would be covered by the end of the second week!

    This sort of thing has been understood for decades.

    If the attack signature is that of a sophisticated actor, then start with the assumption that it is a state actor. Then ask yourself, "which state actors might have elements that want me to think that I'm being attacked by the apparent source of these attacks?" Proceed accordingly.

    1. RichardB

      Re: This is news?

    2. Anonymous Coward
      Anonymous Coward

      Re: This is news?

      "This sort of thing has been understood for decades".

      And it's been systematically ignored for decades, too.

      Even The Reg, intelligent and enlightened organ that it is, has been guilty of some pretty wicked headlines - at least.

      Just recently, there was "Google: We caught a Russian state hacker crew uploading badness to the Play Store"

      I wrote to The Reg's corrections email address to complain that the headline utterly perverts the content of the article. But nothing was changed. (It's one of the oldest tricks in the book to publish an article saying weakly, "So-and-so said X did something bad", and then headline it "Kremlin caught in the act murdering children").

      Just read the comments on the article I cite above, and see how many readers were (at least) unsure what to make of it.

      1. Pascal Monett Silver badge

        Um, confusing El Reg and the NSA is quite a leap to make. I'm not following you there.

        With El Reg, the headlines are to grab your attention. With the NSA, the headlines are to make you go home and lock yourself in.

        1. Anonymous Coward
          Anonymous Coward

          An important distinction

          "With El Reg, the headlines are to grab your attention".

          Which they usually do with admirable accuracy, elegance and humour.

          However, a respectable news publisher is obliged to make sure its headlines are not untrue - and do not deliberately imply untruths.

          Who brought the NSA into it, anyway? I didn't. I did assume that most readers would be aware that the US government and its agencies have prided themselves for decades on controlling what the media report - often actually writing every single word themselves, before getting a newspaper, magazine or broadcaster to publish it under some unfortunate hack's name.

          That's obviously not the case with the present article by Gareth Corfield, which is refreshingly honest and informative. So much so that it rather makes me concerned for his health, or at least his career prospects.

          Not so much with his previous piece, "Google: We caught a Russian state hacker crew uploading badness to the Play Store".

          1. Jellied Eel Silver badge

            Re: An important distinction

            Who brought the NSA into it, anyway?

            They're everywhere, and invite themselves. Allegedly.

            I didn't. I did assume that most readers would be aware that the US government and its agencies...

            Dig a little deeper than the MSM when it comes to detection and attribution. And state agencies may have different motivations. So suppose an attack actually originated in Ukraine, but was made to look like Russia. Ukraine doesn't exactly like Russia, and our agencies may decide to run with 'Russian Hackers' anway, because that's geopolitics. Same could happen with Iran, because they're unpopular in some places, or China. Years ago a lot of spam originated from China (not Hormel), but oddly advertised Western spam-slinger's products.. Because a lot of Chinese devices weren't very well secured & exploitable by Western spamvertisers.

            Problem with the MSM is they generally don't have any decent infosec reporters, so run with whatever they're told.. Especially if they have political motivations or biases of their own.

    3. a_yank_lurker

      Re: This is news?

      To those in the trenches, no. But to the rest, yes. Spoofing by various means is a well known technique to hide one's location or to trick someone to the experts and those who are very aware. But to the general public, they are blissfully ignorant. Even those who are aware may not realize how easy some of the techniques are to use and how difficult they are to trace back to the originator.

      1. Michael Wojcik Silver badge

        Re: This is news?

        Part of the point of Williams's talk was that many "in the trenches" do, in fact, fall for this easily-falsified evidence, and he gave specific examples.

        A good security researcher's threat model includes the vast array of psychological traps the human mind is prone to, including confirmation bias. Knowing those things exist is easy; it's much harder to compensate for them.

  7. vtcodger Silver badge

    The scariest line in the article

    "Policy and corporate leadership don't understand how easy it is to fake digital evidence,"

    Come to think of it, "policy and corporate leadership don't understand" seems to pretty much sum up the state of humanity in the early 21st century.

    (The one thing I don't understand is why ALL malware doesn't contain abundant clues leading to Langley and/or Ft Meade. It'd be easy enough to do. And entirely credible.)

    1. DCFusor

      Re: The scariest line in the article

      Oh yes, you bet they understand!

      They're just counting on us not understanding it...

      I love that "it has to be a state actor" as if pretty much every software advance that has occurred has been done by private entities.

      Most state projects would be failures if not backed by force and paid for by taxes or money printing.

      1. Claptrap314 Silver badge

        Re: The scariest line in the article

        Opportunity and motive have to coincide. While state actors might often fail to attract the best talent, their effectively limitless budgets provide an opportunity to execute on their desires to **** various populations as desired. And they desire.

  8. John Smith 19 Gold badge

    This is why I've never considered being a hacker.

    It's all the anticipation needed to avoid getting caught, and planting all that evidence to ensure someone else takes the wrap.

    It's just exhausting.

    But note to investigators.

    Trust nothing that you find on compromised network.

    It may be correctly recording what attackers have done.

    Or it could be a carefully managed mirage staged for your benefit.

  9. Anonymous Coward
    Anonymous Coward

    It's good its being said but it's always been pretty obvious that this was possible because at the end of the day it's a program and if they want it to look like it's from a different place then they just use the tools and settings someone from that place would use. Networking has always been open to spoofing since day dot.

    As I've said before I always look at stuff like that with a pinch of salt and use the balance of probability. Who would have most to gain by doing it versus who would have most to gain by moving the blame to someone else. So when someone for example blames Korea for hacking Sony I call bullshit though it was great timing for the film "the interview" which was released shortly after. I always found it odd that a country could get offended about a film they hadn't even seen yet.

    1. Chris G

      It seems to me that much of the time, when someone has been a naughty boy/girl/person online that correct attributions are not that important because they can be used as a political weapon, so when Badboy in France uses pointers that give the impression his work originated in North Korea, a lot of people are delighted that they can then use that to point fingers at the Norks even if they are innocent of the particular jaunt.

  10. MooJohn

    Prince Humperdinck?

    So all you have to do is plant a piece of fabric from a Guilder army uniform on Buttercup's horse and it'll allow Florin to declare war on them? Looks like The Princess Bride had this nailed 32 years ago!

  11. Anonymous Coward
    Anonymous Coward


    You know how in the horror movies they always have some frightened shmuck in a darkened room trying to figure out how to escape the monster? First they are wide-eyed staring in one direction while backing up in the reverse direction, then they hear a noise, jump, turn-around and start backing in the opposite direction, again, and again, and ...

    It sounds like individuals have settled on their favourite baddest of the bad guys, usually the ones they (think) they know best, and keep pointing into the dark - I see you CIA! I see you MI6!

    If you're sure, you're meat. That was Williams' message, right?

    Anyway, boo!

  12. Anonymous Coward
    Anonymous Coward

    "...crafty black hats from elsewhere..."

    Where "elsewhere" is your own country.

  13. Cynic_999

    It's too simpled to be anonymous

    Even an individual will not find it difficult to ensure that there are no clues as to the place a bit of malware originated, and is it just as easy to plant false clues as it is to provide no clues.

    Thus if there are any clues/evidence as to the origin, then it is far more likely than not that it is false clues or evidence, especially if the purpose is political and so likely to be a state actor rather than a private individual.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's too simpled to be anonymous





      If it's that simple to be anonymous, then why is PRIVACY impossible?


      If it's that simple to be anonymous, how come Google has built a billion dollar business in targeted ads?


      Sarcasm (if that's what it is) needs to be at least superficially plausible!

      1. bombastic bob Silver badge

        Re: It's too simpled to be anonymous

        agreed, being truly anonymous is difficult these days. we all have an IP address, and it doesn't change often even for dynamic providers... unless you're behind an ISP NAT, in which case the ISP would have to divulge which IP you're on.

        the tracking techniques employed within/by browsers and web servers have been mentioned in too many 'The Register' articles to count, more recently THIS one (using DNS to stealthily track you).

  14. Anonymous Coward

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like