The only obvious countermove to this problem is to try putting investigators off the trail by going after targets that aren’t really of interest. But that causes its own issues—raising the volume of activity vastly increases the chances of getting caught—which raises a Catch-22 dilemma for the hackers.
The fingerprints left by the attackers were enough to eventually convince Israeli and American investigators that the Chinese group, not Iran, was responsible. The same hacking group has prior form, having used similar deceptive tactics before. In fact, it may even have hacked the Iranian government itself in 2019, adding an extra layer to the deception.
It is the first example of a large-scale Chinese hack against Israel, and comes in the wake of a set of multi-billion dollar Chinese investments into the Israeli tech industry. They were made as part of Beijing’s Belt and Road Initiative, an economic strategy meant to rapidly expand Chinese influence and reach clear across Eurasia to the Atlantic Ocean. The United States warned against the investments on the grounds that they would be a security threat. The Chinese Embassy in Washington D.C. did not immediately respond to a request for comment.
Misdirection and misattribution
UNC215’s attack on Israel was not particularly sophisticated or successful, but it shows how important attribution—and misattribution—can be in cyberespionage campaigns. Not only does it provide a potential scapegoat for the attack, but it also provides diplomatic cover for the attackers: When confronted with evidence of espionage, Chinese officials regularly attempt to undermine such accusations by arguing that it is difficult or even sometimes impossible to trace hackers.
And the attempt to misdirect investigators raises an even bigger question: How often do false flag attempts fool investigators and victims? Not that often, says Hultquist.
“It’s still fairly rare to see this,” he says. “The thing about these deception efforts is if you look at the incident through a narrow aperture, it can be very effective.”
“It’s very hard to keep the deception going over multiple operations.”
John Hultquist, FireEye
An individual attack may be successfully misattributed, but over the course of many attacks it becomes harder and harder to maintain the charade. That’s the case for the Chinese hackers targeting Israel throughout 2019 and 2020.
“But once you start tying it to other incidents, the deception loses its effectiveness,” Hultquist explains. “It’s very hard to keep the deception going over multiple operations.”
The best known attempt at misattribution in cyberspace was a Russian cyberattack against the 2018 Winter Olympics opening ceremony in South Korea. Dubbed Olympic Destroyer, the Russians attempted to leave clues pointing to North Korean and Chinese hackers—with contradictory evidence seemingly designed to prevent investigators from ever being able to come to any clear conclusion.
“Olympic Destroyer is an amazing example of false flags and attribution nightmare,” Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, tweeted at the time.
Eventually researchers and governments did definitively pin the blame for that incident on the Russian government, and last year the United States indicted six Russian intelligence officers for the attack.
Those North Korean hackers who were initially suspected in the Olympic Destroyer hack have themselves dropped false flags during their own operations. But they were also ultimately caught and identified by both private sector researchers and the United States government who indicted three North Korean hackers earlier this year.
“There’s always been a misperception that attribution is more impossible than it is,” says Hultiquist. “We always thought false flags would enter the conversation and ruin our entire argument that attribution is possible. But we’re not there yet. These are still detectable attempts to disrupt attribution. We are still catching this. They haven’t crossed the line yet.”
