Conducting a Successful False Flag Cyber Operation (Blame it on China)

Conference:  BlackHat EU 2019



The presentation discusses false flag operations in cyber attacks and how attackers use them to sow doubt and confusion about who is responsible. It also walks through techniques that can be applied at each phase of the kill chain to plant a false flag.
  • Attackers use false flag operations to sow doubt and confusion about attribution
  • Sowing doubt, rather than convincing anyone of a specific culprit, is often the primary goal of a false flag operation
  • False flag techniques can be applied at different phases of the kill chain, not just in the malware itself
  • Analysts attribute by mathematically clustering artifacts such as compile times; attackers can feed those clusters false signals by modifying compile times, and analysts can in turn spot the tampering by checking those timestamps for consistency
  • At the delivery phase, the choice of VPN and infrastructure providers can itself plant a false flag
  • OPSEC mistakes by the attacker can also expose a false flag as fake
The speaker also shares a personal anecdote about using SSH port forwarding and iptables to recover an engagement when Metasploit's route command fails mid-attack.


Cyber attribution is hard, really hard. But luckily for attackers, a new armchair analyst is born every minute. Given any high-profile hack, Captain Attribution™ is sure to show up and tell you how obvious it is that {China|Russia|USA|Israel|Iran} hacked your network. But how hard is it to conduct a false flag cyber operation? It turns out to be easier than you probably think. In this session, we'll examine some keys to a successful false flag operation. The subject of false flag operations has long been popular, but after a number of recent high-profile hacking operations, the idea of a false flag cyber operation has become a household term. Nation states resort to these tactics as well: Russia was caught red-handed trying to pin the Olympic Destroyer attacks on Lazarus.