When hackers broke into computers across Israel’s government and tech companies, investigators looked for clues to find out who was responsible. The first evidence pointed directly at Iran, Israel’s most contentious geopolitical rival. The hackers deployed tools normally associated with Iranians, for example, and wrote in the Farsi language.
But after further examination of the evidence—and information gathered from other cyber-espionage cases across the Middle East—analysts realized it was not an Iranian operation. Instead, it was conducted by Chinese operatives posing as a team of hackers from Tehran.
The hackers successfully targeted the Israeli government, technology companies, and telecommunication firms—and by deploying false flags, it appears, they hoped to mislead analysts into believing the attackers were from Israel’s regional nemesis.
New research from the American cybersecurity firm FireEye, working with the Israeli military, exposes the failed deception and describes the techniques the hackers used in their effort to put the blame elsewhere.
Many of their tactics were fairly blunt attempts to suggest they were Iranian spies, according to the research paper, such as using file paths containing the word “Iran.” But the attackers also took pains to protect their true identities by minimizing the forensic evidence they left on compromised computers, and hiding the infrastructure they used to break into Israeli machines.
But their ploy to point the finger at Iran failed. The hackers, whom FireEye refers to as UNC215, made several key technical mistakes that blew their cover and strongly linked them back to their previous work. For example, they used similar files, infrastructure, and tactics across multiple operations in the Middle East.
“There are pieces that will distinguish the operator or their sponsor,” says John Hultquist, vice president of threat intelligence at FireEye. “They will bleed through multiple operations regardless of deception.”
On top of multiple technical giveaways, another important clue is the kind of information or victims that the hackers targeted. UNC215 repeatedly attacks the same kinds of targets in the Middle East and Asia, all of them directly related to China’s political and financial interests. The group’s targets overlap with those of other Chinese hacking groups, which do not always coincide with the interests of known Iranian hackers.
“You can create significant deception, but ultimately you have to target what interests you,” Hultquist says. “That will provide information on who you are because of where your interests are.”
The only obvious countermove to this problem is to put investigators off the trail by going after targets that aren’t really of interest. But that causes its own issues: raising the volume of activity vastly increases the chances of getting caught.
The fingerprints left by the attackers were enough to eventually convince Israeli and American investigators that the Chinese group, not Iran, was responsible. The same hacking group has used similar deceptive tactics before. In fact, it may even have hacked the Iranian government itself in 2019, adding an extra layer to the deception.
It is the first example of a large-scale Chinese hack against Israel, and comes in the wake of a set of multibillion-dollar Chinese investments in the Israeli tech industry. They were made as part of Beijing’s Belt and Road Initiative, an economic strategy meant to rapidly expand Chinese influence and reach clear across Eurasia to the Atlantic Ocean. The United States warned against the investments on the grounds that they would be a security threat. (The Chinese embassy in Washington, DC, did not immediately respond to a request for comment.)
Misdirection and misattribution
UNC215’s attack on Israel was not particularly sophisticated or successful, but it shows how important attribution—and misattribution—can be in cyber-espionage campaigns. Not only does it provide a potential scapegoat for the attack, but it also gives diplomatic cover to the attackers: when confronted with evidence of espionage, Chinese officials regularly argue that it is difficult or even impossible to trace hackers.
And the attempt to misdirect investigators raises an even bigger question: How often do false-flag attempts fool investigators and victims? Not that often, says Hultquist.
“The thing about these deception efforts is if you look at the incident through a narrow aperture, it can be very effective,” he says. An individual attack may be successfully misattributed, but over the course of many attacks it becomes harder and harder to maintain the charade. That’s the case for the Chinese hackers targeting Israel throughout 2019 and 2020.
“Once you start tying it to other incidents, the deception loses its effectiveness,” Hultquist explains. “It’s very hard to keep the deception going over multiple operations.”
The best-known attempt at misattribution in cyberspace was a Russian cyberattack against the 2018 Winter Olympics opening ceremony in South Korea, dubbed Olympic Destroyer. The Russians attempted to leave clues pointing to North Korean and Chinese hackers—with contradictory evidence seemingly designed to prevent investigators from ever being able to come to any clear conclusion.
“Olympic Destroyer is an amazing example of false flags and attribution nightmare,” Costin Raiu, director of the global research and analysis team at Kaspersky Lab, tweeted at the time.
Eventually, researchers and governments did definitively pin the blame for that incident on the Russian government, and last year the United States indicted six Russian intelligence officers for the attack.
Those North Korean hackers who were initially suspected in the Olympic Destroyer hack have themselves dropped false flags during their own operations. But they were also ultimately caught and identified by both private-sector researchers and the United States government, which indicted three North Korean hackers earlier this year.
“There’s always been a misperception that attribution is more impossible than it is,” says Hultquist. “We always thought false flags would enter the conversation and ruin our entire argument that attribution is possible. But we’re not there yet. These are still detectable attempts to disrupt attribution. We are still catching this. They haven’t crossed the line yet.”