News Brief

UK investigation reveals Russian hackers impersonated Iranian hackers

What makes cyberwarfare so unlike traditional war is that it’s sometimes much harder to know — much less prove — who attacked you. This creates a situation of relative impunity, where the ingenuity and impact of cyberattacks grows ever greater, but deterrence is always a step behind.

Of course, there are certain ways you can tell who attacked you — the methods they used, the servers they used. But even that boon has a dark side: As was revealed this week, hackers can use them to pretend they’re someone else.

According to a new report from UK and U.S. intelligence agencies, this is what Russia has done on a massive scale. The government-linked Turla group allegedly used Iranian hacking methods to attack 35 countries, creating the impression that Iranians were behind the attacks. In the language of pre-digital warfare, this was a false flag. The majority of the victims were in the Middle East, and at least 20 countries were successfully compromised.

The British Cyber Security Center’s director of operations told the Financial Times it was “a real change in the modus operandi of cyber actors.”

Alexander Klimburg, director of the Cyber Policy and Resilience Program at The Hague Centre for Strategic Studies, said the disclosure by U.S. and UK authorities can help the public understand that cyberattacks are difficult to attribute. “I think it helps by showing that attribution is a delicate issue and we should be careful in quickly jumping to conclusions,” said Klimburg in an interview. “This not only makes the public a little bit more wary but it also means that politicians and the media won’t always get the easy answer that they want.”

But the fact that British and American intelligence revealed that they knew about the impersonation is an important story in itself. When agencies make these kinds of announcements, they are often guided by complex geopolitical calculation and strategy.

“It’s not often that intelligence agencies reveal the extent of their capabilities by unmasking…actors that are used in false flag attacks. It cost them a lot to do so,” Klimburg explained.

So why did they go public?

“One possible answer might be that they were worried this…network was going to be used to carry out a highly destructive attack and wanted to warn the Russians that it wasn’t going to fly,” Klimburg said. “Similarly, it may be an attempt to warn that the supposed Iranian disinformation campaign against the U.S. recently uncovered on Instagram and Facebook might actually also be of Russian origin.”

Ultimately, though, he said the main goal of the disclosure is likely to discourage further false flag attacks in cyberspace, a practice that can turn dangerous if states retaliate against the wrong adversary. Wired has an interesting run-down of other times Russian hackers have pretended not to be Russian hackers.

“Overall…[the disclosure] aims to help push back against a rising trend, namely that a false flag attack — and I particularly worry about fake cyber terrorism — may be used to influence the geopolitical narrative,” said Klimburg.