Chinese hackers disguised themselves as Iran to target Israel

This problem can be countered by putting investigators on the trail and going after targets that don't really interest them. This has its problems: increasing the volume of activity greatly increases the chance of being caught.

The fingerprints left behind by the attackers convinced Israeli and American investigators that Iran was not responsible. The same hacking group has used similar deceptive tactics before; it may even have hacked into the Iranian government in 2019, adding another layer of deceit.

This is the first documented instance of large-scale Chinese hacking against Israel. It comes after a series of multibillion-dollar Chinese investments in the Israeli tech sector, part of Beijing's Belt and Road Initiative, an economic strategy that aims to expand Chinese influence and reach across Eurasia and the Atlantic. The United States has warned against these investments, claiming they could pose a security risk. (The Chinese Embassy in Washington, DC did not immediately respond when we asked for comment.)

Misdirection, misattribution

Although UNC215's attack on Israel was neither particularly successful nor sophisticated, it highlights the importance of misattribution in cyber-espionage campaigns. A false flag not only provides a possible scapegoat for the attack but also serves as diplomatic cover for the attackers: when presented with evidence of espionage, Chinese officials often claim that it is difficult or impossible to trace hackers.

The attempt to misdirect investigators raises a bigger question: how often do false-flag attempts actually fool victims and investigators? Not often, says John Hultquist of FireEye. Such deception can be effective if you view a single incident through a narrow lens, but even when an attack is misattributed successfully, it is very difficult to maintain the illusion over time. This is what happened to the Chinese hackers who targeted Israel in 2019 and 2020.

"It is very difficult to keep the deception alive over multiple operations." John Hultquist, FireEye

Once you tie the incident to other events, Hultquist explained, the deception loses its effectiveness; it is very hard to maintain over multiple operations.

One of the best-known attempts at misattribution in cyberspace was the Russian attack on the opening ceremony of the 2018 Winter Olympics in South Korea, known as Olympic Destroyer. The Russians planted contradictory clues pointing to both Chinese and North Korean hackers, apparently to stop investigators from reaching any clear conclusion.

"Olympic Destroyer is a stunning example of false flags, attribution nightmares," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, tweeted at the time.

Researchers and governments eventually pinned the blame on Russia, and last year the United States indicted six Russian intelligence officers for the attack.

The North Korean hackers initially suspected in the Olympic Destroyer attack have also dropped false flags during their own operations. They too were eventually caught by private-sector investigators and the United States government; three North Korean hackers were indicted earlier this year.

Hultquist says there has been a misconception that attribution is harder than it actually is. False flags were always a possibility, and the argument was that they would ruin the case that attribution was possible. They have not yet. Such attempts to derail attribution are still possible, and they are still being detected. They have not crossed the line yet.