According to a new joint report from the U.S. National Security Agency (NSA) and the UK’s National Cyber Security Centre (NCSC), Russian hackers have been masquerading as Iranian hackers in order to access sensitive government, military and commercial secrets in 35 countries. What’s important to note here is that the Russian hacking group known as Turla was not just imitating the tactics and techniques of the Iranian hackers known as OilRig – they were literally breaking into the IT infrastructure of these hackers, co-opting their hacking tools, and taking over their servers in order to carry out their attacks. The upshot of all this, of course, is that cyber attacks originally attributed to the Iranians might actually be the work of the Russians.
Plausible deniability in the cyber realm
All of this, of course, raises the question of why the Russians would be doing this in the first place. The most obvious suggestion raised by Western cyber experts and U.S. intelligence agencies, is that the Russian hackers were actually working under the direction of either the FSB (Russia’s federal security service) or the GRU (Russia’s largest foreign intelligence agency), and were carrying out these attacks at the request of the Kremlin. This approach would give the Kremlin “plausible deniability” if the hacker attackers were ever made public.
The fundamental assumption of the plausible deniability defense is that “without substantial proof, there can never be substantial repercussions.” In short, it would be close to impossible to levy economic or diplomatic sanctions against high-ranking Russian officials if an attack could never be traced back to Moscow. For that reason, the Russian group of hackers needed a clever way to “mask” their surveillance and counter-intelligence activities in dozens of countries, and one of the easiest ways to do that was by co-opting the hacking tools and techniques of the Iranian hackers. In fact, according to U.S. and UK officials, it now looks like the Russian hackers actually took over some Iranian hacker operations already in progress, often without the knowledge of the Iranians.
Cyber false flags
Another possible explanation for why the Russian hackers decided to piggyback on the exploits of the Iranian hackers could be the desire to carry out “false flag” attacks in the cyber realm. In the military realm, a false flag attack is generally carried out by one government under the guise of another, so as to get the victim to respond in the wrong way.
For example, consider the recent string of high-profile hacks taking place not just in the Middle East, but also in Europe, the UK and the United States. If Russia has a desire to provoke the West into a war with Iran, what better way to do that than to set up a cyber “false flag” event?
Say, for example, that a major attack was carried out against an electric grid operator in the United States, leading to catastrophic effects and a potential “grid down” scenario. Wouldn’t the U.S. interpret this as an act of war, and seek retribution against whoever carried out this attack? If the cyber attack bears all the fingerprints of the Iranian hackers (both in terms of the tools and techniques used), wouldn’t the natural reaction of the U.S. be to carry out a massive counter-strike against Iranian cyber targets?
Russian hackers disrupting the global cyber order
As security experts have pointed out, Russian hackers are no strangers to the world of cyber false flags and cyber attacks carried out at the behest of government, military or intelligence entities. For example, back in 2014, Russian hackers calling themselves Cyber Berkut carried out a number of attacks against Ukraine’s Central Election Committee, with some of them acting under the guise of Ukrainian “hacktivists.” Then, in 2015, Russian hackers were linked to false flag cyber attacks in France under the guise of a hacker group calling itself the Cyber Caliphate – a clear attempt to link those attacks back to Islamic radicals within France. Then, in the 2016 U.S. presidential election, Russian hackers worked in the shadows to sow confusion and doubt in the American electorate, at times hiding behind the exploits of a Romanian hacker known as Guccifer 2.0.
After 2016, Russian hackers really stepped up their attacks, this time transitioning into ransomware attacks. Perhaps the most infamous of these ransomware attacks was the creation in 2017 of NotPetya, a strain of ransomware specifically targeted against the Ukrainian power grid. These ransomware attacks were ultimately linked by Western intelligence officials to Russian military intelligence, suggesting that the Kremlin was carrying out offensive cyber attacks through any number of its Russian hacker proxies. Then, in 2018, Russian hackers were once again linked to cyber attacks at the Winter Olympics, presumably in retribution for the ban of Russian athletes from the event on doping charges. What’s interesting to note, however, is that the Russian hackers covered their tracks in the Olympic Destroyer attack by making it appear that the attack might have emanated from either China or North Korea.
The complex logic of cyber counterattacks against Iranian hackers
Based on just these examples, it’s easy to see why cyber operations are such a complex matter. First and most importantly, there is the matter of attribution, since it can be very hard to tell where attacks are originating from, or which entities are really behind a cyber attack. With Russian hackers now impersonating Iranian hackers, the situation is getting even more complex. When deciding how to respond, cyber intelligence officials now have to be very careful that they are not the victim of a false flag cyber attack. Imagine, for example, if the United States decided to launch a cyber offensive against Iran in the Middle East, when in fact, the original cyber attacks were not from the Iranian hackers. That whole process might lead to war in the region, with very unpredictable consequences.
For that reason, the U.S. and UK officials behind the investigation into Russian hackers masquerading as Iranian hackers sent a very clear message to the world: “Even when cyber actors seek to mask their identity, our capabilities can identify them.” Hopefully, that warning – backed by the full offensive and defensive cyber capabilities of the U.S. government – will be enough to deter Russian hackers and other rogue cyber actors.