Wednesday, March 08, 2017

A note about "false flag" operations

There's nothing in the CIA #Vault7 leaks that calls into question strong attribution, like Russia being responsible for the DNC hacks. On the other hand, it does call into question weak attribution, like North Korea being responsible for the Sony hacks.

There are really two types of attribution. Strong attribution is a preponderance of evidence that would convince an unbiased, skeptical expert. Weak attribution is flimsy evidence that confirms what people are predisposed to believe.


The DNC hacks have strong evidence pointing to Russia. Not only does the malware check out, but so do other pieces of evidence that are much harder to "false flag", like active command-and-control servers. A serious operator could still false-flag this in theory, if only by bribing people in Russia, but nothing in the CIA dump hints at this.

The Sony hacks have weak evidence pointing to North Korea. One of the items was the use of the RawDisk driver, found both in malware attributed to North Korea and in the Sony attacks. This was described as "flimsy" at the time [*]. The CIA dump [*] demonstrates that it is indeed flimsy -- apparently CIA malware also uses the RawDisk code.

In the coming days, biased partisans are going to seize on the CIA leaks as proof of "false flag" operations, calling the Russian hacks into question. No, this isn't valid. We experts in the industry criticized "malware techniques" as flimsy attribution long before the Sony attack, and long before the DNC hacks. All the CIA leaks do is prove we were right. On the other hand, the DNC hack attribution is based on more than just this, so nothing in the CIA leaks calls that attribution into question.
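The post's distinction between strong and weak attribution can be made concrete with a small weighting heuristic. The Python below is an added example, not code from the post or from any vendor's attribution process: it weights each indicator by how many distinct actors have been seen using it (an inverse-document-frequency style score), so a commodity component shared across unrelated actors, the RawDisk situation, contributes almost nothing, while infrastructure tied to a single actor contributes a lot. The corpus, actor names, indicator strings and the decision margin are all constructed for illustration.

```python
"""
Weight attribution indicators by how widely they are shared across actors.

Heuristic, not a vendor method: weight = log(N_actors / actors_sharing_indicator).
An indicator every actor uses scores 0; one unique to a single actor scores log(N).
"""
from collections import defaultdict
import math

# Constructed corpus of hypothetical samples (no real IoCs). Note that the
# "rawdisk-driver" indicator shows up under three unrelated actors.
CORPUS = [
    {"sample": "sample-A", "actor": "actor-NK",
     "indicators": {"rawdisk-driver", "c2:host-nk-1", "wiper-routine"}},
    {"sample": "sample-B", "actor": "actor-NK",
     "indicators": {"rawdisk-driver", "c2:host-nk-2"}},
    {"sample": "sample-C", "actor": "actor-RU",
     "indicators": {"c2:host-ru-1", "custom-implant-1"}},
    {"sample": "sample-D", "actor": "actor-RU",
     "indicators": {"c2:host-ru-1", "custom-implant-2"}},
    {"sample": "sample-E", "actor": "actor-other-1",
     "indicators": {"rawdisk-driver", "c2:host-x-1"}},
    {"sample": "sample-F", "actor": "actor-other-2",
     "indicators": {"rawdisk-driver", "c2:host-y-1"}},
]


def actors_per_indicator(corpus):
    """Map each indicator to the set of actors it has been observed with."""
    seen = defaultdict(set)
    for sample in corpus:
        for indicator in sample["indicators"]:
            seen[indicator].add(sample["actor"])
    return seen


def indicator_weight(indicator, corpus):
    """IDF-style evidentiary weight; None if the indicator is unknown."""
    seen = actors_per_indicator(corpus)
    n_actors = len({s["actor"] for s in corpus})
    shared_by = len(seen.get(indicator, ()))
    if shared_by == 0:
        return None  # never seen before: no evidence for anyone
    return math.log(n_actors / shared_by)


def score_attribution(new_indicators, corpus):
    """Sum the weight of each observed indicator onto every actor that shares it."""
    seen = actors_per_indicator(corpus)
    n_actors = len({s["actor"] for s in corpus})
    scores = defaultdict(float)
    for indicator in new_indicators:
        actors = seen.get(indicator, set())
        if not actors:
            continue
        weight = math.log(n_actors / len(actors))
        for actor in actors:
            scores[actor] += weight
    return dict(scores)


def best_attribution(scores, min_margin=1.0):
    """Name an actor only when it leads the runner-up by min_margin
    (a constructed threshold); a tie or a thin lead is 'weak attribution'."""
    if not scores:
        return None
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    top_actor, top_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    return top_actor if top_score - runner_up >= min_margin else None


if __name__ == "__main__":
    # RawDisk alone: three actors tie, so no attribution is justified.
    weak = score_attribution({"rawdisk-driver"}, CORPUS)
    print("RawDisk only:", weak, "->", best_attribution(weak))
    # RawDisk plus a C2 host seen only with one actor: a clear leader.
    strong = score_attribution({"rawdisk-driver", "c2:host-nk-1"}, CORPUS)
    print("RawDisk + C2:", strong, "->", best_attribution(strong))
```

Run on the constructed corpus, the RawDisk-only case scores three actors identically and returns no attribution, while adding one piece of actor-specific infrastructure produces a clear leader. The point is the shape of the reasoning, not the numbers: shared tooling is a low-weight indicator precisely because it is shared.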

2 comments:

Carter said...

If you don't mind me asking, given your position back in December vis-a-vis the question of Russian involvement in the DNC/Podesta hacks (http://blog.erratasec.com/2016/12/from-putin-with-love-novel-by-new-york.html#.WMIDMTsrLIU), is your position that there is strong evidence that the Russian government did it or is it that there is strong evidence that hackers in Russia did it? Given that the main point of contention over all this is whether this was an operation of the Russian government, that seems to be an important distinction.

WaltFrench said...

Evidence is important. But the old saw is “means, motive and opportunity.”

So the CIA might ALSO use RawDisk (means); what motive would they have for busting apart Sony's business?