Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks

Wednesday 5 October 11:30 - 12:00, Green room

Juan Andrés Guerrero-Saade (Kaspersky Lab)
Brian Bartholomew (Kaspersky Lab)

In the last year, there has been much debate over the accuracy and usefulness of attribution with regards to APT actors. Investigators have had an increasingly difficult time finding reliable and agreed upon metrics for attributing attacks. To further complicate this issue, some APT groups have fragmented, leaving them with limited infrastructure to conduct targeted attacks (perhaps by design). At the same time, more seasoned APT groups have been following publicly available research on the topic and using this information to introduce false flags into their TTPs. Researchers have long theorized on this possibility, we would now like to provide a wealth of real-world examples of attempts at false flag operations from previously unpublished research. The hope is to advance more mature discussions about attribution, the technical limitations entailed, and introduce a more realistic set of expectations for the actionable value of identifying the teams or individuals behind targeted attacks.

The in-the-wild examples will substantiate previously hypothesized claims about attacker responsiveness to wide-publication research and the intentional tampering of relevant indicators. Many of these examples come from unpublished research and unwritten observations from the original researchers themselves. The ultimate goal is to introduce realistic directives for the consumers of threat intelligence to guide their expectations in relation to attribution so as to avoid the lure of sexy marketing and instead be able to leverage data useful for network defence in the commercial and government sectors.

Click here for more details about the conference.


Juan Andrés Guerrero-Saade

Juan Andrés joined GReAT in 2014 to focus on targeted attacks. Before joining Kaspersky, he worked as Senior Cybersecurity and National Security Advisor to the President of Ecuador.




Brian Bartholomew

Brian has 15 years of experience in cyber espionage operations, reverse engineering, penetration testing, and incident response.  Before joining GReAT, he worked at iSIGHT Partners, the US Department of State, and also spent three years in the United Arab Emirates.  



We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.