
Beware: Iranian cyberattacks may actually be false flags

By Robert Hackett
January 16, 2020, 9:30 AM ET

U.S. officials and cybersecurity experts have been warning businesses to be on alert for Iranian cyberattacks ever since the U.S. killed Qassem Suleimani, a top Iranian general, in an airstrike earlier this month.

In one advisory, the Department of Homeland Security warned of Iranian hackers’ “willingness to push the boundaries of their activities” in cyberspace. In another, obtained by the cybersecurity news outlet CyberScoop, the Federal Bureau of Investigation said it noticed an uptick in “cyber reconnaissance activity,” the kind of computer network poking, prodding, and probing that can enable espionage and other potentially destructive attacks.

For businesses looking to stay out of the crossfire between the U.S. and Iran, the warnings are wise to heed. But they largely neglect to mention another troubling possibility: That hackers sponsored by other nation states could disguise themselves as Iranian intruders—or commandeer Iranian infrastructure—to mask their true identities, steal information, and disperse malware.

Attribution is hard

Sussing out the identities of hackers amid the digital mists can be a challenge. Some government agencies, like the National Security Agency, and certain private sector cybersecurity firms have demonstrated a credible ability to unmask attackers over the years. But the opportunity for ambiguity and mistaken identity lingers.

Given the high tensions with Iran, businesses will be predisposed to see Iranian fingerprints in the traces left by network intruders. But mistaking the origin of hacking attempts, breaches, and leaks risks amplifying tensions between the U.S. and Iran.

The possibility of false flag operations “injects a lot of uncertainty” in the situation, says Priscilla Moriuchi, director of strategic threat development at Recorded Future, a threat intelligence firm. “There’s a lot of potential for mistaken escalation.”

Raising false flags

The prospect is more than theoretical. One country that has frequently favored false flag operations is Russia. In 2014, suspected Kremlin-backed hackers were believed to have disguised themselves as a hacker-activist group called CyberBerkut while targeting the North Atlantic Treaty Organization with “denial of service” attacks and the Ukrainian government with data leaks. A year later, suspected Russian hackers took a French TV network off the air and defaced its website, claiming to be a group that described itself as the “Cyber Caliphate.”

Russia’s ruses have continued. In 2018, agents of the Kremlin were believed to have temporarily taken down the Wi-Fi at the 2018 Winter Olympics in Pyeongchang, South Korea, and prevented staff from printing or scanning tickets, while pretending to be North Korea. A year later, suspected Russian hackers were said to have hijacked Iranian hacking infrastructure to conduct their own espionage campaigns, as the NSA and U.K.’s National Cyber Security Centre noted in a joint report at the time.

Russia is not the only country to plant false flags, even if it has been pegged as the most frequent offender. When Sony Pictures Entertainment was ransacked in 2014, the hackers, believed to have been backed by North Korea, called themselves the “Guardians of Peace,” ostensibly assuming the cover of some “hacktivist” crew. The United States and Israel, meanwhile, have never said they were behind the Stuxnet cyberattack which took down Iranian nuclear centrifuges a decade ago, though it’s widely believed they were responsible.

Removing the mask

In many cases, hacker groups engaging in false flag tactics, such as those outlined above, have every incentive to generate chaos and confusion about who has done what. Sowing doubts about the provenance of cyberattacks serves to bolster their counter narratives.

Despite this, it’s important to keep in mind alternative possibilities when investigating breaches and assigning blame. Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity firm that gained notoriety for attributing data breaches at the Democratic National Committee to Russia in 2016, says that while spies backed by other countries could pose as Iranian hackers, he believes the attackers will ultimately have a very hard time keeping up the subterfuge.

“Attribution is a difficult problem,” Meyers acknowledges, but it is a tractable one, he says. The challenge “can be addressed by using rigorous analytic controls and tools and making sure to have checks and balances to account for bias and incorrect assessments.”

In the span of time between discovering a hacking attempt and piecing together a whodunnit, investigators should take pains to ensure they’ve got it right. Otherwise, misattributions could lead to dangerous intensifications of conflict between nation states.

“If the government is expecting Iranian intrusions, they’ve got to be certain they’re actually seeing Iranian state sponsored activity and not Russians masquerading as Iran,” Moriuchi says.

© 2026 Fortune Media IP Limited. All Rights Reserved.