While Symantec and other cybersecurity firms had spotted Turla's piggybacking earlier this year, the US and UK intelligence agencies have now outlined the operation's sheer scale. The Russian team spied on victims in 35 countries, all of whom might have believed on first inspection that the intruders were instead Iranian. "We want to send a clear message that even when cyber actors seek to mask their identity, our capabilities will ultimately identify them," according to the statement from Paul Chichester, the NCSC’s director of operations. But while Turla was ultimately unmasked, the operation adds a new dimension of uncertainty for digital investigators. More broadly, it shows the fast-evolving nature of how hackers hide behind false flags. Just a few years ago they were wearing clumsy masks; now they can practically wear another group's identity as a second skin. And while other countries have dabbled in the practice—North Korea famously hacked Sony Pictures under the moniker "Guardians of Peace"—no one has pushed that progress more than the Russians.
"Their aggressive cyberactivity sits on a foundation of substantial experience in active measures," says John Hultquist, director of intelligence analysis at threat intelligence firm FireEye. "There's no question that they’re at the bleeding edge of the problem."
Hacktivist Impersonators

Starting as early as 2014, Russian hackers have chosen from a proverbial grab bag of disguises to create a layer of confusion. In May of that year, for instance, a group calling itself Cyber Berkut hacked Ukraine's Central Election Commission in the midst of the country's post-revolution election. "Berkut" is Ukrainian for "eagle," and also the name of a police force that supported the pro-Russian regime in the revolution and killed more than 100 protestors. The Cyber Berkut hackers posted a political message to the commission's website under the guise of activists accusing the Ukrainian government of corruption. They later planted an image on the commission's web server that showed fake voting results on election day, putting the ultra-far-right candidate Dmytro Yarosh in the lead.
Though the commission managed to discover and delete the image before the voting results were released, Russian media ran with the fake tally nonetheless, hinting at collaboration between the hackers, Russian TV networks, and the Kremlin. Cyber Berkut was later revealed to be a front for the Russian military intelligence hacker group known as APT28 or Fancy Bear. Over the following years, the GRU would repeat those false flag "hacktivist" attacks again and again. Hackers calling themselves Cyber Caliphate hit the French television station TV5Monde in 2015, destroying the station's computers and posting a jihadi message on its website. The misdirection led to immediate speculation that ISIS had perpetrated the attack, before the French intelligence agency ANSSI pinned it on the GRU. And in 2016, security firm CrowdStrike identified the GRU as the spy agency behind a US-targeted false flag operation, this time the hacking of the Democratic National Committee and later Hillary Clinton's presidential campaign. The Fancy Bear hackers responsible had hidden behind fronts like a Romanian hacktivist named Guccifer 2.0, and a whistle-blowing site called DCLeaks that distributed the stolen documents.