Dark Reading discusses how nation-state cyber attacks appear to have adopted the Russian “Maskirovka” military doctrine:
Positively identifying the actual threat group behind a cyberattack as well as its true intentions is getting harder than ever as nation-state hacker groups out of North Korea and Russia, for example, in 2017 employed tactics typically used by their cybercriminal counterparts, and vice versa. In May of last year, North Korea’s massive ransomware campaign WannaCry at first appeared to be the handiwork of traditional financially motivated hackers, while Russia’s data-destruction attack via NotPetya initially presented itself as a pure ransomware attack.
The cloak-and-dagger feature of NotPetya, for example, reflects a Russian military doctrine called “maskirovka,” which is all about deceiving and confusing the victim, while also hiding the actual intent of the operation, according to CrowdStrike. “Although NotPetya was eventually revealed to be a wiper, the veneer of ransomware delayed this initial assessment,” the security firm wrote in its new Global Threat Report published this week, which analyzes findings and trends from its incident response investigations and data from its cloud-based Falcon endpoint detection system in 2017.
The destructive NotPetya attack was a data-wiping campaign against Ukraine that also hit companies in the US (Merck and Federal Express), Russia’s top oil company Rosneft, Danish shipping giant A.P. Moller-Maersk, Russian metals manufacturer Evraz, as well as Ukraine’s Boryspyl Airport. In rare public attack-attribution statements, the US, UK, Canada, New Zealand and Australia, this month all pointed the finger at Russia as the culprit.
In the context of military operations, cyberspace is still relatively new when compared to the traditional domains of land, sea, and air. As a result of this immaturity, it is only natural for nations to iterate and for their strategies to evolve. What we saw ten years ago is not what we are seeing today, and it will not be what we see ten years from now.
The Russian “Maskirovka” doctrine is actually far easier to pull off in a cyber attack than it is in a kinetic one. It should come as no surprise to see nation states attempting to deceive forensic attempts to attribute an attack to a specific actor.
Relatedly, the idea behind “Maskirovka” is the basis for conducting a false flag operation: a malicious actor frames a different group for an attack, in order to thwart attempts at discovery while deceiving and confusing the intended target(s). Once again, cyber attacks make it exponentially easier to successfully pull off a false flag because of the nature of how these attacks are executed.