  • Mike McCormick

False Flags: Did Russia Frame Ukraine?

Thanks to news coverage of President Trump’s phone call with Ukrainian president Zelensky, Americans are learning about a conspiracy theory that Ukraine was behind attempts to hack the 2016 US election. This rumor persists despite US intelligence agencies’ near certainty that Russia was the culprit. There is evidence Russia even started these rumors, hoping to frame Ukraine.

A key element of the “Ukraine did it” theory is based on a rumor that cybersecurity firm CrowdStrike took possession of a DNC mail server containing Hillary Clinton’s missing emails, and stashed it in Ukraine. The rumor appears to stem partly from a misbelief that CrowdStrike is a Ukrainian firm (it’s American) or its cofounder is Ukrainian (he’s Russian). It’s true the DNC hired CrowdStrike to investigate the 2016 hack, but the RNC uses CrowdStrike too.

These clashing narratives shine light on the murky world of cyber attribution, a branch of computer forensics that focuses on determining who was behind a hack or cyberattack. It’s an art, not a science.

CrowdStrike performed computer forensics on DNC servers after the 2016 breach. Forensic analysts do not physically remove or take possession of computers they analyze. But they do make virtual copies of hard drives – called images – and store them at their labs for analysis. While it’s highly unlikely CrowdStrike physically removed a DNC mail server, it’s possible they imaged such a server and stored the image file in one of their forensics labs. Any such image is most likely to reside in California, not Ukraine.

The “Ukraine did it” narrative is not only at odds with the entire US intelligence community, but also with the meticulously researched Mueller Report, and even with US Senate Republicans, whose report on 2016 election interference squarely blamed Russia.

Still, it must be acknowledged that cyber attribution is extremely difficult. The forensic investigator enters a hall of mirrors where every clue can be a deception. False flag operations are increasingly common, where the true actor behind a cyberattack leaves fake clues to frame somebody else.

For example, when the Lazarus Group hacked a Taiwanese bank to transfer sixty million dollars to North Korean accounts, they left behind Hermes ransomware of Russian origin, modified to protect Russian or Ukrainian computers. The ransomware, planted as a distraction, wasn't actually used in the attack. Instead of framing Russia or Ukraine, North Koreans framed both!

Russia is adept at false flag operations. When they hacked the 2018 Olympics in Operation Olympic Destroyer, Russians left fake clues pointing to China and North Korea. Independent forensic experts and US intelligence agencies saw through the deception, all concluding Russia was the perpetrator. For example, researchers with Moscow-based Kaspersky Lab found malware that looked North Korean but was wrongly constructed, suggesting a bungled attempt to fake a North Korean attack. Following the trail of cyber breadcrumbs ultimately led them back to Moscow.

False flags are dangerous. In a nightmare scenario, the US could misattribute a cyberattack and launch a counterattack against the wrong country. A milder version of that scenario may be playing out right now. If Russia planted false flags to frame Ukraine, President Trump may have mistakenly retaliated against Ukraine by withholding missiles for its fight with Russia. This would be a double win for Putin, who redirects blame for his 2016 misdeeds toward his enemy Ukraine, while also postponing delivery of kinetic weapons his enemy wants to use against him on the battlefield.

Attribution is never 100% certain. Forensic analysts can be deceived by false flags. But in the case of 2016 election tampering, the evidence overwhelmingly points to Russia. Many analysts and agencies reached this same conclusion. More importantly, it appears to be independently verifiable by intel of a non-forensic nature, such as Moscow phone intercepts.

False flag operations not only put us at risk of cyberwar against the wrong countries, they also undermine public trust in cyber attribution. Even when evidence against Russia is overwhelming, a tiny amount of uncertainty must remain, as it always does in computer forensics. This seed of uncertainty can grow into a monstrous tree of conspiracy theories that bear poison fruit.


Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.
