
When fourth-party collection becomes attribution hell [pdf] - nkurz
https://cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf
======
mfoy_
To put it in painfully simple terms, just because the "hacker's code" contains
Cyrillic, it doesn't mean Putin was behind it.

As a layman, "fourth-party collection" sounds a lot like "false flag" to me...
is there any key difference I'm missing?

~~~
Natsu
They discuss that both in the passive and active sense. I'd say that only the
active sense appears to be similar to a false flag operation. From the
article:

Fourth-party collection – As described previously, fourth-party collection
involves interception of a foreign intelligence service’s ‘computer network
exploitation’ (CNE) activity in a variety of possible configurations. Given
the nature of Agency-A as a cyber-capable SIGINT entity, two modes of
fourth-party collection are available to it: passive and active. The former will take
advantage of its existing visibility into data in transit either between hop
points in the adversary’s infrastructure or perhaps in transit from the victim
to the command-and-control servers themselves (whichever opportunity permits).
On the other hand, active means involve the leveraging of diverse CNE
capabilities to collect, replace, or disrupt the adversary’s campaign. Both
present challenges which we will explore in extensive detail further below.

