Sergio Caltagirone - intel@bsky.social
President @AcademyThreat & Tech Director @GblEmancipation; Fmr @Dragosinc, @Microsoft & @NSAGov He/Him NOW AT https://t.co/ZWCsxBUFeG

Jun 10, 2020, 5 tweets

False flag operations are very rare because they're risky and the blowback effects are bad. Interestingly, the risks increase the more "important" you are so the most powerful countries are less likely to conduct FF ops. /1 #infosec #cybersecurity #ThreatIntel

Traditional covert and clandestine operations are cheaper, less risky, and more likely to succeed than false flag ops. Importantly, not all attempts to redirect blame are false flags; some are just considered standard covert ops. /2

False flags are also generally misunderstood and confused. For example, using Russian as an English speaker in malware is, by itself, not a false flag but rather just considered good covert practice. It doesn't attempt to place blame but just conceals the operators better. /3

So, all false flags are covert ops but not all covert ops are false flags. As a #ThreatIntel analyst, if you're considering the FF hypothesis, beware because it's a complex path of analysis that isn't always apparent and requires much more data than one piece of analysis. /4

Remember Occam's Razor: the conclusion with the fewest assumptions is generally the best. False flags DO happen but are also very regularly used as a "boogeyman" in analyst conversations to mask a frustrating lack of data to test all of the hypotheses.
