So you’ve performed the investigation and attribution is complete. Or is it? Attackers are becoming more advanced every day. And with that sophistication comes the desire to pin their attacks on others to cover their tracks. Earlier this year, the we observed the first kinetic response to an alleged cyberattack. But what if the attribution were wrong? That’s not as far-fetched as some might think. In the Olympic Destroyer attacks, it’s now clear that Russia tried to confuse analysts into believing it was North Korea. In this talk, someone who’s been on both sides of the keyboard will examine how attackers might conduct false flag attacks, case studies where it’s happened, and how you can avoid being duped into performing an inaccurate attribution.