by whisk3rs 3832 days ago
How do Yahoo, Google, Facebook, or others distinguish between state-sponsored actors and non-state-sponsored actors?
6 comments

They match up the activity they observe with tactics/techniques/procedures (TTPs, an awkward term but it's of old military origin) associated with various known state actor groups. These are widely published by various security firms, although the details are often kept in the industry and behind a paywall. You can find a lot of info just by googling the codenames firms assign to the groups; APT28 is one such group on my mind which has recently had some public reporting: https://www.fireeye.com/content/dam/fireeye-www/global/en/cu...

These TTPs may consist of known attack infrastructure, email payloads, even things as simple as an email subject line if the attacker leaves it fairly static. They may also be as complicated as artifacts of dynamic analysis of malware, software engineering techniques and tools, language use, etc.

Attribution to state actors comes via similar techniques, generally tying attacks back to infrastructure known to be owned by state agencies or companies operated by the same. The line between state actors and higher-end criminal groups can be very blurry, both in that attribution may be difficult and in that the groups actually overlap in many areas. But still, you can often make a pretty confident guess.

These attribution techniques are well-established in the security industry, and I'm not surprised to see these big providers starting to automate it where possible.

I want one of these companies to define state-sponsored actors?

It's great if one is a dissenter in Egypt and the authorities there go after their Yahoo! account but what about a US citizen's account being attacked by the FBI or NSA?

There's no attack from the FBI or NSA, there's a court order.

Secret court orders are an attack on democracy.

I don't disagree.
https://en.wikipedia.org/wiki/Cybersecurity_Information_Shar...

This passed along with the budget bill at the end of last week. It establishes a system whereby the US defense department shares with corporations their signals for detecting state-sponsored attacks, and companies are allowed to opt in to sharing anonymized attack information with the DoD.

CISA is a terrible bill and not a solution to this problem. Security teams have been able to manage this data on their own for years without government intervention.

There have always been other methods for determining if an attacker is state sponsored. One example: Seeing your account, and a number of dissidents or activists, being attacked from a block of IPs or similar password attempts, probably means the attack is state sponsored.

That being said, in security, attribution is a very hard problem, and the methods used to determine state sponsored attacks are also quite hard to design.

There's a reason why companies won't elaborate on how they do this, but it is usually a combination of login/account intelligence and threat feeds.

>> Seeing your account, and a number of dissidents or activists, being attacked from a block of IPs or similar password attempts, probably means the attack is state sponsored.

Used to work at a fairly large global corporation. One day I was chatting up one of the senior sys admins. He was talking about the incredible traffic that bombards their server every day. I was pretty naive back then and said, "C'mon man, it can't be that much!"

He opened his terminal and ran a simple monitoring tool, then opened another terminal. In one was the constant traffic to several of their applications that was from a specific block of IP addresses he thought he had traced back to China. The other window was a running queue of mistyped password attempts. It was like clockwork. They'd try three, get kicked out of the system, then in an instant, you'd see a flurry of new IP addresses from the same block, then some more attempts to guess the password. Kicked out, rinse, repeat.

In the span of five minutes, I must have seen two dozen failed attempts to try and do a dictionary password attack on their login page. He guessed it was some kind of a bot that was running the tests considering how mechanical and orderly the attacks were.

It really opened my eyes as to how often and how many businesses these governments go after for intellectual property.
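The pattern both of the comments above describe (many activist or dissident accounts hit from one IP block, each source stopping at the lockout threshold and a fresh address from the same block taking over) can be checked for in authentication logs. The detector below is an added example, not code from this thread; the log line format, the /24 grouping and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample auth log lines (format is an assumption, not a real product's).
SAMPLE_LOG = """\
2015-12-22T10:00:01 FAIL user=activist1 src=203.0.113.10
2015-12-22T10:00:02 FAIL user=activist1 src=203.0.113.10
2015-12-22T10:00:03 FAIL user=activist1 src=203.0.113.10
2015-12-22T10:00:04 FAIL user=activist2 src=203.0.113.11
2015-12-22T10:00:05 FAIL user=activist2 src=203.0.113.11
2015-12-22T10:00:06 FAIL user=activist2 src=203.0.113.11
2015-12-22T10:00:07 FAIL user=journalist1 src=203.0.113.12
2015-12-22T10:00:08 FAIL user=journalist1 src=203.0.113.12
2015-12-22T10:00:09 FAIL user=journalist1 src=203.0.113.12
2015-12-22T10:00:10 FAIL user=activist1 src=203.0.113.13
2015-12-22T10:01:00 FAIL user=bob src=198.51.100.7
2015-12-22T10:02:00 OK   user=bob src=198.51.100.7
"""

LINE_RE = re.compile(r"^\S+ (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (status, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), ip_address(m.group(3))))
    return events

def block_of(ip, prefix=24):
    # Group sources by their /24 so rotating neighbours land in one bucket.
    return ip_network(f"{ip}/{prefix}", strict=False)

def suspicious_blocks(events, min_accounts=3, min_ips=3, fails_per_ip=3):
    """Flag /24 blocks whose failures span many distinct target accounts and
    many distinct source IPs, with each IP stopping exactly at the lockout
    threshold (the 'try three, get kicked, rotate' rhythm)."""
    per_block = defaultdict(lambda: {"accounts": set(), "ips": defaultdict(int)})
    for status, user, ip in events:
        if status != "FAIL":
            continue
        b = per_block[block_of(ip)]
        b["accounts"].add(user)
        b["ips"][ip] += 1
    flagged = {}
    for block, b in per_block.items():
        at_threshold = sum(1 for n in b["ips"].values() if n == fails_per_ip)
        if len(b["accounts"]) >= min_accounts and len(b["ips"]) >= min_ips and at_threshold >= min_ips:
            flagged[str(block)] = {"accounts": len(b["accounts"]), "ips": len(b["ips"]), "at_threshold": at_threshold}
    return flagged
```

A single block hitting one account (198.51.100.0/24 here) stays unflagged; what raises the alert is the combination of breadth across targeted accounts and source rotation at the lockout limit.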

Didn't say I agreed with it, just pointed out a likely reason why such a narrowly specific threat notification tool would be launched now.

I have long suspected that the overwhelming majority of any "sharing" that takes place will be one-sided, from corporations to government.

In previous jobs, I've been involved with various ISACs and while there was some sharing of information from the government, it was often "watered down", vague, and mostly unactionable.

Also, what kinds of attacks are they trying to catch here? The bullet points in the article seem like phishing scams. Phone verification doesn't seem like it would do much since a sophisticated adversary has probably also compromised the phone network as well.

By far the most common vector of state sponsored attacks is simple malicious email. Why waste your time and money when something simple works so well?

I would assume sophistication, intensity, and the fact that as long as it's not the NSA doing it they'll get tipped off that China, Russia, Insert-Evil-Country-Here is running a campaign against them.

Non-state-sponsored are criminals who do it to get money. Blackmail / hostage.

State sponsored don't do it for the money.