> estimating hacker provenance consists purely of modifiable and/or spoofable circumstantial evidence, including IP addresses, malware signature, and possibly timestamps/localizations within the binaries.

There's more to it than that, and often attribution is the result of the "bigger picture" of multiple clues, rather than a single smoking gun. Group operations develop patterns over time that are much greater than just a timestamp somewhere. Also, identifying a 0-day exploit somewhere often allows you to discover previous deployments of the same exploit, which have their own blast radius of evidence, contributing to these patterns that are identified over time.

> but surely a competent hacker could pull off a hack and trivially modify the evidence to implicate any nation/state whose modus operandi are known in hacking circles, no?

> Deliberately engineering your attack to mimic one from another group is an excellent way to keep people off your trail...

Yes, misdirection is the name of the game here, all bets are off and nothing is off limits. But covering your tracks leaves tracks of its own, and again, even when an attacker thinks all their bases are covered, they will never be sure there wasn't something somewhere they left behind that points back to them.

> and these are hackers we're talking about, after all.

Who do you think "hacker-hunters" are, if not hackers themselves?