Attribution is not from tracing connections or domain ownership, it's from looking at the coding style, the "Tactics, Techniques and Procedures" and the choice of targets.
It's a complex combination of all of those things, in addition to more "offensive" type intelligence collection (spying on GRU/SVR buildings, communications, and officers, essentially, and compromising their infrastructure).
You might be surprised about how even the world's top intelligence agencies sometimes do make simple mistakes with domain and network registration which really are just genuine fuckups rather than false flag subterfuge. This is very rarely a matter of something silly like "Russian IP = Russian intelligence" and more like sloppily re-using an ostensibly non-attributable network or nameserver they didn't realize was already burned.
We're still kind of in the infancy of cyberwarfare. Attribution will probably be harder in a few decades.
But, yes, it's generally a matter of TTPs, target selection, goal analysis, and style.
You can see it in Bellingcat's investigations - carelessly reusing burners, calling from GRU offices, reusing passports, calling from two burners one immediately following the other.
Yep, all enabled by the fact that Russia is so corrupt, anyone can pretty easily buy any data about anything on anyone. So any private citizen with a bit of money and some skills can effectively act like a para-intelligence agency, which is essentially what Bellingcat is.
For anyone curious, they have two excellent articles on this from a few days ago:
There was also an amazing investigation into this published yesterday by a Russian outlet, interviewing some of the black market data brokers and law enforcement officers (both of whom claim some of the brokers will be hunted and killed by the state, now):
That's just fancy technical terms to justify the propaganda. If these kinds of "hard proof" which definitively link hacks to nation state actors exist, why are they never publicly revealed?
Might still be backed by old-fashioned HUMINT - maybe an asset in Russia told someone. If so, that might be trustworthy, but also needed to be kept secret. If I needed to publicize and justify such information, I might try to claim that "the coding of the exploit was consistent with Russian tradecraft" or something like that...