I think you’ll find TAG regularly gives assessment on attribution at least at the country level. Iran, China, Russia, Belarus and North Korea at least have been named in the last few years.
How do you know what country is actually behind any of this? I’d imagine that would be very difficult given nation states can host content anywhere in the world and will want to make it look like it’s coming from elsewhere.
Staring hard at all the details and figuring it out?
The thing with trying to hide yourself is you have to do everything right to guarantee some false-flag operation will work, but if you make enough mistakes in this process, there will be reasonably high-confidence links between some action and some person.
An example that I _have_ seen in some write up: some snippet of malware code showing up in a stack overflow question (with the shape and user variables being the same).
At one point it's like... probably that person. Of course maybe there are other indicators to the contrary but that's data for you. Gotta use your noggin a bit.
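The "same shape and same variable names" signal in the comment above can be made concrete. This is an added example, not code from any commenter or from the write-up referenced: it strips a C-like snippet down to its structural skeleton (author-chosen names become ID, literals become NUM), then scores two snippets on (a) overlap of the identifier names the author picked and (b) overlap of 4-token n-grams of the skeleton. The three snippets are constructed for the example; the function and variable names in them are made up.

```python
"""Code-reuse scoring between a recovered snippet and a candidate forum post.

Added example for this discussion; all snippets below are constructed.
"""
import re
from collections import Counter

# Tokenizer for C-like source: identifiers, integer literals, multi-char
# operators (listed before the single-char fallback so they win), punctuation.
TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|&&|\|\||<<|>>|\+\+|--|[^\s\w]")
IDENT = re.compile(r"[A-Za-z_]\w*")
C_KEYWORDS = {
    "int", "char", "unsigned", "void", "for", "while", "if", "else", "return",
    "sizeof", "static", "const", "struct", "break", "continue", "long", "short",
}


def tokenize(src):
    return TOKEN.findall(src)


def identifiers(src):
    """Names the author chose: identifiers that are not language keywords."""
    return {t for t in tokenize(src) if IDENT.fullmatch(t) and t not in C_KEYWORDS}


def shape(src):
    """Structural skeleton: names -> ID, numbers -> NUM, keywords/operators kept."""
    out = []
    for t in tokenize(src):
        if t in C_KEYWORDS:
            out.append(t)
        elif IDENT.fullmatch(t):
            out.append("ID")
        elif t.isdigit():
            out.append("NUM")
        else:
            out.append(t)
    return out


def ngrams(seq, n=4):
    """Multiset of length-n windows over a token sequence."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def jaccard(a, b):
    """Jaccard index; works on plain sets and on Counter multisets."""
    if isinstance(a, Counter):
        inter = sum((a & b).values())
        union = sum((a | b).values())
    else:
        inter = len(a & b)
        union = len(a | b)
    return inter / union if union else 0.0


def compare(sample, candidate, n=4):
    """Score how much `candidate` looks like a source of `sample`."""
    ids_a, ids_b = identifiers(sample), identifiers(candidate)
    return {
        "identifier_overlap": jaccard(ids_a, ids_b),
        "shared_identifiers": sorted(ids_a & ids_b),
        "shape_similarity": jaccard(ngrams(shape(sample), n), ngrams(shape(candidate), n)),
    }


# Constructed: a routine as it might appear in a recovered binary's source.
MALWARE = """
void xk_enc(unsigned char *buf, int len, unsigned char kz) {
    int i;
    for (i = 0; i < len; i++) {
        buf[i] = buf[i] ^ kz;
        kz = (kz << 1) | (kz >> 7);
    }
}
"""

# Constructed: the same routine as pasted into a hypothetical Q&A post,
# with one line written slightly differently.
FORUM = """
void xk_enc(unsigned char *buf, int len, unsigned char kz)
{
    int i;
    for (i = 0; i < len; i++) {
        buf[i] ^= kz;
        kz = (kz << 1) | (kz >> 7);
    }
}
"""

# Constructed control: an unrelated loop with the same generic structure.
UNRELATED = """
int sum_list(const int *vals, int count) {
    int total = 0;
    for (int i = 0; i < count; i++) {
        total += vals[i];
    }
    return total;
}
"""

if __name__ == "__main__":
    for name, cand in (("forum post", FORUM), ("unrelated", UNRELATED)):
        print(name, compare(MALWARE, cand))
```

The two scores answer different questions: identifier overlap catches an author reusing their own odd names, which survives reformatting; skeleton n-gram overlap catches the same control flow and operator sequence even after renaming. Against the control snippet, the only shared name is the loop counter `i`, which is why a lone common identifier should carry little weight, and why such a match is one link in a chain rather than the attribution itself.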
I don’t work in this field, but my impression has been that groups tend to share techniques and code patterns that can help tie them back to where they came from.
By connecting multiple details such as IP addresses, connection/flow logs, known CnC servers, etc. You seem to be expecting some magic simple answer, but the reality is the same as other investigative work: doing the work in the details as a professional. Just because this work is difficult and inherently has some ambiguity doesn't mean you can just dismiss every attribution from your armchair.
Here’s a question I expect you’ll never answer: is it within the capabilities of any groups within the West (state-sponsored or otherwise) to fabricate the information you’re using to make those assessments? And if so, how have you decisively eliminated this possibility?
I ask because it’s broadly accepted that there are extremely powerful and wealthy entities in the West who benefit from an aggressive US foreign policy and heightened geopolitical tensions.
There are several sections of the Vault 7 leaks that showed the CIA had tools that could be used to fake the attribution of attacks. Some argue there are other uses for those tools besides faking the source of an exploit, but knowing they have the capability makes it impossible to eliminate as a possibility.
Probably, but even more simply they have the capabilities to just direct intelligence agencies, politicians, and news corporations, and big internet and social media companies to put the blame wherever they like. There is no need for a perfect technological solution.
Hack something shoddy together, go to war/regime change/etc, and worst case if it does come to light that the "intel" was wrong, a well-placed "whoopsie-daisy" is enough to wash hands of all responsibility or scrutiny.