How do you know what country is actually behind any of this? I’d imagine that would be very difficult given nation states can host content anywhere in the world and will want to make it look like it’s coming from elsewhere.
Staring hard at all the details and figuring it out?
The thing with trying to hide yourself is you have to do everything right to guarantee some false flag operation will work but if you make enough mistakes in this process there will be reasonably high-confidence links between some action and some person.
An example that I _have_ seen in some write up: some snippet of malware code showing up in a stack overflow question (with the shape and user variables being the same).
At one point it's like... probably that person. Of course maybe there are other indicators to the contrary but that's data for you. Gotta use your noggin a bit.
I don’t work in this field, but my impression has been that groups tend to share techniques and code patterns that can help tie them back to where they came from.
By connecting multiple details such as IP addresses, connection/flow logs, known CnC servers, etc. You seem to be expecting some magic simple answer but the reality is the same as other investigative work: doing the work in the details as a professional. Just because this work is difficult and inherently has some ambiguity doesn't mean you can just dismiss every attribution from your armchair.
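As an added illustration of the "connect flow logs to known CnC servers" step (example code, not from any commenter), this script takes constructed flow-log lines in an assumed `timestamp src dst port bytes` format, finds hosts that reached a constructed list of known C2 addresses, and then pivots to the other destinations those hosts contacted shortly afterwards; a destination shared by several C2-linked hosts is a stronger link than one seen from a single host.

```python
# Added example (not from the thread): correlate constructed flow-log
# lines with a constructed list of known C2 addresses, then pivot from
# the hosts that contacted a known C2 to the other destinations those
# hosts reached around the same time. Every address and log line below
# is constructed for illustration (RFC 5737 / RFC 1918 ranges); the
# log format is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_C2 = {"203.0.113.10", "198.51.100.77"}  # constructed indicator list

FLOW_LOGS = """\
2024-03-01T10:00:05 10.0.0.5 203.0.113.10 443 12000
2024-03-01T10:00:40 10.0.0.5 192.0.2.200 8443 800
2024-03-01T10:01:10 10.0.0.9 198.51.100.77 443 64000
2024-03-01T10:02:00 10.0.0.9 192.0.2.200 8443 1200
2024-03-01T10:05:00 10.0.0.12 192.0.2.50 443 3000
2024-03-01T11:30:00 10.0.0.5 192.0.2.201 80 500
""".splitlines()

def parse_flow(line):
    """Split one constructed flow-log line into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def c2_contacts(lines, known_c2=KNOWN_C2):
    """Map each host that talked to a known C2 address to its first-seen time."""
    seen = {}
    for ts, src, dst, _, _ in map(parse_flow, lines):
        if dst in known_c2 and src not in seen:
            seen[src] = ts
    return seen

def pivot_candidates(lines, known_c2=KNOWN_C2, window=timedelta(minutes=10)):
    """Destinations (not already known C2) reached by C2-linked hosts within
    `window` of their first C2 contact, keyed by destination -> sorted hosts."""
    first_c2 = c2_contacts(lines, known_c2)
    hits = defaultdict(set)
    for ts, src, dst, _, _ in map(parse_flow, lines):
        t0 = first_c2.get(src)
        if t0 is None or dst in known_c2:
            continue  # host never reached a C2, or dst is already known
        if abs(ts - t0) <= window:
            hits[dst].add(src)
    return {dst: sorted(hosts) for dst, hosts in hits.items()}

if __name__ == "__main__":
    for dst, hosts in sorted(pivot_candidates(FLOW_LOGS).items()):
        print(f"{dst}: contacted by {len(hosts)} C2-linked host(s): {hosts}")
```

The late 192.0.2.201 flow falls outside the time window, so it is not surfaced; that is the kind of ambiguity the investigator still has to weigh by hand.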