by thworp 772 days ago
re. 1:

Assuming the source of the attribution is acting with pure intentions, it is usually a preponderance of (mostly circumstantial) evidence. Does the malware and MO look similar to past known attacks? Did they leave any localized strings in the binary file, if yes does that nation have an interest in hacking the target? Does the malware use a stack of 0-days and labour-intensive obfuscation techniques (indicating a large amount of resources)? Does the whole picture make sense when you put it all together?

The above is in an ideal world, in reality almost all attributions are political and based on almost nothing. Even if they were based on some other intelligence source, how could a random member of the public verify that?

On top of the difficulty of gathering evidence, there is an incentive alignment between the heads of hacked organizations and intelligence agencies. The hacked company will look better as the victim of a "cyberattack" or a "Chinese cyberattack" than as the victim of "random.ransomware.0238023". The intelligence agency can get more funding and PR by proclaiming the same.