The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a court of law.
Nevertheless, the private sector rises to the challenge to attempt to associate cyber attacks to threat actors using the intelligence available to them. This intelligence takes the form of open-source intelligence (OSINT), or analysis of the technical intelligence (TECHINT), possibly derived from proprietary data. Indicators in these sources tend to point toward a threat actor if they have used the same methods in the past, or reused infrastructure from previous attacks.
Intelligence agencies have additional sources of intelligence available to them that are not available to the public sector. The public saw a glimpse into this with a report that the Dutch agency AIVD compromised a security camera in the building used by APT29, an infamous threat actor. This allowed the Dutch Intelligence Agencies to provide vital intelligence regarding the activities of APT29 to their allies. Such intelligence is beyond the reach of private-sector researchers.
Intelligence agencies tend to be reserved, and publish relatively few articles that include attribution, at least in comparison to the private sector. Hence, when an intelligence agency, like the UK’s National Cyber Security Centre (NCSC) directly attributed the WellMess malware to APT29 in a report endorsed by Canada’s Communications Security Establishment (CSE), the U.S.’s National Security Agency (NSA) and Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA), you can expect that these agencies have solid evidence to back their claims.
Given this, it is interesting to examine the evidence available to us as a threat intelligence and security research group to support these conclusions. Attribution is typically not our goal. We aim to protect customers against threats, raise awareness of current threats, and support the security community. We recognize that we don’t have the depth of visibility of an intelligence or law enforcement agency, but we do have access to a wealth of information, including open-source intelligence that helps us achieve our goals.