Something I don't understand is why people don't appreciate /expect misdirection.
For instance, a malicious actor, of even basic sophistication, coming from a Russian IP and occasionally using Cyrillic and missing grammatical articles is probably not Russian. Similarly, a malicious actor with a pseudonym including the term patriot, coming from a US IP and using terms like howdy, probably is not American.
False attribution is a core lesson in malice 101.
There's a case to be made for expecting misdirection more often, but the fact remains that most people, including malicious actors, don't have the foresight and skill to pull it off. You do need both. Unless you plan a consistent fake story from the very start of an identity, execute it consistently, and hermetically isolate it from any others, you'll leave clues.
You need actual evidence to make claims like this and be believed. "Possibly not Russian/American" is self-evident due to how easy misdirection is, but "probably not Russian/American" is a matter of probability for which you've presented no meaningful data or argument.
Not that it's necessarily the case here, but you'd be surprised how many grand capers were only busted because the actor made an embarrassingly dumb mistake in leaving some obvious trail.
It's not unheard of to apply some Occam's razor just in case while keeping misdirection in mind. Even masterminds aren't perfectly rational actors that cross all their t's.
Attribution is hard, and is a critical part of Threat Analysis.
I generally agree with the quip about American patriot actors, mostly.
If your company just got pwned, you'll probably be thankful to have an excuse to tell your investors that it was a Russian/etc "state actor" and therefore they should feel sympathy for you being the victim of a foe that far outclasses your assuredly reasonable and competent security measures.
Looks a lot better than getting pwned by some jackass American teenager. So if the attack came from a Russian IP, or used some Cyrillic characters or something like that, there's a "face saving" incentive to take that probable misdirection at face value.
This is right. So many incentives are stacked in favor of making false attributions, specifically to enemy state actors:
- real attacker doesn't want to get caught
- victim doesn't want to admit being pwned by a script kiddy or petty criminal
- military-industrial complex needs foreign threat inflation to stay in business
- media loves the intrigue
The pushback would come from the foreign state being falsely slandered, but they never get a say anyways.
> False attribution is a core lesson in malice 101
I was always surprised to see security researchers confidently attributing some attack to a specific group based on easily falsifiable things like localization, alphabet, time zone, coding "style", specific targets, etc.
Even if researchers can undeniably link one attack to a certain group (like when they publicly take responsibility) and can label their style accordingly, all those indicators become at least semi-public. If the researchers have access to them, so do other actors who are free to fake or imitate them. The confidence is probably more for the media reporting.
Doubly so since warmongers will defend your persona and corporations will use the persona as a politically palatable scapegoat.