Attributing the adversary behind a cyber attack ranks as perhaps the hardest challenge in all of cyber security, well beyond securing networks from intrusions, for the simple reason that bits are simply bits and do not belong to any single person. In other words, I can flawlessly copy any digital content including malware and other attack exploits and re-use it without leaving behind my personal fingerprints. Furthermore, I can leverage existing infrastructure or other people’s machines I’ve compromised to run my attacks from someone you might be inclined to blame for political reasons to exploit the confirmation bias people inherently have.
Nonetheless, many private firms and security researchers are quick to reach a conclusion on who is behind an attack based on code and infrastructure re-use, as well as the tactics, techniques, and protocols (TTPs) they have previously ascribed to bad actors with cute names. The methods typically would not pass a court of law’s evidentiary standards, but are good enough for Twitter.