
It was not done by a bunch of amateurs, that is for sure. Now everything points to Russia, but those are also the most obvious clues to leave, as who would question it. However...we know the NSA wants to be in every system, and this kind of operational security and evasion screams of the NSA to me.


Could the NSA just tell the rest of the government to pretend it was Russia?

It's not like any of us would know better.


> Now everything points to Russia

How do we know this is Russians? To my knowledge it's very common practice to obfuscate origins before launching a campaign like this by washing through several different countries.

You could leave stuff like comments or references that would suggest it was the Russians, there's just no way of knowing, so I follow the fundamentals of political sabotage: whoever benefits most is the culprit. Who has the most to lose and gain here?


Yeah, no.

The various Russian APTs have tooling they prefer to use and are attributable to them. This is generally fairly stable because these are professionals who spend years learning specific toolchains, programming, and skills, and do not really change it up much, since they don't have to. Even if they're attributed, what is the world going to do? Toss a bomb into Russia?

And before you get started, yes, security professionals are aware that you can obfuscate that, but there are already techniques to defeat this second layer of obfuscation.

If multiple sources are saying this was probably Russia, they probably have a decent bit of proof.


Hmm, I hadn't considered that, but how do you find out what tools were being used to produce the payload source code? How can you be certain? Could another adversary simply use the same tooling, or perhaps it is shared with an allied nation (enemy of my enemy is a friend) to do its bidding?


These people are incredibly smart. https://link.springer.com/article/10.1186/s42400-020-00048-4 https://www.blackhat.com/html/webcast/07072020-how-attackers...

TL;DR:

> They highlight that not only malware samples and their specific properties (such as compiler settings, language settings, certain re-occurring patterns and the like) are useful, but also information available outside the actually attacked infrastructure, including data on the command & control infrastructure.

Yes, you can obfuscate certain things, but it's hard to obfuscate EVERYTHING, and if you dig deep enough, you can make a decent effort at finding the owner.


From reading the paper, it seems like it would be difficult for a private hacking group to manage but completely doable for someone like the NSA. They could outfit an entire team to work somewhere else for an extended period of time, making behavior profiles unreliable.


Why would the NSA bother with hacking American companies? The American security establishment is only one warrant or national security letter away from getting all the information they need from any of these companies.


The NSA has plenty of reasons it might want to infiltrate the DHS or other agencies.


Except the CIA and other actors have been known to impersonate the methods of other nation states, so attribution is never the smoking gun you're claiming it to be.


That was certainly my point...every nation state does its best to obfuscate its code and point somewhere else.


This is good in theory, until you yourself get owned by someone else, who now all of a sudden knows exactly what you think is a tell-tale sign of some other actor.

From there on they can modify their payloads to look like they come from another toolchain.