Reply to post: Re: "Or do all Russia-based hackers sit in the pocket of Kremlin?"

Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ

doublelayer Silver badge

Re: "Or do all Russia-based hackers sit in the pocket of Kremlin?"

"'Fingerprints' is very vague and hand-wavery. An example or two would go a long way..."

Examples of how attribution is done include things like these:

1. Does the code look like stuff you've seen before? At a basic level, is there an exploit that someone has used before but few others know about? If so, it's more likely to be them. At a more detailed level, drill down into the assembly and look at modules. Stuff gets reused or updated. Even a pattern of names may be illustrative. There is usually not a need to go to sufficient effort to change your entire coding style to frame someone else. If you've developed a great file spider that can quickly identify stuff of interest for exfiltration, you might decide to put it into multiple malware distributions rather than rewriting it from scratch; if your obfuscation isn't good enough, that may link them both. Attribute one to you, and the other connects too.

2. How did the code get onto the victim's systems? Was an exploit used? How about a botnet? Who do we know who has done that before? If we have a location of the source, what do we know about it? Who purchased the server? Do we have any information from historical network scans? Sometimes people are careless and information they didn't think about ends up coming back to name them. For example, people who set up fake servers sometimes forget that, even though they change the information later, the provider has the ability to recall the information they put in originally. The original Silk Road Tor drugs market was partially taken down due to its founder putting his real name in a related account.

3. Once it was there, how was it controlled? Do we have logs showing a human acting? Maybe it crashed and restarted from a manual command. What do we know about the location of control? For example, some government-backed APT groups operate on local business hours. While it's not impossible for someone else to only work 9:00-17:00 Moscow time and take off Russian holidays, there's little reason for them to disrupt their schedule. When you notice that it happens, chances are you've at least located the attacker's time zone and that it might be an organization doing it.

4. Who has used the malware for benefit? Not necessarily always available, but have they extracted data and used it somewhere we know about? For example, if you were attributing an attack on a website to a group, finding the database's contents for sale at least gives you two targets to investigate, the attacker and the seller. They might be the same, but even if they're not, they probably know each other.

5. The old-fashioned return the favor--someone knows what APT29 is up to, and I'm sure the NSA would like to hear about it. We don't know how hard the NSA has tried to gain access to various places where such information is available, but they must have tried and probably have access to some of it. This isn't available to everybody, but in a government hack, there will be a lot of government investigation of what happened.
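The working-hours heuristic from point 3, as an added example that is not part of doublelayer's comment: score every candidate UTC offset by how much of the observed C2 activity lands in a Mon-Fri 09:00-17:00 window, and report the best fit. The log lines, the 09-17 window and the assumed UTC+3 operator are constructed for illustration; holidays are not modelled.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): C2 check-ins from a victim's proxy logs,
# timestamped in UTC. The operator is assumed to keep 9-to-5 hours at UTC+3.
SAMPLE_LOG = """\
2020-12-14T06:12:41Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-14T08:47:03Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-15T07:30:55Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-15T13:58:02Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-16T06:40:10Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-17T12:15:47Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-18T09:22:33Z beacon 10.0.4.17 -> 203.0.113.9
2020-12-19T10:00:00Z beacon 10.0.4.17 -> 203.0.113.9
"""

def parse_utc_timestamps(log):
    """Pull the leading ISO-8601 'Z' timestamp from every non-empty line."""
    return [datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
            .replace(tzinfo=timezone.utc)
            for line in log.splitlines() if line.strip()]

def working_hours_fraction(events, offset_hours, start=9, end=17):
    """Fraction of events that fall Mon-Fri in [start, end) local time
    once the UTC clock is shifted by offset_hours."""
    local_tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events:
        local = ts.astimezone(local_tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events)

def infer_operator_offset(events, start=9, end=17):
    """Try every half-hour UTC offset from -12 to +14 and return the one
    (with its score) that best explains the activity as a weekday schedule."""
    best_offset, best_score = None, -1.0
    for half_hours in range(-24, 29):
        offset = half_hours / 2
        score = working_hours_fraction(events, offset, start, end)
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, best_score

if __name__ == "__main__":
    offset, score = infer_operator_offset(parse_utc_timestamps(SAMPLE_LOG))
    print(f"best fit UTC{offset:+g}: {score:.0%} of activity in 09-17 weekdays")
```

The Saturday beacon scores as noise under every offset, which is what you want: a lone weekend event should not pull the fit away from an otherwise consistent business-hours pattern.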
