So I guess if I were a non-Russian actor wanting to pin this on Russia I could just search for information that a Russian actor would look for to pin it on them? Equally applies if I wanted to pin this on China, Iran, and so forth? Isn’t this too simplistic or perhaps it just serves domestic political interests?
> The country's analysts were reportedly also able to track the location of the hackers' offices down to a university building next to Moscow's Red Square.
When I lived in Moscow my location was often misidentified as next to Red Square on various sites that tried to guess my location by IP or whatever else they use. I hope the analysts didn't use the same tools.
I would assume that at the point they had CCTV camera feeds they would be able to confirm the precise building by having agents watch people go in/out and compare the clothes of people on camera vs. in real life. But who knows what actually happened.
One of many methods is to look at the code page used if it is a text document or something similar. I guess if you wanted to there is nothing stopping you from making a document look like it came from a foreign country based on the document encoding. Then you have a ton of other metadata on files now that would have to match. Not exactly impossible.
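Added illustration of the code-page signal mentioned above (not part of the original thread): a small triage helper that reports the encoding evidence a text document carries (BOM, which single-byte code pages it decodes under, script composition) and flags it as a producer-controlled, spoofable signal rather than proof of origin. The sample documents are constructed here.

```python
import codecs
from typing import Optional

# Constructed sample documents for the demo; not from any real incident.
SAMPLES = {
    "utf8_bom_en": codecs.BOM_UTF8 + "Quarterly sanctions review".encode("utf-8"),
    "cp1251_ru": "Отчёт о санкциях".encode("cp1251"),
    "utf16le_ru": codecs.BOM_UTF16_LE + "Отчёт о санкциях".encode("utf-16-le"),
}

def detect_bom(data: bytes) -> Optional[str]:
    """Return the codec implied by a byte-order mark, if the file starts with one."""
    for codec, bom in (("utf-8-sig", codecs.BOM_UTF8),
                       ("utf-16", codecs.BOM_UTF16_LE),
                       ("utf-16", codecs.BOM_UTF16_BE)):
        if data.startswith(bom):
            return codec
    return None

def guess_code_page(data: bytes) -> dict:
    """Collect encoding evidence for a text document.

    Single-byte code pages overlap heavily (most Cyrillic cp1251 bytes are also
    valid cp1252), so the result is a list of candidates, never a verdict.
    """
    bom = detect_bom(data)
    if bom:
        candidates = [bom]
        text = data.decode(bom)
    else:
        candidates = []
        for enc in ("utf-8", "cp1251", "cp1252"):
            try:
                data.decode(enc)
                candidates.append(enc)
            except UnicodeDecodeError:
                pass
        text = data.decode(candidates[0]) if candidates else ""
    # Script composition of the decoded text (first candidate) as a weak hint.
    cyrillic = sum(1 for ch in text if "\u0400" <= ch <= "\u04ff")
    letters = sum(1 for ch in text if ch.isalpha())
    return {
        "bom": bom,
        "candidates": candidates,
        "cyrillic_ratio": round(cyrillic / letters, 2) if letters else 0.0,
        # The encoding is chosen by whatever tool wrote the file; anyone can
        # select a code page, so this never attributes on its own.
        "spoofable": True,
    }
```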
Or if I'm the US and want to use this hack for political gains, I would announce that certain information was targeted when in reality they just dumped everything. Why would you use the limited time you may have access to comb through data when you can just grab everything?
> “If I’m a threat actor in an environment, I’ve got a clear set of objectives. First, I want to get valuable intelligence on government decision-making. Sanctions policy makes a ton of sense,” Krebs said.
Sanctions policy is public, isn't it?
> The second thing is to learn how the target responds to attacks, or "counter-incident response," he said: "I want to know what they know about me so I can improve my tradecraft and avoid detection.”
Sounds like the quoted interviewee is looking in a mirror.
Curious, has any data come out about how hackers were initially able to breach SolarWinds build systems? The company kept trying to call this "an incredibly sophisticated attacker", and, to be sure, the payload definitely was, but despite following this pretty intensely I never saw more info about how the breach occurred in the first place.