Highly Evasive Attacker Leverages SolarWinds Suppl...

[rixed]

Attribution is indeed always the part that make me doubt about entire security related articles. Each and every time I looked into how such attacks were attributed to this or that country the evidence, if not the reasonning, were severely lacking at best. There is too much at stake in those affairs that it is safer to assume that only fabricated stories and counter fires are told about it all.

[lawnchair_larry]

The part you’re missing is that they don’t tell you how they did the attribution, and there are good reasons for this. You’re assuming that you know what they know.

[rixed]

Speaking with confidence is not enough to be taken seriously on this topic saturated with marketing, politics and mythomaniacs. Especially when a quick Google search is enough to find plenty of such attributions:

> The IP address was linked to the GRU HQ itself. https://www.techradar.com/news/defending-against-nation-stat...

> one website that helped to coordinate them, StopGeorgia.ru, was hosted at an IP address that belonged to a company headquartered next to a GRU-connected military research institute https://www.wired.com/story/us-blames-russia-gru-sweeping-cy...

> Dragos researcher Joe Slowik noticed that one IP address identifying a server in Hungary used in that APT28 campaign matched an IP address listed in the CISA advisory https://www.wired.com/story/russias-fancy-bear-hack-us-feder...

> They used an Ip address that has been previously seen in other russian attributed attacks https://abcnews.go.com/WNT/video/ip-address-linked-russia-dn...

List would go on and on, and this is only for Russia. And yes I'm aware those sources are easily discarded as "non serious enough", as expected from the top results of a search engine I guess. Do your part and provide us with better sources.

[lawnchair_larry]

No, source IP address country is never the basis for attribution, and contrarian lay people always assume that’s how it works for some reason. It isn’t, at all.