It's very reasonable and necessary to be skeptical when no evidence is presented, but I think the tenor and nature of the skepticism and critique should go beyond what essentially seems to reduce to "oh yeah well what if they were framed why even bother naming anyone".
It may very well not be North Korea, but you at least have to grant them some degree of charity in the sense that they're confidently putting their neck out there and saying "we really think the North Korean government is behind this". If they didn't have high confidence in the claim, they wouldn't have clearly attributed it to them like they did.
As you retorted, the default response in these situations would indeed be to say "a sophisticated entity" or "a sophisticated, possibly government-sponsored entity". Often even if you're pretty sure you know who it is.
Laying it all out on the field like they did probably suggests months and hundreds/thousands of man-hours of deep investigation to be sure they really got it right. They have some of the best security people in the world and rely on people taking their company and security teams seriously, so when they make such a claim, they know it carries a lot of weight and liability.
As others have mentioned, publicly presenting APT attribution evidence is often a double-edged sword for these sorts of things. Especially when you're Google and have a dual role of both threat research and directly protecting a lot of systems and customers against the threats you're researching. The more you tip your hand, the harder both jobs become, and you lose some of the mutual benefit you get from having both kinds of insight.
Also, circumstantially, the North Korean government has shown a pattern of things like this for decades. Even if you hypothetically assumed 90% of the North Korean attributions by private industry and intelligence agencies are wrong (very doubtful IMO; but just for the sake of argument), the remaining 10% would still make this newly reported attack unsurprising for them. That of course certainly doesn't mean people should default to blaming them whenever they're accused, but it means the prior probability for these sorts of attacks isn't low, so it wouldn't be shocking if it is true.
And, finally, just on how such attributions are done in the first place: at least as of 2021, it's often not as hard as you might think. The interesting thing about attribution is it flips the infamous "attacker's edge" around.
Attackers have a huge advantage when targeting a system/organization in that defenders have to win every time, but attackers often only have to win once to start infiltrating and pivoting. Conversely, covert attackers trying to evade or misdirect attribution need to successfully cover all of their tracks, but forensic investigators often only need to discover one mistake to start pulling on threads and pivoting. And, in both cases, the bigger and more complex the surface area, the more likely at least one opening will be found.
> The interesting thing about attribution is it flips the infamous "attacker's edge" around.
Q: Do we think that anyone in North Korea, never mind anyone in power in North Korea, cares whether some group in the West "attributes" another alleged hack to them?
> forensic investigators often only need to discover one mistake to start pulling on threads and pivoting
Would that be the forensic investigators who can't actually disclose their evidence of the "mistake" because it might help the adversary?
> Q: Do we think that anyone in North Korea, never mind anyone in power in North Korea, cares whether some group in the West "attributes" another alleged hack to them?
Possibly. It's true that they may just not care at all. But it's difficult to know how they work and think internally.
> Would that be the forensic investigators who can't actually disclose their evidence of the "mistake" because it might help the adversary?
It would be the investigation/research team and whoever's leading them who would be making that decision. But, basically, yes.