During an active incident, attribution details are not published. This incident still has people responding to it, and potentially further impacted victims. Indicators of compromise are published to allow for entities to hunt for malware or evidence of breach within their environments, but details that directly attribute a particular strain of malware to a threat actor are generally not shared (at least with the general public). Publishing those details could cause the threat actor to change those details and therefore evade detection and persist in impacted environments.
In this particular case, even though the known impacted entity count is around 250, around 18 thousand entities downloaded the backdoored version of SolarWinds and are at risk. Publishing attribution details now could negatively impact their response. When respected entities in the field make a claim on attribution, generally it is accepted as if those entities were lying, their service (and potentially some of their executives as they are publicly traded in some cases) would go to jail.
It's important to note that each responding team will have access to different data sources and be able to make different claims as a result. CrowdStrike declined to do attribution, whereas FireEye was more definitive with naming a group. This is likely as FireEye was impacted first hand and was able to capture indicators that are not public. (One of the steps of IR is containment, where you observe a threat actors activity to figure out where they are in your environment, so you literally get to watch them some.)
The people in charge of the various government agencies are politicians without experience in this area true, but they are briefed and educated by the experts that do have experience in that space. Likewise, Washington Post is known for vetting stories in this space carefully. At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).
Anyways, if you're interested in this space, go find your local incident response (DFIR) meetup and ask how they track malware families. IP addresses are probably not one of their best signals for who made malware or executed an attack.
>At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).
Great post overall, but I disagree here. It's indeed very likely Russian intelligence did the compromise, but it's still unclear if this particular "leaks for sale" offer is legitimate or just a random unrelated troll trying to make quick money before they get outed as fake. It does sound similar to the Shadow Brokers offer, but that could easily be emulated (and probably would be emulated if a scammer was trying to sound like Russia).
It could be legitimate, but I would be highly skeptical unless/until they release some samples of what they have. The Shadow Brokers started out not providing anything but later started leaking things to prove they weren't lying.
So I'd say this is worth keeping an eye on, but shouldn't be taken very seriously until they post at least some shred of evidence supporting their claims.
>when Russian associated actors leaked the NSA toolset
Has anyone actually attributed TSB to Russian actors? I don’t think so.
The US government certainly hasn’t made such claim, to my knowledge the mainstream press hasn’t made such a claim and neither have any of the companies you’d usually trust to make such assessments.
During an active incident, attribution details are not published. This incident still has people responding to it, and potentially further impacted victims. Indicators of compromise are published to allow for entities to hunt for malware or evidence of breach within their environments, but details that directly attribute a particular strain of malware to a threat actor are generally not shared (at least with the general public). Publishing those details could cause the threat actor to change those details and therefore evade detection and persist in impacted environments.
Let's take the Google breach of 2009, known as Operation Aurora as an example (https://en.wikipedia.org/wiki/Operation_Aurora). China was claimed to be the culprit at the time, but it was not until three years later that Fireeye / Mandiant finally published the details that were used to track and identify the threat actor as part of their APT1 report (https://www.fireeye.com/blog/threat-research/2013/02/mandian...).
In this particular case, even though the known impacted entity count is around 250, around 18 thousand entities downloaded the backdoored version of SolarWinds and are at risk. Publishing attribution details now could negatively impact their response. When respected entities in the field make a claim on attribution, generally it is accepted as if those entities were lying, their service (and potentially some of their executives as they are publicly traded in some cases) would go to jail.
It's important to note that each responding team will have access to different data sources and be able to make different claims as a result. CrowdStrike declined to do attribution, whereas FireEye was more definitive with naming a group. This is likely as FireEye was impacted first hand and was able to capture indicators that are not public. (One of the steps of IR is containment, where you observe a threat actors activity to figure out where they are in your environment, so you literally get to watch them some.)
The people in charge of the various government agencies are politicians without experience in this area true, but they are briefed and educated by the experts that do have experience in that space. Likewise, Washington Post is known for vetting stories in this space carefully. At this stage in the game, it is highly unlikely it is not Russia, as this sales pitch is very similar to when Russian associated actors leaked the NSA toolset. It too was advertised for sale via bitcoin (https://en.wikipedia.org/wiki/The_Shadow_Brokers).
Anyways, if you're interested in this space, go find your local incident response (DFIR) meetup and ask how they track malware families. IP addresses are probably not one of their best signals for who made malware or executed an attack.