In the last year, there has been much debate over the accuracy and usefulness of attribution with regard to APT actors. Investigators have had an increasingly difficult time finding reliable and agreed-upon metrics for attributing attacks. To further complicate this issue, some APT groups have fragmented, leaving them with limited infrastructure to conduct targeted attacks (perhaps by design). At the same time, more seasoned APT groups have been following publicly available research on the topic and using this information to introduce false flags into their TTPs. Researchers have long theorized about this possibility; we would now like to provide a wealth of real-world examples of attempted false flag operations drawn from previously unpublished research. The hope is to advance more mature discussions about attribution and the technical limitations it entails, and to introduce a more realistic set of expectations for the actionable value of identifying the teams or individuals behind targeted attacks.
The in-the-wild examples substantiate previously hypothesized claims about attacker responsiveness to widely published research and the intentional tampering of relevant indicators. Many of these examples come from unpublished research and unwritten observations by the original researchers themselves. The ultimate goal is to introduce realistic directives for consumers of threat intelligence that guide their expectations about attribution, so that they can avoid the lure of sexy marketing and instead leverage data that is useful for network defence in the commercial and government sectors.