Date: 1 November 2021

Ctrl+F: Searching for the Perpetrator

The Internet plays a significant role on the geopolitical board. The intelligence services of conflicting countries carry out cyber espionage operations and precisely targeted disinformation attacks. Hackers paid by governments gain access to the systems of their enemies, and sometimes even their allies, in order to get political advantage.


In the past, in terms of espionage, diversionary, or even disinformation operations, finding the perpetrator usually equated to identifying the party responsible for such actions. Today, in the era of digital and remote cyberattacks, this is not an easy task. Attribution, or the assignment of responsibility, especially in the case of interstate relations, is a highly sensitive topic. In the context of decentralized aggressors, VPNs, Tor networks, botnets, anonymization techniques, alliances, cyber mercenaries, and false flag operations, the attribution of a remote attack with 100% certainty is, technically, incredibly difficult, yet still possible.

The attribution process, which is decidedly technical, also includes political and economic aspects. The technical part focuses on the direct evidences of cyberattacks, known as digital footprints, which include connection sources, logs, a review of the malicious code used during the attack, and much more. Analysts meticulously examine the code and software modules used in the attack. They look for known signatures and potential traces left by the authors. Network activity logs from the time of the incident, language artifacts of the software, emails, or other components used during the attack are also checked. Moreover, experts examine the security vulnerabilities used by the malware and how it entered the victim’s system. Additionally, they attempt to find out what the intruder was looking for and what was the purpose of the attack. The latter often requires economic and even geopolitical analysis. The less technical part of the analysts’ work can be compared to that of criminal investigators who use the MMO method in their search for suspects.

The MMO method is based on identifying who had the means, motive, and opportunity to commit a crime. This makes it possible to narrow down the list of suspects and sometimes even readily identify who committed the crime. In the case of cyberattacks, particularly the geopolitically inspired ones, the question concerning the attribution changes from “who did it?” to “who is to blame?” Correct attribution helps to begin the process of seeking compensation or criminal prosecution that will bring the guilty to justice, should the legislature of the attacked country be powerful enough. Attribution is highly important also in terms of defense. Assigning responsibility for an international cyberattack to specific individuals, and more importantly – identifying its ordering party, has great deterrence potential.

In recent years, we could observe that the US and its international partners were correctly identifying the perpetrators of a series of cyberattacks. In Poland, the intelligence services responsible for analyzing the recent cases of compromised emails of politicians and the attack on the website of the War Studies Academy have also identified those responsible. The most spectacular example illustrating the complex work and the use of advanced attribution techniques was the identification of those responsible for attacks on critical infrastructure, including the systems of the Westinghouse Electric Company and the US Steel Corporation, by US federal government agencies. As a result of the investigation, five soldiers from the China’s People’s Liberation Army, Unit 61398, were charged with hacking.

The first attribution is not always accurate. In 2019 and 2020, hackers broke into the computers of the Israeli government and technology companies. The initially gathered evidence pointed directly to Iran, Israel’s biggest political enemy. The cybercriminals used tools typically used by Iranian hackers. Language artifacts evidencing that the authors of the attack used Farsi were also found.

Hackers have successfully attacked the Israeli government as well as technology and telecommunications companies. What is more, they have successfully concealed their identities, leaving behind traces that mislead analysts. A recent report by FireEye, a company which yet again reviewed the data from the hacks on Israeli entities in cooperation with Israeli military agencies, have identified a new culprit. The analysis found that at the time the UNC215 group, linked to the Chinese government, used identical techniques, particularly ones making attribution difficult. Currently, the analysts of the FireEye do not have sufficient information to accurately classify the group or directly identify its members. Instead, they are certain that the UNC215 group is linked to the Chinese government and is active in the region. In line with the above, Iran was not responsible for the 2019 and 2020 attacks.

In cybersecurity, requiring a proof beyond a reasonable doubt should be mandatory. Of course, it is not always possible to gather sufficient evidence or achieve complete certainty of its authenticity. An additional problem is also the political interest of states, as a result of which the conflicted countries are eager to attribute responsibility for cyber incidents to each other.

Author: Wiktor Sędkowski

Wiktor Sędkowski graduated in Teleinformatics at the Wrocław University of Science and Technology, specialized in cybersecurity field. He is an expert on cyber threats. CISSP, OSCP and MCTS certificates holder. Worked as an engineer and solution architect for leading IT companies.

Support Us

If content prepared by Warsaw Institute team is useful for you, please support our actions. Donations from private persons are necessary for the continuation of our mission.


All texts published by the Warsaw Institute Foundation may be disseminated on the condition that their origin is credited. Images may not be used without permission.

Related posts