> What I mean is some technical explanation that it is Russia and how they arrived at the conclusion.
I have no specific knowledge, but essentially, most of the evidence is likely to be circumstantial, with chains of inferences from co-occurrences of targets, tools, techniques, and other 'fingerprints', various bits of which may occasionally be confirmed or refuted by humint (which may or may not be reliable).
It is very unlikely that there is any single piece of info that definitively ties the attack to a particular actor (except maybe sigint), and with sufficient effort a false-flag operation can successfully lead to a mistaken conclusion, at least temporarily, but that's harder than it seems.
Any actor that tries to imitate the signature of a different actor by only using stuff from the other guy's bag of tricks is by definition only using tools that have been detected and are known; which means that countermeasures are likely to also be known and in use. Adding anything novel on top of that to increase the chances of the attack's success is incorporating a signal that WON'T be present in the chosen fall-guy's future efforts (unless previously undetected tools can be stolen from the fall-guy), which may (eventually) undermine the desired conclusion.
Figuring out whodunnit requires an essentially Bayesian approach, except the data is usually circumstantial, and priors - themselves always contingent on even earlier data - are of uncertain reliability and must when possible be tested against later assumed-reliable data from other channels for consistency (and when inconsistent, deciding whether new data trumps priors or vice versa is a bitch).
Nevertheless, given how much data there typically is, it isn't too often that something comes along (like the discovery of a mole, which invalidates assumptions about what the opposition knows, and knows you know, etc.) to upend everything and break or reverse whole chains of inference.
So, while we might eventually find out some of the circumstantial evidence that led to the attribution to a particular actor, we won't ever be told what other previous evidence (itself circumstantial) ties that evidence to that actor. E.g. "Toolchain X used in this attack is linked to Actor Y, but we can't tell you how we know they are linked. Sorry-not-sorry." ¯\_(ツ)_/¯
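The Bayesian reasoning the comment above describes, as an added worked example that is not part of the original post: a toy attribution model in which each circumstantial indicator carries a likelihood under every candidate hypothesis plus a reliability score for the channel that reported it, and a consistency check that flags the indicators pulling against the leading hypothesis (here, a novel implant that a false-flagger would have had to add on top of the known toolchain). The hypotheses, priors, indicator names and all numbers are constructed for illustration and correspond to no real actor or case.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed toy: three hypotheses about who ran an intrusion.
HYPOTHESES = ["actor_Y", "actor_Z_false_flag", "other"]


@dataclass
class Indicator:
    """One circumstantial observation and how each hypothesis would explain it."""
    name: str
    # P(observation | hypothesis) for each candidate, as judged by the analyst
    likelihoods: Dict[str, float]
    # Confidence in the channel that reported it: 1.0 = seen directly,
    # 0.0 = no better than a coin flip (e.g. an unvetted single-source tip)
    reliability: float


def effective_likelihood(ind: Indicator, hypothesis: str) -> float:
    """Discount a likelihood by channel reliability.

    The reported likelihood is mixed toward an uninformative 0.5, so a
    source with reliability 0 moves the posterior by nothing at all.
    """
    return ind.reliability * ind.likelihoods[hypothesis] + (1.0 - ind.reliability) * 0.5


def posterior(priors: Dict[str, float], indicators: List[Indicator]) -> Dict[str, float]:
    """Sequential Bayesian update over all indicators, then normalise."""
    post = dict(priors)
    for ind in indicators:
        for h in post:
            post[h] *= effective_likelihood(ind, h)
    total = sum(post.values())
    return {h: p / total for h, p in post.items()}


def leading(post: Dict[str, float]) -> List[str]:
    """Hypotheses ordered from most to least probable."""
    return sorted(post, key=post.get, reverse=True)


def inconsistent_indicators(indicators: List[Indicator], post: Dict[str, float]) -> List[str]:
    """Indicators whose Bayes factor favours the runner-up over the leader.

    These are the observations an analyst has to revisit: either the prior
    (and the earlier chain of inference behind it) is wrong, or the
    indicator is (planted, misreported, or just noise).
    """
    first, second = leading(post)[:2]
    flagged = []
    for ind in indicators:
        bayes_factor = effective_likelihood(ind, first) / effective_likelihood(ind, second)
        if bayes_factor < 1.0:
            flagged.append(ind.name)
    return flagged


# Constructed sample inputs (not real intelligence; purely illustrative).
PRIORS = {"actor_Y": 0.5, "actor_Z_false_flag": 0.2, "other": 0.3}

INDICATORS = [
    # A known toolchain previously tied to Y: a false-flagger imitating Y
    # would reuse it too, so it barely separates Y from Z-imitating-Y.
    Indicator("toolchain_X", {"actor_Y": 0.8, "actor_Z_false_flag": 0.7, "other": 0.05}, 0.9),
    # A never-before-seen implant: not in Y's known bag of tricks, so it is
    # the signal that pulls against the Y story.
    Indicator("novel_implant", {"actor_Y": 0.3, "actor_Z_false_flag": 0.6, "other": 0.4}, 1.0),
    # A single-source humint tip naming Y, heavily discounted.
    Indicator("humint_tip_Y", {"actor_Y": 0.7, "actor_Z_false_flag": 0.3, "other": 0.3}, 0.5),
]


def run_example():
    """Return the posterior and the list of indicators that cut against it."""
    post = posterior(PRIORS, INDICATORS)
    return post, inconsistent_indicators(INDICATORS, post)


if __name__ == "__main__":
    post, flagged = run_example()
    for h in leading(post):
        print(f"{h:22s} {post[h]:.3f}")
    print("indicators pulling against the leading hypothesis:", flagged)
```

With these constructed numbers the posterior still favours actor Y (about 0.65 against 0.31 for the false-flag hypothesis), but the novel implant is flagged as the one observation inconsistent with that conclusion, which is exactly the kind of item that gets re-examined as later data from other channels arrives.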