Attribution in Cyber Investigations

Attribution is not a single act but a progression through levels of evidence, each adding analytical weight and each carrying its own risks of error. Practitioners sometimes describe this progression as an attribution ladder. The lowest rungs provide abundant but easily faked evidence; the highest rungs are hardest to fabricate but also hardest to reach.

In practice, most investigations reach the malware or TTP level before resource or access constraints stop further progress. Reaching actor identity typically requires a combination of technical work and non-technical intelligence, such as signals intelligence, human sources, or cooperation between law enforcement agencies across jurisdictions. Private threat intelligence firms generally stop at the cluster level and express actor identity only when a government has made a formal public attribution.

Technical attribution relies on artefacts recovered from compromised systems, network traffic captures, and threat intelligence feeds. Each indicator type has a different half-life and a different resistance to fabrication.

Malware analysis is central. A malware sample may carry compile-time metadata: the build path embedded in the binary, the compiler version used, the time zone and locale settings of the development machine, and the language of string literals. The 2017 analysis of the WannaCry ransomware found Korean-language artefacts in the code and shared code modules with tools previously attributed to the Lazarus Group, contributing to a medium-to-high confidence attribution to North Korea. Shared code does not prove shared authorship (code can be reused without permission), but it shifts the probability distribution.

Infrastructure analysis uses passive DNS data, SSL certificate histories, hosting ASN patterns, and domain registration timing to identify clusters of infrastructure that appear to have been built and managed by the same operator. Attackers who reuse hosting providers, registrars, or payment methods across campaigns create a traceable infrastructure fingerprint. The 2016 analysis linking the Democratic National Committee breach to APT28 relied heavily on shared command-and-control infrastructure between the DNC campaign and previously attributed APT28 operations.

Behavioural indicators (TTPs) are the hardest to change and therefore the most reliable over time. An actor who consistently uses spear-phishing as an initial access vector, pivots to specific lateral movement tools, and exfiltrates data at predictable times leaves a pattern that persists even when they replace their malware entirely. The MITRE ATT&CK framework provides a structured vocabulary for recording and comparing TTPs across incidents, making cross-incident comparison tractable.

Intelligence agencies and threat intelligence firms use explicit confidence levels to communicate how strongly their evidence supports an attribution conclusion. The absence of a confidence label on an attribution claim is itself a red flag: it implies certainty that no analytical process can actually deliver. The standard three-tier model maps directly to the quality and quantity of corroborating evidence.

• Low confidence: Some indicators exist but they are sparse, single-sourced, easily spoofed, or contradicted by other evidence. An IP address in a particular country, with no corroborating malware or TTP evidence, is a low-confidence indicator.
• Medium confidence: Multiple corroborating technical indicators point to a specific actor or cluster, and the targeting and timing are consistent with the actor's known behaviour. Alternative explanations remain plausible, for example a false flag is possible but would require significant effort by a sophisticated adversary.
• High confidence: Multiple independent technical and contextual evidence streams all point to the same actor with no credible alternative explanation. High confidence does not mean certainty: it means that the probability of an alternative explanation has been reduced to a level that supports action.

The US intelligence community uses the same three-tier model (low, moderate, high) and requires analysts to state confidence levels explicitly in finished intelligence products. The UK National Cyber Security Centre and the Five Eyes alliance have adopted comparable conventions. India's National Critical Information Infrastructure Protection Centre (NCIIPC) and CERT-In have not published a formal confidence-level doctrine as of 2025, but investigators preparing reports for judicial or policy use should adopt the three-tier model as a matter of analytical discipline regardless of whether it is formally mandated.

A false flag is the deliberate planting of indicators designed to make an attack appear to originate from a different actor. It is not a theoretical concern: documented cases include the Fancy Bear-linked Olympic Destroyer malware deployed during the 2018 Pyeongchang Winter Olympics opening ceremony. The malware contained code modules, account credentials, and infrastructure artefacts that initially pointed to multiple different nation-state groups, leading to contradictory early attributions from different security firms.

Common false-flag techniques include: reusing another group's known malware or malware modules; inserting keyboard locale settings or language strings associated with a different country; routing attack traffic through infrastructure historically associated with a different threat actor; and deliberately leaving artefacts (script comments, error messages) in the language of the intended scapegoat. More sophisticated operators may even mimic another group's operational timing patterns.

Testing for false flags requires examining the coherence of the indicators as a whole. Ask whether the indicators that point to Actor X are consistent with each other, or whether some of them seem deliberately placed and inconsistent with how Actor X normally operates. Indicators that are too obvious, that appear in exactly the locations a forensic examiner would expect to find them, or that are inconsistent with the technical sophistication shown elsewhere in the attack, should be treated with scepticism. Cross-referencing indicators against a long-term profile of the suspected actor's real behaviour is the strongest counter to deliberate misdirection.

Attribution is not a purely technical exercise. The conclusions an investigator reaches, and the confidence level attached to them, carry legal and geopolitical weight that can determine criminal prosecutions, sanctions regimes, and diplomatic responses.

In India, formal attribution of a cybercrime to an identified person or organisation supports prosecution under the Information Technology Act 2000 (as amended), with electronic records and forensic reports governed by the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872). Cybercrime investigations crossing state lines involve the Bharatiya Nagarik Suraksha Sanhita 2023, which replaced the CrPC. Where personal data of Indian nationals is involved, the Digital Personal Data Protection Act 2023 may also be relevant. Investigative agencies including CBI, CERT-In, and state Cyber Crime cells produce attribution reports that feed into charge sheets and court proceedings.

Internationally, the consequences are more varied. In the United States, the Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act have been used to support grand jury indictments of foreign nationals, as in the 2018 GRU indictments and the 2014 PLA indictments. The UK uses the Computer Misuse Act 1990 and the National Cyber Security Centre issues attributions as government policy statements. The EU can impose sanctions under its Cyber Diplomacy Toolbox, which it has used against Russian and Chinese state actors. Attribution that rises to the level of a state-sponsored attack can engage the UN Charter Article 51 right of self-defence under certain conditions, though the threshold and proportionality requirements remain contested in international law.

A defensible attribution report structures evidence by layer, labels confidence levels for each layer and for the overall conclusion, tests the evidence against alternative hypotheses, and explicitly addresses the false-flag risk. Reports that present only the indicators supporting the conclusion, without engaging with counter-evidence or alternative explanations, are analytically incomplete regardless of how many indicators they cite.

The structure most consistent with intelligence analysis best practices includes: a key judgement (one sentence stating the attribution conclusion and its confidence level); the evidence base (organised by layer: network, malware, TTP, contextual); alternative hypotheses (at least one credible alternative and why it was rejected); confidence rationale (which evidence strands are most reliable and why); and the assessed false-flag risk.

Chain of custody for the underlying forensic artefacts follows the same discipline as any digital forensic report. Under the Bharatiya Sakshya Adhiniyam 2023 in India, electronic records require a certificate from a responsible official attesting to the integrity of the record. Under the US Federal Rules of Evidence, digital evidence must pass authentication requirements before it is admissible. An attribution conclusion, however well-reasoned analytically, depends entirely on the forensic integrity of the evidence base: if the malware sample or network log was not properly preserved, the attribution claim cannot be verified in court. Investigators should treat attribution analysis and forensic evidence handling as inseparable.