Comment by hamasho
3 days ago
The threat actor—whom we assess with high confidence was a Chinese state-sponsored group—manipulated
Not surprised at all if this is true, but how can they be sure? Access logs? Do they have an extraordinary security team? Or some help from three-letter agencies?
My question is: how do they know they're from China and not some other country and just appear to be in China? It seems a good way to distract from the real source and to cause division between your adversaries.
That's a whole area called "attribution". There's usually lots of breadcrumbs and people talking to each other about their findings. It goes down to silly things like many state-sponsored hackers working 9-5. And having the right keyboard layout. And using the same version of something as another known group. And accidentally once including a file path that reveals a tiny bit of information. And using the same key in two places that connects them. And...
Of course a lot of that can be spoofed, but you may still slip up. That's why they talk about high confidence.
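To make the "working 9-5" breadcrumb from the comment above concrete, here is an added example (not code from the thread, from Anthropic, or from any vendor report) of the working-hours heuristic analysts actually apply to activity timestamps. It takes UTC timestamps of attacker activity (C2 check-ins, logins, commits, whatever was logged), re-bases them into every whole-hour UTC offset, and scores how much of the activity falls in a Monday-to-Friday 09:00-18:00 local day. The timestamps, the 09:00-18:00 assumption and both datasets are constructed for illustration; the second dataset is built deliberately to show the spoofing caveat.

```python
"""
Working-hours timezone heuristic for attribution.

Added example, not code from the thread or from any vendor's report.
All timestamps are constructed; the 09:00-18:00 Mon-Fri working day is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18          # assumed local working day, [9, 18)
CANDIDATE_OFFSETS = range(-12, 15)    # whole-hour UTC offsets to test


def _events_local(tz_offset_hours, hours, days=5, start=datetime(2025, 1, 6)):
    """Turn local (hour, minute) activity on consecutive days into UTC timestamps.

    2025-01-06 is a Monday. Hours >= 24 mean 'early next morning', which lets a
    night shift be described relative to the day it started.
    """
    tz = timezone(timedelta(hours=tz_offset_hours))
    out = []
    for d in range(days):
        for h, m in hours:
            local = (start + timedelta(days=d, hours=h, minutes=m)).replace(tzinfo=tz)
            out.append(local.astimezone(timezone.utc))
    return out


def work_hours_score(utc_events, tz_offset_hours):
    """Fraction of events that fall in Mon-Fri 09:00-18:00 under the given offset."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    inside = 0
    for ts in utc_events:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            inside += 1
    return inside / len(utc_events)


def rank_timezones(utc_events, offsets=CANDIDATE_OFFSETS):
    """Return (offset, score) pairs, best fit first; ties broken toward UTC."""
    scores = [(off, work_hours_score(utc_events, off)) for off in offsets]
    return sorted(scores, key=lambda kv: (-kv[1], abs(kv[0])))


def hour_histogram(utc_events, tz_offset_hours):
    """Events per local hour-of-day; the shape is what an analyst eyeballs."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in utc_events)


# Constructed dataset 1: an operator in UTC+8 keeping office hours,
# plus one late-night session and one Saturday login as noise.
DAY_SHIFT = [(9, 30), (9, 45), (10, 30), (11, 0), (11, 30), (13, 30),
             (14, 0), (14, 30), (15, 30), (16, 30), (17, 0), (17, 30)]
DAY_EVENTS = (_events_local(8, DAY_SHIFT)
              + _events_local(8, [(23, 10)], days=1, start=datetime(2025, 1, 7))
              + _events_local(8, [(10, 0)], days=1, start=datetime(2025, 1, 11)))

# Constructed dataset 2: the same operator deliberately working 21:30-05:30 local,
# which is exactly a 09:30-17:30 day twelve hours away (UTC-4).
NIGHT_SHIFT = [(h + 12, m) for h, m in DAY_SHIFT]
NIGHT_EVENTS = _events_local(8, NIGHT_SHIFT)


if __name__ == "__main__":
    for name, events in (("day shift", DAY_EVENTS), ("night shift", NIGHT_EVENTS)):
        best = rank_timezones(events)[:3]
        print(name, "best-fitting offsets:", [(o, round(s, 2)) for o, s in best])
    print("local-hour histogram at UTC+8:", sorted(hour_histogram(DAY_EVENTS, 8).items()))
```

Two things the output makes visible. First, the score only narrows the source to a band of offsets (UTC+7 and UTC+9 fit the first dataset almost as well as UTC+8), and UTC+8 is shared by China, Singapore, Malaysia, the Philippines and Western Australia, so this breadcrumb corroborates other evidence rather than standing on its own. Second, the night-shift dataset is scored as a perfect UTC-4 workday: an operator who keeps unusual hours, or who fakes them, shifts the apparent origin by exactly that amount, which is why reports pair this with the other artifacts listed above and still say "high confidence" rather than "certain".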
If it's a known avenue of identification, one would think a state-sponsored group would have policies in place to combat that sort of fingerprinting. All of that would also be trivial to spoof/plant so as to distract from the real source.
> That's why they talk about high confidence.
I don't think "Just trust us" is good enough, not when there are various groups - the companies reporting these hacks included - with incentives to blame China.
Anthropic probably doesn't have the independent capabilities to perform a full definitive attribution of sophisticated cyberattacks. They likely detected misuse of their tools and then worked with/provided information to the intelligence community (who are familiar with the modus operandi of Chinese APTs) who then did the attribution.
Short version: they can’t. Just like with a lot of “CIA-style” espionage claims, the “evidence” is usually an IP that resolves to somewhere in China. That’s it. No magic, and not exactly convincing.
Well, to be fair, I have read analyses that include operational details like, for example, when the threat actors were active lining up with working hours in China. Stuff like that is at least slightly more convincing than just an IP.
But of course, that doesn't prove anything either.
I imagine Anthropic employs a lot of talent from China. Beyond the political, they should be fairly certain to publish these claims to avoid an internal shit storm.