
Comment by viraptor

3 days ago

That's a whole area called "attribution". There's usually lots of breadcrumbs and people talking to each other about their findings. It goes down to silly things like many state sponsored hackers working 9-5. And having the right keyboard layout. And using the same version of something as another known group. And accidentally once including a file path that reveals a tiny bit of information. And using the same key in two places that connects them. And...

Of course a lot of that can be spoofed, but you may still slip up. That's why they talk about high confidence.
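The "working 9-5" breadcrumb mentioned above is one of the few that can be quantified from timestamps alone. The following is an added example (not code from the thread or from any vendor's attribution tooling) showing how an analyst would score candidate UTC offsets by how many observed events fall inside a local Monday-to-Friday 09:00-17:00 window. The event timestamps are constructed, the whole-hour offset range and the 9-to-5 window are assumptions, and the margin over the runner-up offset is a rough stand-in for the "confidence" the comment refers to: one breadcrumb like this is weak on its own and is easy to fake, so it only counts when it lines up with the other indicators.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of operator-side actions (for example
# first-seen times of infrastructure check-ins or commits in a shared toolkit).
# Not real data; built so that the activity sits at 01:30-08:30 UTC on weekdays.
_utc = timezone.utc
_monday = datetime(2024, 1, 8, tzinfo=_utc)  # 2024-01-08 is a Monday
SAMPLE_EVENTS = [
    _monday + timedelta(days=d, hours=h, minutes=30)
    for d in (0, 1, 2, 3, 4, 7, 8, 9, 10, 11)  # two working weeks, Mon-Fri
    for h in range(1, 9)                        # 01:30 .. 08:30 UTC
]
# A couple of off-hours outliers so the fit is not perfect.
SAMPLE_EVENTS += [
    _monday + timedelta(days=5, hours=20),   # Saturday 20:00 UTC
    _monday + timedelta(days=12, hours=20),  # Saturday 20:00 UTC, next week
]

# Assumed local "9-to-5" window, half-open: hours 9..16 count, 17 does not.
WORK_START, WORK_END = 9, 17


def in_working_hours(ts: datetime, offset_hours: int) -> bool:
    """True if `ts` lands on a weekday inside the 9-5 window at this UTC offset."""
    local = ts.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def working_hours_fit(events, offsets=range(-12, 15)):
    """Fraction of events inside the local weekday 9-5 window, per UTC offset.

    Whole-hour offsets only (an assumption; some real zones use :30 or :45).
    """
    total = len(events)
    return {
        off: sum(in_working_hours(ts, off) for ts in events) / total
        for off in offsets
    }


def best_offset(events):
    """Return (offset, fit, margin) for the best-fitting whole-hour UTC offset.

    `margin` is the gap to the runner-up offset: a small margin means the
    timestamps alone do not separate neighbouring zones and the indicator
    should not carry weight without corroboration.
    """
    ranked = sorted(working_hours_fit(events).items(),
                    key=lambda kv: kv[1], reverse=True)
    (top, top_fit), (_, runner_up) = ranked[0], ranked[1]
    return top, top_fit, top_fit - runner_up


if __name__ == "__main__":
    off, fit, margin = best_offset(SAMPLE_EVENTS)
    sign = "+" if off >= 0 else "-"
    print(f"best fit: UTC{sign}{abs(off)}  "
          f"({fit:.1%} of events in weekday 9-5, margin {margin:.1%})")
```

With the constructed input the best fit is UTC+8 with 80 of 82 events in-window; the two adjacent offsets each drop to 70 of 82, so the margin is about 12 points. On real data the analyst would also look at whether the off-hours outliers cluster (holidays, a second operator) rather than treating the top score as an answer by itself.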

If it's a known avenue of identification, one would think a state-sponsored group would have policies in place to combat that sort of fingerprinting. All of that would also be trivial to spoof/plant so as to distract from the real source.

> That's why they talk about high confidence.

I don't think "Just trust us" is good enough, not when there are various groups - the companies reporting these hacks included - with incentives to blame China.

  • > If it's a known avenue of identification, one would think a state-sponsored group would have policies in place to combat that sort of fingerprinting.

    It relies on people not being perfect and not caring that much. So far, it's working pretty well and the identification leaks are consistent for years.

Anthropic probably doesn't have the independent capabilities to perform a full definitive attribution of sophisticated cyberattacks. They likely detected misuse of their tools and then worked with/provided information to the intelligence community (who are familiar with the modus operandi of Chinese APTs) who then did the attribution.