Attributing a cyberattack to a specific actor or nation is an analytic exercise that combines forensic investigation with intelligence tradecraft, and the U.S. government has formalized both the process and the language for expressing confidence in its conclusions. The Office of the Director of National Intelligence published a public guide to cyber attribution in 2018 that outlines the methodology. The Congressional Research Service (CRS) has incorporated that framework into its most recent cyberattack compendium, making the attribution scaffolding explicit rather than assumed.
The Investigation Process
Investigators begin with the attributes of the event itself. Tradecraft — the specific techniques, tactics, and procedures used to carry out the attack — is analyzed alongside the malware deployed, the features that malware exhibited (keylogging, encryption, credential harvesting), and the infrastructure used to command and control it. That baseline technical analysis is then corroborated against government intelligence, cybersecurity firm research, think tank analysis, and reporting from news organizations. The goal is to minimize human error, surface competing theories, and stress-test any attribution hypothesis before it is formalized.
Confidence levels are expressed in three tiers. High confidence means investigators believe beyond a reasonable doubt that the attributed party is responsible and that no viable alternative theory holds. Moderate confidence indicates clear and convincing evidence but acknowledges that alternative actors remain possible. Low confidence signals that evidence points in a direction but significant information gaps persist. These designations carry real consequences — high-confidence attribution can support indictments and diplomatic action, while low-confidence claims typically remain internal.
The Source Hierarchy
Not all attribution claims are equal. The CRS distinguishes four levels of source authority. Primary sources — court convictions, grand jury indictments, and official government statements — sit at the top. A conviction under the Computer Fraud and Abuse Act or the Economic Espionage Act is the most authoritative attribution instrument available. Below primary sources sit secondary sources, primarily cybersecurity firm research, which typically includes technical evidence but lacks access to classified signals intelligence. Firms have historically avoided naming nation-states directly, preferring to track actor sets under internal codenames like APT designations. Supposed sources — statements from unnamed government officials reported by mainstream media — provide corroboration but cannot be independently examined. Conjecture, including victim claims and social media attribution, rounds out the bottom of the hierarchy with minimal evidentiary value.
Why Attribution Remains Difficult
Sophisticated adversaries actively work to degrade the quality of attribution evidence. Nation-state actors in particular stand up new infrastructure for individual campaigns rather than reusing known command-and-control servers. They scrub logs, route traffic through compromised third-party systems, and deliberately employ techniques associated with other threat actors to introduce noise into forensic analysis. A Chinese APT impersonating Russian tradecraft, or a Russian group operating through servers in neutral countries, can push an attribution claim from high confidence to moderate or low without much difficulty if the deception is executed cleanly.
The CRS methodology addresses this by limiting its inventory strictly to primary-source attributions. Operations that generated official statements but no evidentiary documentation were excluded. The result is a list that undersells the actual volume of attributed activity while providing the highest available confidence in what it does include. That trade-off — completeness sacrificed for evidentiary integrity — is the correct one for a document intended to inform legislation and oversight. It is a narrower lens than policymakers might wish, and a more honest one than the threat landscape typically receives.