I wish we had more concrete evidence than "according to people familiar with the matter" though. That's kind of my issue: if these attackers are so sophisticated, how can they be sure it's this particular group?
I realize that there are probably many good reasons for not sharing deep technical details in such cases, but from the point of view of an external observer it's really hard to know who should be trusted and how solid these claims are.
A very common source of information for reporters is people who aren't authorized to speak about an issue, or people who have informal relationships with the press and don't want their names revealed publicly.
There are indeed many good reasons why specific people aren't cited in these articles, but who you're trusting is the Washington Post, not these individuals. The trust comes from what the Washington Post does when it finds out it has published false information, and its track record of making sure what it publishes as news is accurate, or corrected when discovered to be false.
As an overly generic rule, trust (or don't) the Institution over the individuals.
I'm perfectly willing to trust that the WaPo is reporting truthfully and that their sources are legit, but without concrete evidence it's hard to judge how serious the allegation really is.
Is it "they forgot to switch their VPN on once and we got a direct connection from an IP that belongs to the Russian state" like that other time (still manipulable but fairly conclusive IMO) or is it "that really looks like the modus operandi of those damn Russians and we really need somebody to pin it on right now"?
To be clear I'm not making one of those "fake news" pro-russian rants, I can totally believe that Russia would very much do the things being reproached here if given the opportunity, I just have a really hard time taking the word of an anonymous source without concrete elements in these matters because the potential for manipulation is so absolutely tremendous.
I tend to consider news reports more akin to a, “here’s what we know now” report than a, “this is the definitive explanation of what’s taken place.”
So in that spirit I agree with you. What this looks like, so far, is a sophisticated Russian attack. From here, we’re going to learn more, and that new info may change how we understand what’s happened substantially.
Though I will say I personally don’t care much that the source is anonymous, because I trust WaPo to vet what they’ve said with other sources. It’s not a perfect system, but it’s not like journalists are unaware of the groups trying to manipulate them.
Often, people who "aren't authorized" are used to plant an idea in the press, without the agency in question having to make an official statement. Whether that information is reliable depends on whether you trust the agenda of whoever decided to leak the information.
The Washington Post's record on verifying the claims of the US national security apparatus is poor. The newspaper uncritically reported false claims by the Bush administration about Iraqi WMD. Many people at the time found those claims extremely dubious, but critical voices were belittled or shut out of most mainstream reporting. More recently, the Washington Post has been all-in on Russia paranoia. That doesn't mean that everything they publish about Russian hackers is wrong, but it very well may be misinformation leaked by US intelligence officials, or something insignificant blown out of proportion and presented without any context. In December 2016, for example, the Washington Post reported that the Russians had hacked a Vermont utility. That story turned out to be complete nonsense, but the Washington Post never fully retracted it. If you look at the story today, you'll still get the impression that the Russians attempted to hack the utility, even though that aspect of the story completely fell apart. The Washington Post on Russia is a bit like Bloomberg on Chinese hackers (e.g., Supermicro).
But you should also keep in mind that organizations (or factions within organizations) will use these channels for their own purposes, to test public opinion before an official announcement, as a propaganda channel, or to undermine elected officials who are politically in charge.
> As an overly generic rule, trust (or don't) the Institution over the individuals.
That is precisely the same line of reasoning that started the Iraq War based on lies. The New York Times claimed to have intel from anonymous sources showing that Saddam Hussein had nuclear weapons, and their false reporting is what led the US to declare war. That snafu didn't happen all that long ago, and yet most people in 2020 seem to have blocked it out of their minds.
The difference is that it wasn't hard to work out the claims were nonsense. WMDs are hugely expensive, and the Iraqi economy was running on fumes at that point. That combined with US belligerence against Iraq made the claims improbable.
But Russia actually does have a strong black hat culture, with links to the political establishment. Putin is a technologically savvy kind of despot who likes sneaky low-cost high-return actions. So this fits the profile - both as a workable hack and also as a proof of concept for future attacks.
Consider the cost/benefit. Instead of physically blowing up infrastructure and security systems you can cripple them, possibly permanently, for the cost of - what? - 20 or 30 specialists, some PCs, and maybe some supercomputer time. Although even that may be optional.
It's unlikely conclusive evidence will be released, because that might reveal too much information about defence strategies. So circumstantial evidence will be as good as it gets.
But whatever the cause, clearly - clearly - all countries and larger orgs need to work much harder on security. Some decorative pen-testing isn't going to be nearly enough in the 2020s.
That's all well and good, but it fails to account for potential action by state actors other than Russia. Everything you have said applies just as much to China, if not more so.
Vetting and sourcing information accurately is a Hard Problem. I don’t expect WaPo (or anyone) to get it right all the time, but I do trust WaPo reporters to be very aware of the best ways to do it, and to let me know when they end up getting it wrong.
At some point you have to trust others to be good at their jobs, and when an org like WaPo demonstrates their proficiency over and over again, their believability rises.
I totally agree with your point (and would trust a hazy dream more than anything coming from this government), but I'd add that even if they claim to identify these parties forensically, they're often using parallel construction through their own espionage. Like in the Mueller investigation, they had a lot of firsthand knowledge of the IRA's business from inside the building (and the names of everyone that worked there). It's often not a technical conclusion based on the intrusions, but a conclusion reached by evidence gathered through other means.
Bellingcat has also done a pretty remarkable job of identifying state-employed hackers and spies just through buying Russian passport control information and other private information that's out there on the market.
> Bellingcat has also done a pretty remarkable job of identifying state-employed hackers and spies just through buying Russian passport control information and other private information that's out there on the market.
Sounds reasonable, but I don't remember reading it in the released PDF of the investigation. I actually read the whole thing; it's long but rather interesting in terms of the hacker and espionage spirit.
Because those people would lose their jobs, possibly do jail time, and possibly the story would never have broken in the first place if reporters were required to always give up their sources in the article. Usually they do vetting or it's people they've worked with before and they trust.
So far as I understand it, "hacker groups," private or state-level, are generally identified by the tools they use. The same groups will re-use the tools and exploits they have over and over, including some known libraries. Security researchers capture the malware sent out from those groups and reverse engineer them. These allow groups of malware signatures to be created, which allows researchers to start to identify potential actors. It didn't take long for the security community to start blaming certain organizations for Stuxnet, despite there being little proof of their claims...
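The comment above describes attribution by tooling: signatures extracted from reversed samples are matched against new malware, and overlap with a known group's toolkit is taken as evidence. The script below is an added illustration of that workflow, not code from this thread or from any security vendor. Every actor name, byte pattern and sample blob in it is constructed for the example, and it deliberately includes the two cases the thread worries about: a signature for shared open-source code that proves nothing on its own, and a sample that carries one indicator from each of two groups and so cannot be attributed.

```python
"""Toy tool-based attribution: match signature rules against samples and
score the overlap with each known actor's toolkit.

Added example for illustration only. All actors, byte patterns and samples
below are invented; real catalogues would be YARA rules built from reversed
malware.
"""
import re
from collections import defaultdict

# Hypothetical signature catalogue: (actor, rule name, bytes regex).
# "shared" marks code that many groups reuse (here, a fake zlib banner),
# which must not count as evidence for any single actor.
SIGNATURES = [
    ("ActorA", "loader_xor_stub", rb"\x31\xc0\x80\x34\x0b\x5a"),
    ("ActorA", "c2_beacon_uri", rb"/api/v2/ping\?id="),
    ("ActorB", "dropper_mutex", rb"Global\\svc_%08x"),
    ("ActorB", "rc4_keysched", rb"\x8a\x04\x0b\x00\xc2"),
    ("shared", "opensource_zlib_stub", rb"inflate 1\.2\."),
]

# Constructed sample blobs standing in for captured malware.
SAMPLE_ACTOR_A = (b"MZ\x90\x00" + b"\x31\xc0\x80\x34\x0b\x5a"
                  + b"GET /api/v2/ping?id=1234" + b"inflate 1.2.11")
# One indicator from each group: looks like a false flag or shared tooling.
SAMPLE_FALSE_FLAG = b"\x31\xc0\x80\x34\x0b\x5a" + b"Global\\svc_%08x"
# Only the shared library signature: nothing actor-specific.
SAMPLE_SHARED_ONLY = b"padding inflate 1.2.8 padding"


def match_signatures(blob: bytes):
    """Return (actor, rule_name) for every rule whose pattern occurs in blob."""
    return [(actor, name) for actor, name, pattern in SIGNATURES
            if re.search(pattern, blob)]


def attribute(blob: bytes):
    """Score actor-specific hits; shared tooling is reported but not scored.

    Confidence is "high" only when one actor has at least two hits and no
    other actor ties it; a tie is reported as "conflicting" rather than
    picking a winner.
    """
    per_actor = defaultdict(list)
    shared = []
    for actor, name in match_signatures(blob):
        (shared if actor == "shared" else per_actor[actor]).append(name)

    if not per_actor:
        return {"actor": None, "confidence": "none",
                "hits": {}, "shared": shared}

    ranked = sorted(per_actor.items(), key=lambda kv: len(kv[1]), reverse=True)
    best_actor, best_hits = ranked[0]
    tied = len(ranked) > 1 and len(ranked[1][1]) == len(best_hits)
    if tied:
        best_actor, confidence = None, "conflicting"
    elif len(best_hits) >= 2:
        confidence = "high"
    else:
        confidence = "low"
    return {"actor": best_actor, "confidence": confidence,
            "hits": dict(per_actor), "shared": shared}


if __name__ == "__main__":
    for label, blob in [("actor_a", SAMPLE_ACTOR_A),
                        ("false_flag", SAMPLE_FALSE_FLAG),
                        ("shared_only", SAMPLE_SHARED_ONLY)]:
        print(label, attribute(blob))
```

The scoring is intentionally naive. The point it makes is the one the comment hints at: a shared-library signature matches everyone, a single indicator is weak, and a sample that mixes two groups' tooling should be flagged as unresolved rather than pinned on whichever group is politically convenient. Real attribution layers infrastructure, timing and non-technical intelligence on top of this, which is why public signature overlap alone rarely settles the question.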
You either believe it or you don't. There have been instances where more details were released (the Clinton campaign hack, IIRC), and it just gave more opportunity for people who did not want to believe it to nitpick details.
Whoever does such things doesn't exactly sign their exploits to prove ownership. So the evidence might be something like IP addresses in log files: totally convincing if it's your log file, but so easy to manipulate that it's useless for convincing someone who does not trust you.