<div dir="ltr">Two thoughts on this mess:<div><br></div><div>1. It is exceptionally rare for a breach response investigation to find just one actor. This is a big part of why attribution is hard. Investigators get bits and pieces of artifacts from multiple actors, sometimes with timelines measured in years. (CrowdStrike's own reporting suggests this is the case at DNC, the question is only to what degree.) Putting them together in any sort of conclusive narrative is almost impossible.</div><div><br></div><div>2. It seems possible to this civilian observer that SVR may have deployed a cover persona and dumped the docs as a response to the CrowdStrike report, perhaps in hopes of having a level of plausible deniability for motivations like what Dave described in the original post.</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 17, 2016 at 1:28 AM, Allen <span dir="ltr"><<a href="mailto:multimode1876@gmail.com" target="_blank">multimode1876@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>| It's entirely possible that this is a disinformation campaign, or that attribution is hard, and <span>Crowdstrike</span> made a mistake</div><div>|</div><div><br></div><div>I'm inclined to believe that while attribution may be hard there are entirely too many market incentives to brand any given attack with one of the nation state animal totems. <br></div><div><br></div><div>The fact that attribution is frequently derived from prior intelligence blended with the fact that all of the source data is confidential only lends itself to confirmation bias. A small attribution mistake by one vendor can really snowball.</div></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>