If you're going to blame a cyberattack on North Korea, you'd better show your work

Attribution is hard, which is why security experts want to see evidence to back up the claim by an Ontario transit agency that it was hit by a North Korean cyberattack.

Transit operator Metrolinx says it was hit by North Korean hackers. Experts want evidence

Security experts were surprised when Metrolinx, the agency that oversees transit in the Toronto and Hamilton area, claimed it had fallen victim to a North Korean cyberattack. (John Rieti/CBC)

Figuring out who's behind a cyberattack is hard, something that cybersecurity experts will tell you time and time again.

It's why some were understandably surprised when the Ontario regional transit operator Metrolinx claimed on Tuesday evening that it had fallen victim to a North Korean cyberattack.

"Coming out publicly escalates the stakes." Mark Nunnikhoven, Trend Micro

So far, neither Metrolinx nor the Ontario government has offered any evidence to back up that claim. The lack of information has made it difficult to understand the severity of the attack, let alone know how Metrolinx concluded North Korea was to blame.

"Coming out publicly, saying it was a particular nation state, escalates the stakes for no apparent reason," said Mark Nunnikhoven, who is a vice president at the cybersecurity company Trend Micro.

"There's not enough information publicly released to make that statement confidently. If they have additional evidence that supports that, that would be excellent. But as it stands right now, that statement doesn't have enough evidence to hold up."

Often, cybersecurity researchers who study such attacks will release detailed reports outlining their findings, in part to back up their claims. But because of how difficult it can be to successfully attribute who is behind most cyberattacks, it's less common for researchers to confidently point to a nation state as the culprit.

And if they do, given the severity of such a claim, they usually explain their reasoning.

"Simply saying 'Hey, that's North Korea' with nothing to back it up, is not the sort of statement I would put a lot of faith in," says Eva Galperin, the director of cybersecurity at the digital rights group the Electronic Frontier Foundation (EFF).

North Korean leader Kim Jong-un observes a military drill in an undated photo released in April 2014. Metrolinx provided no evidence to back up its claim of a North Korean attack. (KCNA/Reuters)

Indicators of compromise

Part of what makes attribution difficult is that it's not hard for hackers to cover their tracks. They might route their attack through another country (say, Russia) to make it appear to come from there, or seek obscurity through tools like virtual private networks or the anonymizing network Tor.

So researchers often look elsewhere for clues or, says Galperin, "indicators of compromise."

"I can only tell you where the room is." Eva Galperin, Electronic Frontier Foundation

They might look for links with prior attacks: say, similarities between the malware used, the infrastructure used to communicate with the malware, or the targets. Or perhaps the tools and targets are different, but the attacker's behaviour remains the same. Researchers might look for the people or organizations behind the IP addresses where attacks originated, where the infrastructure is hosted, or the web domains used.

"And while none of these is absolutely certain" (some hackers have been found to share tools and infrastructure with other groups, for example, complicating attribution) "these are the sorts of things that you need to do in order to make an educated guess about attribution," Galperin says.

Metrolinx, which oversees transit for the Toronto and Hamilton area, has declined to provide any of this information, citing "security" reasons.

Cybersecurity researchers who study attacks against companies or dissidents will often release detailed public reports outlining their findings, in part to back up their claims. (Jim Urquhart/Reuters)

'Very few full attributions'

In many cases, it can take months, or even years, before researchers are able to attribute attacks to a particular group, and that might still be as far as they get.

"Who that entity is in real life, their motivations, their aspirations: that is very, very, very difficult to do from the outside," Nunnikhoven says. "We make very few full attributions."

In a report earlier this month from the security firm Lookout and the EFF, researchers traced the activity of a group they called Dark Caracal to the Lebanese General Security Directorate building in Beirut, but only after years of Dark Caracal's activity being misattributed to other cybercrime groups.

And it can be harder still to definitively link a group with a country. EFF and Lookout, for example, stopped short of saying Lebanon was definitely behind Dark Caracal, only that a Lebanese government building played a role.

"I'm not in the room when it happens," Galperin says. "I can only tell you where the room is."

Similarly, the University of Toronto's Citizen Lab has been tracking an ongoing spyware campaign targeting Mexican lawyers, journalists, politicians and activists, all of whom happen to oppose the Mexican government on various issues.

"Our technical methods do not permit us to conclusively attribute these operations to a particular customer," of the spyware used, the researchers wrote in their most recent report. "However, each finding, as well as extensive investigations by Mexican organizations, contribute to the mounting circumstantial evidence pointing to an entity or entities within Government of Mexico."

Trend Micro, meanwhile, is one of the many cybersecurity firms tracking the activity of Fancy Bear (also called Pawn Storm or APT28), which infiltrated the U.S. Democratic Party in 2016, and has more recently been targeting Olympic organizations ahead of next month's Winter Games. Many researchers believe the group has links to the Russian government, though to which of its agencies remains unclear.

"Even with four years of evidence, we cannot confirm that they are nation-state sponsored," Nunnikhoven said. "The only thing that we can say confidently is that they have Russian-related interests, and that's based on their attack profile, and how they're attacking."