Threat actor attribution

Threat actor attribution is important because it helps prevent further attacks. Knowing the person(s) or group(s) behind an attack helps cybersecurity professionals understand the aims of the threat actor, predict the tactics, techniques, and procedures that might follow, search for the point of entry (including the attack vector and other enabling activities), and strengthen defenses.

Digital devices often betray information such as the user, device type, and location, but these can also be faked to muddy the water or to deliberately implicate somebody else. It is the role of the security investigator to work out what is going on! The following diagram shows a person intending to post anonymously, but the metadata in their image actually reveals their GPS location, which can be mapped using open-source mapping tools:

[Figure: How anonymous are digital actions?]
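As an added illustration of the image-metadata leak described above (example code written for this page, not part of the original text): the functions below build a constructed EXIF/TIFF blob carrying only GPS tags and then parse it back into decimal coordinates, the conversion an investigator applies before plotting a photo's position. The byte layout and the sample coordinates are assumptions constructed for the example; real JPEGs wrap this blob in an APP1 segment, which the code does not handle.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD

def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal big-endian TIFF/EXIF blob holding only GPS tags (sample data, not a real photo)."""
    gps_off = 8 + 2 + 12 + 4             # IFD0 holds a single entry: the GPS pointer
    lat_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD holds four entries
    lon_off = lat_off + 3 * 8            # three RATIONALs (num, den) of 8 bytes each
    blob = b"MM\x00\x2a" + struct.pack(">I", 8)                            # header, IFD0 at offset 8
    blob += struct.pack(">HHHIII", 1, GPS_IFD_POINTER, 4, 1, gps_off, 0)  # IFD0: count, entry, next=0
    blob += struct.pack(">H", 4)                                           # GPS IFD entry count
    blob += struct.pack(">HHI", 1, 2, 2) + lat_ref.encode() + b"\x00" * 3  # GPSLatitudeRef, ASCII inline
    blob += struct.pack(">HHII", 2, 5, 3, lat_off)                         # GPSLatitude, 3 RATIONALs
    blob += struct.pack(">HHI", 3, 2, 2) + lon_ref.encode() + b"\x00" * 3  # GPSLongitudeRef
    blob += struct.pack(">HHII", 4, 5, 3, lon_off) + struct.pack(">I", 0)  # GPSLongitude, next IFD = 0
    for num, den in lat_dms + lon_dms:
        blob += struct.pack(">II", num, den)
    return blob

def read_ifd(blob, off, e):
    """Return {tag: (type, count, value_or_offset, position_of_value_field)} for one IFD."""
    n = struct.unpack_from(e + "H", blob, off)[0]
    out = {}
    for i in range(n):
        pos = off + 2 + 12 * i
        tag, typ, count, raw = struct.unpack_from(e + "HHII", blob, pos)
        out[tag] = (typ, count, raw, pos + 8)
    return out

def gps_from_exif(blob):
    """Extract (lat, lon) in decimal degrees, or None if the blob has no usable GPS IFD."""
    e = ">" if blob[:2] == b"MM" else "<"   # byte-order mark: MM big-endian, II little-endian
    ifd0 = read_ifd(blob, struct.unpack_from(e + "I", blob, 4)[0], e)
    gps = read_ifd(blob, ifd0[GPS_IFD_POINTER][2], e) if GPS_IFD_POINTER in ifd0 else {}
    if any(t not in gps for t in (1, 2, 3, 4)) or gps[2][1] != 3 or gps[4][1] != 3:
        return None
    coords = []
    for val_tag, ref_tag, negative in ((2, 1, b"S"), (4, 3, b"W")):
        off = gps[val_tag][2]
        d, m, s = [n / den for n, den in struct.iter_unpack(e + "II", blob[off:off + 24])]
        dec = d + m / 60 + s / 3600          # degrees, minutes, seconds -> decimal degrees
        ref = blob[gps[ref_tag][3]:gps[ref_tag][3] + 1]
        coords.append(round(-dec if ref == negative else dec, 6))
    return tuple(coords)

if __name__ == "__main__":
    sample = build_exif_gps([(51, 1), (30, 1), (26, 1)], "N", [(0, 1), (7, 1), (39, 1)], "W")  # constructed sample
    print(gps_from_exif(sample))  # (51.507222, -0.1275)
```

Stripping or zeroing the GPS IFD before publication is the corresponding mitigation; the parser also shows why a spoofed location is cheap to plant, which is why such metadata is corroborative rather than conclusive evidence.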

All of these benefits exist independently of the ability to prosecute; many corporations and institutions may not want to seek prosecution for reputational, financial, or security reasons. Attribution remains important to affected corporations and institutions for the preceding reasons.

The investigation of the WannaCry ransomware attack provides a few good examples of direct, indirect, and corroborative evidence toward threat actor attribution. Analysis of the WannaCry malware surfaced a number of pieces of circumstantial evidence. Direct evidence found by the FBI linked a series of email accounts to the attack, each associated with an individual with alleged links to North Korea. The use of a font tag for Hangul (the Korean alphabet) was found, which indirectly corroborated this attribution.

Code samples, including the commenting style and the pseudorandom sequences used to generate domains, also suggested keyboard layouts and linguistic structures typical of a non-native English speaker, providing further circumstantial corroboration.

Complicating factors in this case were the reuse of code seen in other attacks and the apparent modular nature of the malware. Together with the use of Tor exit nodes, these can be seen as steps taken to introduce doubt into the attribution.
