We've got like 12 years of historical records tracking the evolution of internal tooling and infrastructure that Cozy Bear uses. Yeah attribution is hard, yeah someone could have been trying to frame them, but in general these groups tend to use a lot of in-house tools and consistent infrastructure and techniques.
The evidence was absolutely overwhelming. It isn't like someone saw an IP in Russia and assumed it must be Russians. The intelligence agencies had been tracking them for years. They knew exactly who was doing exactly what within the Fancy Bear organization. They know when people joined up and how they were introduced to their GRU handlers. The idea that these attributions are just thrown around whimsically is pure ignorance.
Here's the article I was trying to remember last night about how Dutch intelligence actually hacked security cameras and watched the DNC hack go down live.
Misattributions happen, but Fancy Bear / Cozy Bear is extremely well understood, and they don't generally make much of an effort to hide the fact that it was them that did it. For them, it's often about sending a message.
According to Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye's incident response arm:
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
https://en.wikipedia.org/wiki/Cozy_Bear
Did you read the Fancy Bear indictments for the DNC hack?
https://www.justice.gov/file/1080281/download