
Following the WannaCry malware being traced to North Korea, how is the malware traced to a specific country?

How I think this could be done:

  • Malware is reverse engineered to find IP addresses or domains which are located in certain countries
  • Similarities in code which are known to be from a hacking group in a country (like this for example)
  • Particular grammar mistakes or words being used

What other methods are there?

Joe

1 Answer


Entity resolution and just general intelligence is a large part of it.

When we encounter malware and reverse it and find Cyrillic characters or other indicators that the attacker is, say, Russian, and the C&C calls out to IP address A.B.C.D, it gets noted. Every bit of information we learn about a campaign gets logged in an intelligence repository of some kind. Some of this information gets shared with other institutions or sourced through third-party intelligence vendors. We learn from them, they learn from us about what threats exist.

Then later on, we may see new malware pop up. This time, they did a better job removing linguistic identifiers from the code so we don't have any starting hints as to the origin environment. But we observe that it calls out to similar domains as this other piece of malware we saw, or it too reaches out to A.B.C.D (which indicates shared infrastructure). Or it reaches out to a domain name registered to a name we've seen pop up in other campaigns.

The IP geolocation itself is usually a red herring, as most traffic gets routed through botnets or Tor. However the fact that two unique pieces of malware may reach out to the same location (regardless of what it is) does indicate commonality between the campaigns, so we correlate that with the information we already know about existing attacks.

Similarities in code are also usually a red herring; much malware is classified as 'commodity' malware which means anybody who knows where to find it can just buy it 'off the shelf' so to speak. So if I write something to steal money from Swiss banks, I can sell it to the Russian mafia, some Israeli teenager, or a Chinese government actor all the same-- now all three of them appear to be using code with linguistic hints of America/Canada/UK as the source.

Also, amusingly enough, many governments look the other way when it comes to hacking institutions in foreign countries. When we see malware that specifically does not target a given country, it's generally an indicator that the source itself is that country-- no Russian wants to get caught hacking a domestic bank when there's literally no consequence if they just do it to an American bank instead.

Ivan
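The correlation the answer describes (two samples that share a C&C address, a domain, or a registrant get linked; language hints and geolocation alone do not) can be written down as a small indicator-overlap clustering. The block below is an added example, not code from the question or the answer: the four sample records are constructed, the indicator names (`c2_ips`, `c2_domains`, `registrant`, `excluded_locales`, `strings_locale`) and the weights and threshold are assumptions chosen to make shared infrastructure count for much more than a shared language. `sample_d` shares only a locale with `sample_a`, so it stays in its own cluster, which is the "red herring" point from the answer.

```python
"""Cluster malware samples by shared indicators (added, illustrative example).

All sample data below is constructed; weights and threshold are assumptions.
"""
from collections import defaultdict
from itertools import combinations

# Constructed indicator records, one per reversed sample.
SAMPLES = {
    "sample_a": {
        "c2_ips": {"203.0.113.10"},
        "c2_domains": {"update-check.example"},
        "registrant": "j.doe@mail.example",
        "strings_locale": "ru",
        "excluded_locales": {"ru", "uk", "be"},   # malware exits on these locales
    },
    "sample_b": {
        "c2_ips": {"203.0.113.10", "198.51.100.7"},
        "c2_domains": {"cdn-static.example"},
        "registrant": None,
        "strings_locale": None,                    # linguistic hints stripped
        "excluded_locales": set(),
    },
    "sample_c": {
        "c2_ips": {"192.0.2.44"},
        "c2_domains": {"cdn-static.example"},
        "registrant": "j.doe@mail.example",
        "strings_locale": "en",
        "excluded_locales": {"ru", "uk", "be"},
    },
    "sample_d": {
        "c2_ips": {"192.0.2.99"},
        "c2_domains": {"billing-portal.example"},
        "registrant": None,
        "strings_locale": "ru",                    # only a language hint in common
        "excluded_locales": set(),
    },
}

# Assumed weights: shared infrastructure is strong evidence, language is weak.
WEIGHTS = {
    "c2_ips": 3.0,
    "c2_domains": 3.0,
    "registrant": 2.0,
    "excluded_locales": 1.5,
    "strings_locale": 0.5,
}
LINK_THRESHOLD = 2.0  # assumed: a language hint alone never links two samples


def shared_indicators(a, b):
    """Return {indicator_type: shared values} for two sample records."""
    shared = {}
    for key in ("c2_ips", "c2_domains"):
        common = a[key] & b[key]
        if common:
            shared[key] = common
    if a["registrant"] and a["registrant"] == b["registrant"]:
        shared["registrant"] = {a["registrant"]}
    if a["excluded_locales"] and a["excluded_locales"] == b["excluded_locales"]:
        shared["excluded_locales"] = set(a["excluded_locales"])
    if a["strings_locale"] and a["strings_locale"] == b["strings_locale"]:
        shared["strings_locale"] = {a["strings_locale"]}
    return shared


def link_score(shared):
    """Weighted evidence that two samples belong to one campaign."""
    return sum(WEIGHTS[key] for key in shared)


def cluster(samples, threshold=LINK_THRESHOLD):
    """Union samples whose pairwise link score reaches the threshold.

    Returns (clusters, edges): clusters as a sorted list of sorted tuples,
    edges as {(x, y): (score, shared_indicators)} for every pair.
    """
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    edges = {}
    for x, y in combinations(sorted(samples), 2):
        shared = shared_indicators(samples[x], samples[y])
        score = link_score(shared)
        edges[(x, y)] = (score, shared)
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = defaultdict(set)
    for name in samples:
        groups[find(name)].add(name)
    return sorted(tuple(sorted(g)) for g in groups.values()), edges


if __name__ == "__main__":
    clusters, edges = cluster(SAMPLES)
    for (x, y), (score, shared) in edges.items():
        print(f"{x} <-> {y}: score={score} shared={shared}")
    print("clusters:", clusters)
```

Transitive links are what make this useful: `sample_a` and `sample_c` never share an address, but `sample_b` shares an IP with one and a domain with the other, so all three land in one cluster; a real repository also needs a cooling-off rule for shared hosting and public proxies, which would otherwise link unrelated campaigns.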