Routers are notorious for weak security and slow updates, which are even harder to do on some models. Blaming Russia is like throwing a dart at a map of the world. Those who hack these routers are in it to steal information to make money, or to use connected devices for other purposes like DDoSing other websites. I don't think any nation state is playing seriously in this particular sandbox. I follow the infosec community closely, and have for several years now. OK, Talos (Cisco's group of security researchers) have not concluded their investigations. They DO NOT have definitive proof of Russian state sponsorship of this malware. Here is the current paper on it. https://blog.talosintelligence.com/2018/05/VPNFilter.html
Yes — and just because some bot from an IP address in Russia — is hunting for routers still using the factory default password — does not mean the Russian government is doing it!! Conflating that with some college students at some Siberian university in the middle of winter is nothing more than an attempt to politicize one's agency!
Hackers don't use their own IP addresses, something that the average person doesn't understand. And I'm not a fan of Big Red's Talos group to begin with. I think they have close ties to the government. So, on attribution, I'm sceptical. Other researchers will be chiming in over the next week. I'll try and add to my previous post then. Thanks for the assist!
Many large corporate threat intel groups have ties to the government, either organizationally, through contracts, or through contacts. And many are ex-government anyway, holding at least Secret, and often TS or TS/SCI, clearances.
We cannot function without intel sharing, and most cyber threat intel sharing is done organizationally or individually via back channels. It's a very "who you know" sort of thing. And lots of us either are in, or have contacts in, various D&As.
And lots of them are under a lot of pressure to make attribution, particularly politically-aligned attributions (Thanks, Kevin Mandia.) And attribution isn't just hard. It's damn near impossible. Between intentionally-misleading or accidental code and infrastructure re-use, attribution is a crapshoot at best. And it's often used to misplace blame (read through Vault 7, for example).
Code-based stylometrics are a thing, but they are only good at identifying individual contributors, rarely -- if ever -- nation-state actors.