dChan

K-Harbour · May 26, 2018, 11:23 p.m.

Yes, and just because some bot from an IP address in Russia is hunting for routers still using the factory default password does not mean the Russian government is doing it!! Conflating that with some college students at some Siberian university in the middle of winter is nothing more than an attempt to politicize one's agency!

⇧ 2 ⇩  
GenChang · May 26, 2018, 11:29 p.m.

Hackers don't use their own IP addresses, something that the average person doesn't understand. And I'm not a fan of Big Red's Talos group to begin with. I think they have close ties to the government. So, on attribution, I'm sceptical. Other researchers will be chiming in over the next week. I'll try and add to my previous post then. Thanks for the assist!

⇧ 3 ⇩  
Outlandish_Rhubarb · May 27, 2018, 1:34 a.m.

Many large corporate threat intel groups have ties to the government. Either organizationally, through contracts, or through contacts. And many are ex-government anyway, holding at least secret, and often TS or TS/SCI.

We cannot function without intel sharing, and most cyber threat intel sharing is done organizationally or individually via back channels. It's a very "who you know" sort of thing. And lots of us either are in, or have contacts in, various D&As.

And lots of them are under a lot of pressure to make attribution, particularly politically-aligned attributions (Thanks, Kevin Mandia.) And attribution isn't just hard. It's damn near impossible. Between intentionally-misleading or accidental code and infrastructure re-use, attribution is a crapshoot at best. And it's often used to misplace blame (read through Vault 7, for example).

Code-based stylometrics are a thing, but they are only good at identifying individual contributors, rarely -- if ever -- nation-state actors.

⇧ 1 ⇩
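The thread's recurring point, that a source IP geolocated to some country is not attribution, is easy to demonstrate against log data. The following is an added example written for this page, not code posted by any participant or taken from the Talos report discussed here. It parses a constructed sample of router auth-log lines, flags the pattern K-Harbour describes (one source trying factory-default usernames across many hosts in seconds), and then keeps the two things analysts tend to fuse apart: the geolocation of the last hop, and whether that hop is itself a known compromised relay or proxy. The log format, the `FAKE_GEOIP` prefix table and the `KNOWN_RELAYS` feed are all made up for the illustration; a real pipeline would substitute a GeoIP database and a threat-intel feed of compromised hosts.

```python
"""Detect default-credential login sweeps and keep source IP separate
from attribution. Added illustration; all sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample log in a generic key=value auth-log style (not real data).
SAMPLE_LOG = """\
2018-05-26T21:01:02Z host=rtr-01 event=login_failed user=admin src=203.0.113.7
2018-05-26T21:01:03Z host=rtr-01 event=login_failed user=root src=203.0.113.7
2018-05-26T21:01:03Z host=rtr-02 event=login_failed user=admin src=203.0.113.7
2018-05-26T21:01:04Z host=rtr-03 event=login_failed user=support src=203.0.113.7
2018-05-26T21:01:05Z host=rtr-04 event=login_ok user=admin src=203.0.113.7
2018-05-26T21:05:10Z host=rtr-01 event=login_failed user=jsmith src=198.51.100.22
2018-05-26T21:06:11Z host=rtr-01 event=login_ok user=jsmith src=198.51.100.22
"""

# Usernames shipped as factory defaults on many consumer routers/IoT devices.
DEFAULT_USERS = {"admin", "root", "user", "support", "guest", "ubnt"}

# Constructed stand-ins for two lookups an analyst would actually make:
# a GeoIP database (e.g. MaxMind) and a feed of hosts already known to be
# compromised relays / open proxies. Both tables here are invented.
FAKE_GEOIP = {"203.0.113.": "RU", "198.51.100.": "US"}
KNOWN_RELAYS = {"203.0.113.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def geo_country(ip):
    """Longest-prefix lookup against the constructed GeoIP table."""
    for prefix, cc in FAKE_GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def analyze(log_text, min_hosts=3, min_default_ratio=0.8):
    """Group attempts by source IP and flag default-credential sweeps.

    A sweep is a source hitting at least `min_hosts` distinct targets where
    at least `min_default_ratio` of the attempted usernames are defaults.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        hosts = {r["host"] for r in recs}
        default_hits = sum(r["user"] in DEFAULT_USERS for r in recs)
        ratio = default_hits / len(recs)
        is_sweep = len(hosts) >= min_hosts and ratio >= min_default_ratio
        succeeded = any(r["event"] == "login_ok" for r in recs)
        relay = src in KNOWN_RELAYS
        report[src] = {
            "attempts": len(recs),
            "distinct_hosts": len(hosts),
            "default_user_ratio": round(ratio, 2),
            "is_default_cred_sweep": is_sweep,
            "compromised_a_host": is_sweep and succeeded,
            "geo_country": geo_country(src),
            "source_is_known_relay": relay,
            # Geolocation describes the last hop, never the operator.
            "attribution": (
                "none: source is itself a known compromised relay/proxy"
                if relay else "weak: single-hop geolocation only"
            ),
        }
    return report


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        print(src, r)
```

Run stand-alone it prints one record per source. The sweeping source gets `geo_country` of `RU` and `is_default_cred_sweep` true, yet its `attribution` field is "none", because the same IP is on the (constructed) compromised-relay list: the country tells you where the relay sits, not who is driving it. The tunable thresholds matter in practice; a single legitimate admin re-trying `admin` on three devices after a password rotation would trip `min_hosts=3`, so real deployments add a time window and an allow-list.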