That time signature shows the movement of information through an organization and between organizations as clearly as DNA does. Currently I'm reading this new paper by Herb Lin and you can't see that inside the paper.
The original post from 2013 follows:
We had this whole section in the early Unethical Hacking classes where we talked about attribution, and anti-attribution methodology. To summarize it, we realized that there are some things that can be trivially changed by an exploit team - obviously the strings inside the trojans are the best example of these. Or the emails they register their cover accounts with. These mean nothing. But there is meta-data they cannot change easily. What follows we call the tripod of cyber attribution: 1. Knowledge of particular vulnerabilities, exploits, or techniques. This produces a "chain"-like time-based fingerprint that is extremely difficult to spoof, since you would need to replicate the entire Chinese technology tree to pretend to be Chinese. Simply stealing some exploits won't do, because you'll never have an exploit or exploit technique BEFORE they go public with it. And you can also add "time to mature and deploy a technology" to your analysis, making it a very robust indicator. This is also true of operator methodologies, analysis techniques, and attack surfaces. 2. Targeting. This is hard to change because it results not from technological restrictions, but from policy restrictions and turf wars. If you're not allowed by the Politburo to steal Chinese data, then you won't. Faking this is possible, but it's somewhat complex. This, of course, is why it's also dangerous to do "collision prevention" on your rootkits. If you never catch Rootkits A and Q on the same box, ever in the history of time, then A and Q are from the same team (or allied teams). 3. Dissemination. It's hard to pretend to be Russian if the data you are stealing from Dow Chemicals ends up in Chinese state-owned enterprise's product lines. This is one reason economic espionage efforts are so dangerous to groups trying to hide attribution. In any case, completely extraneous to this topic: Lurene did a podcast you should listen to in your car or whatever - http://theloopcast.podbean.com/2013/01/16/episode-6-offensive-cyber/ . It's kind of like eavesdropping on two random people in a Starbucks in DC who are talking about cyber - which .... is any two random people in a Starbucks in DC, according to my sampling. :> -dave