Figuring out who's behind a cyberattack is hard — something that cybersecurity experts will tell you time and time again.

It's why some were understandably surprised when the Ontario regional transit operator Metrolinx claimed on Tuesday evening that it had fallen victim to a North Korean cyberattack.

Coming out publicly… escalates the stakes. — Mark Nunnikhoven, Trend Micro

So far, neither Metrolinx nor the Ontario government have offered any evidence to back up that claim. The lack of information has made it difficult to understand the severity of the attack, let alone know how Metrolinx concluded North Korea was to blame.

"Coming out publicly, saying it was a particular nation state, escalates the stakes for no apparent reason," said Mark Nunnikhoven, who is a vice president at the cybersecurity company Trend Micro.

"There's not enough information publicly released to make that statement confidently. If they have additional evidence that supports that, that would be excellent. But as it stands right now, that statement doesn't have enough evidence to hold up."

Often, cybersecurity researchers who study such attacks will release detailed reports outlining their findings, in part to back up their claims. But because of how difficult it can be to successfully attribute who is behind most cyberattacks, it's less common for researchers to confidently point to a nation state as the culprit.

And if they do, given the severity of such a claim, they usually explain their reasoning.

"Simply saying 'Hey, that's North Korea' with nothing to back it up, is not the sort of statement I would put a lot of faith in," says Eva Galperin, the director of cybersecurity at the digital rights group the Electronic Frontier Foundation (EFF).

North Korean leader Kim Jong-un observes a military drill in an undated photo released in April 2014. Metrolinx provided no evidence to back up its claim of a North Korean attack. (KCNA/Reuters)

Indicators of compromise

Part of what makes attribution difficult is that it's not hard for hackers to cover their tracks. They might route their attack through another country — say, Russia — to make it appear to come from them, or seek obscurity through tools like virtual private networks or the anonymizing network Tor.

So researchers often look elsewhere for clues or, says Galperin, "indicators of compromise."

I can only tell you where the room is. — Eva Galperin, Electronic Frontier Foundation

They might look for links with prior attacks — say, similarities between the malware used, the infrastructure used to communicate with the malware, or the targets. Or perhaps the tools and targets are different, but the attacker's behaviour remains the same. Researchers might look for the people or organizations behind the IP addresses where attacks originated, where the infrastructure is hosted, or the web domains used.

"And while none of these is absolutely certain" — some hackers have been found to share tools and infrastructure with other groups, for example, complicating attribution — "these are the sorts of things that you need to do in order to make an educated guess about attribution," Galperin says.

Metrolinx, which oversees transit for the Toronto and Hamilton area, has declined to provide any of this information, citing "security" reasons.

Cybersecurity researchers who study attacks against companies or dissidents will often release detailed public reports outlining their findings, in part to back up their claims. (Jim Urquhart/Reuters)

'Very few full attributions'

In many cases, it can take months, or even years, before researchers are able to attribute attacks to a particular group — and that might still be as far as they get.

"Who that entity is in real life, their motivations, their aspirations — that is very, very, very difficult to do from the outside," Nunnikhoven says. "We make very few full attributions."

In a report earlier this month from the security firm Lookout and the EFF, researchers traced the activity of a group they called Dark Caracal to the Lebanese General Security Directorate building in Beirut — but only after years of Dark Caracal's activity being misattributed to other cybercrime groups.

And it can be harder still to definitively link a group with a country. EFF and Lookout, for example, stopped short of saying Lebanon was definitely behind Dark Caracal — only that a Lebanese government building played a role.

"I'm not in the room when it happens," Galperin says. "I can only tell you where the room is."

Similarly, the University of Toronto's Citizen Lab has been tracking an ongoing spyware campaign targeting Mexican lawyers, journalists, politicians and activists — all of whom happen to oppose the Mexican government on various issues.

"Our technical methods do not permit us to conclusively attribute these operations to a particular customer," of the spyware used, the researchers wrote in their most recent report. "However, each finding, as well as extensive investigations by Mexican organizations, contribute to the mounting circumstantial evidence pointing to an entity or entities within Government of Mexico."

Trend Micro, meanwhile, is one of the many cybersecurity firms tracking the activity of Fancy Bear — also called Pawn Storm or APT28 — which infiltrated the U.S. Democratic Party in 2016, and has more recently been targeting Olympic organizations ahead of next month's Winter Games. Many researchers believe the group has links to the Russian government, though to which of its agencies remains unclear.

"Even with four years of evidence, we cannot confirm that they are nation-state sponsored," Nunnikhoven said. "The only thing that we can say confidently is that they have Russian-related interests, and that's based on their attack profile, and how they're attacking."