PUBLIC attribution of cyberattacks is not as clear-cut as it might seem, and a panel at RSAC 2026 explored how attribution is often probabilistic rather than definitive. The discussion highlighted that naming a threat actor can carry significant blowback and may be used as a marketing tool by vendors, sometimes masking internal patterns of activity behind bespoke taxonomies such as Salt Typhoon or Sandworm.
The panel also stressed that attribution is usually “more likely than not” rather than 100% certain, since attackers may lie or misdirect deliberately. Notable examples cited included the NotPetya attacks in 2017, which were attributed to Russian nation-state actors, specifically the Sandworm group, though some uncertainties remain.
Not attributing an attack can also carry risks, with comments suggesting that a blanket refusal to attribute could signal acceptance of the behaviour, while “no comment” is not universally viewed as the best response. According to Axios reporter Sam Sabin, the ongoing investigation approach—acknowledging reports and the open nature of investigations—can help manage the narrative without prematurely naming a culprit.