Publicly accusing an entity of a cyberattack could have negative consequences that organizations should consider before taking the plunge.
RSAC 2026 CONFERENCE – San Francisco – Questions about threat actor attribution, including how to do it and why you might want to hold off, are not as straightforward as they may first seem.
Attribution is a wide-ranging topic that mostly boils down to "Whodunnit?" for cyberattacks. Depending on the attack and various circumstances, you may read somewhere that a bespoke threat group, such as a ransomware gang, compromised an organization's network. Sometimes it's a "cluster," designed to connect a pattern of activity without strictly connecting a threat actor or nation to that activity with complete certainty. Often, a cybersecurity vendor will use their own custom naming taxnomy to track threat groups, like Salt Typhoon or Sandworm, even though the threat actors themselves would never use those names.
This gets more complicated when those names are used both as an internal signifier to describe a pattern of activity as well as a vendor marketing tool to share research or present a threat.
A panel at RSAC 2026 Conference, titled "We Think It Was Them: The Perils of Attribution in Public Statements," dug into some of the questions of attribution that are not always asked: How often is attribution a sure thing? Should you always publicly attribute? What are the risks of attempting to attribute a threat actor? Axios reporter Sam Sabin hosted the panel, which featured FTI Consulting senior advisor Brett Callow, Institute for Security and Technology chief strategy officer Megan Stifel, and Cooley LLP partner Mike Egan.
Egan agreed, saying it's rarely 100% clear an attacker conducted an attack unless the attacker wants their involvement known. That's without even considering the propensity for entities like ransomware groups to lie and take credit for attacks they might not be responsible for — another complicating factor in attribution.
He added that for some of his legal clients, a recurring misconception has been that attribution may divert responsibility from the defender and improve the narrative surrounding an attack because it gives the impression that there was no way to avoid something so sophisticated.
"We've had instances of that in the past where the FBI has come out and told the company, 'Listen, 99% of companies wouldn't be able to withstand this attack. This is a pure nation-state attack.' I get the attraction behind that, but it changes the narrative a bit and then can make some people a little bit more concerned," Egan explained. "Now all of a sudden, we're not talking about just a personal data breach and something bigger, and that story sticks around longer."
Attribution may also impact things like cyber insurance coverage, the panelists said. For example, some insurance claims from victims of the NotPetya ransomware attacks in 2017 initially were denied, because the providers argued that the policies didn't cover acts of war. The ransomware attacks were initially directed at Ukraine before spreading to other countries and were attributed to Russian nation-state actors, specifically the notorious Sandworm threat group.
However, there can also be risks to not attributing an attack. Stifel, who was previously an attorney in the National Security Division at the US Department of Justice (DOJ), pointed out that, depending on the attack, if an organization declines to make an attribution case, that could signal acceptance or even assent of the behavior.
Sabin asked about situations where an entity (like a government, company, or a victim organization) isn't ready to make a concrete attribution but reality gets in the way; for example, if a reporter gets a scoop that an attack took place, it could put pressure on the victim organization. There are obvious risks for prematurely attributing an attack, even though victims may not want someone else to set a narrative for them. All three panelists approached the question from a different angle.
Stifel said that one option is to simply say "no comment" or acknowledge that the party is aware of reports or that an incident has occurred, and that investigation is ongoing. Egan, speaking from a legal perspective, advocated for keeping clients on the "no comment" line and letting the investigation play out. "Oftentimes the best answer is no answer. We're concentrating on the investigation."
Callow disagreed, at least in part.
"I don't think 'no comment' is ever a good response. If you don't fill that gap, somebody else will," he said. "You don't necessarily have to attribute the attack, but you should, for example, say the investigation is ongoing."
RSAC 2026 CONFERENCE – San Francisco – Questions about threat actor attribution, including how to do it and why you might want to hold off, are not as straightforward as they may first seem.
Attribution is a wide-ranging topic that mostly boils down to "Whodunnit?" for cyberattacks. Depending on the attack and various circumstances, you may read somewhere that a bespoke threat group, such as a ransomware gang, compromised an organization's network. Sometimes it's a "cluster," designed to connect a pattern of activity without strictly connecting a threat actor or nation to that activity with complete certainty. Often, a cybersecurity vendor will use their own custom naming taxnomy to track threat groups, like Salt Typhoon or Sandworm, even though the threat actors themselves would never use those names.
This gets more complicated when those names are used both as an internal signifier to describe a pattern of activity as well as a vendor marketing tool to share research or present a threat.
A panel at RSAC 2026 Conference, titled "We Think It Was Them: The Perils of Attribution in Public Statements," dug into some of the questions of attribution that are not always asked: How often is attribution a sure thing? Should you always publicly attribute? What are the risks of attempting to attribute a threat actor? Axios reporter Sam Sabin hosted the panel, which featured FTI Consulting senior advisor Brett Callow, Institute for Security and Technology chief strategy officer Megan Stifel, and Cooley LLP partner Mike Egan.
Misconceptions Surrounding Threat Actor Attribution
Callow said that when it comes to attribution, a common misconception is that the process is definitive rather than probabilistic. He said it is almost always a case of it being "more likely than not that a particular entity was responsible, but that nuance doesn't always get carried out."Egan agreed, saying it's rarely 100% clear an attacker conducted an attack unless the attacker wants their involvement known. That's without even considering the propensity for entities like ransomware groups to lie and take credit for attacks they might not be responsible for — another complicating factor in attribution.
He added that for some of his legal clients, a recurring misconception has been that attribution may divert responsibility from the defender and improve the narrative surrounding an attack because it gives the impression that there was no way to avoid something so sophisticated.
"We've had instances of that in the past where the FBI has come out and told the company, 'Listen, 99% of companies wouldn't be able to withstand this attack. This is a pure nation-state attack.' I get the attraction behind that, but it changes the narrative a bit and then can make some people a little bit more concerned," Egan explained. "Now all of a sudden, we're not talking about just a personal data breach and something bigger, and that story sticks around longer."
Attribution and Risk
While firmly attributing an attack can seem appealing, the panelists said there are consequences to consider. Callow said that, on the whole, definitive attribution is "extremely risky" because it means bringing third parties into the discussion. "That could be a nation or it could be a for-profit criminal enterprise. In either case, whatever you say to them can attract considerable blowback and invite comments," he said.Attribution may also impact things like cyber insurance coverage, the panelists said. For example, some insurance claims from victims of the NotPetya ransomware attacks in 2017 initially were denied, because the providers argued that the policies didn't cover acts of war. The ransomware attacks were initially directed at Ukraine before spreading to other countries and were attributed to Russian nation-state actors, specifically the notorious Sandworm threat group.
However, there can also be risks to not attributing an attack. Stifel, who was previously an attorney in the National Security Division at the US Department of Justice (DOJ), pointed out that, depending on the attack, if an organization declines to make an attribution case, that could signal acceptance or even assent of the behavior.
Sabin asked about situations where an entity (like a government, company, or a victim organization) isn't ready to make a concrete attribution but reality gets in the way; for example, if a reporter gets a scoop that an attack took place, it could put pressure on the victim organization. There are obvious risks for prematurely attributing an attack, even though victims may not want someone else to set a narrative for them. All three panelists approached the question from a different angle.
Stifel said that one option is to simply say "no comment" or acknowledge that the party is aware of reports or that an incident has occurred, and that investigation is ongoing. Egan, speaking from a legal perspective, advocated for keeping clients on the "no comment" line and letting the investigation play out. "Oftentimes the best answer is no answer. We're concentrating on the investigation."
Callow disagreed, at least in part.
"I don't think 'no comment' is ever a good response. If you don't fill that gap, somebody else will," he said. "You don't necessarily have to attribute the attack, but you should, for example, say the investigation is ongoing."