
Their high-confidence attribution to NSO Group is described as being based on two factors:

1. Incomplete deletion of evidence from a SQLite database, in the exact same manner observed in a previous Pegasus sample;

2. The presence of a new process with the same name as a process observed in a previous Pegasus sample.

But isn't it likely that someone with the skills needed to discover and weaponize a chain of 0-day exploits is incentivized and able to detect these quirks in Pegasus samples and imitate them, with the goal of misattribution?

Of course, there may be more factors involved in the attribution that aren't being shared publicly.
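Added illustration, not part of the thread, of the SQLite behaviour the first factor rests on: by default SQLite does not overwrite a deleted row's bytes, it only marks the space as free inside the page, so a forensic examiner reading the raw file can still find the payload. The code below (my own, with a constructed marker value) inserts rows, deletes one, then greps the database file for the deleted payload, once with the default setting and once with `PRAGMA secure_delete = ON`, which makes SQLite zero freed content. The table name, column names and marker string are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Constructed marker value: distinctive enough that a hit in the raw file
# can only come from the row we inserted and then deleted.
MARKER = b"CONSTRUCTED_MARKER_4c1e9b"


def find_residue(path, needle):
    """Return every byte offset at which `needle` occurs in the raw file.

    This is the examiner's view: no SQLite API, just the bytes on disk,
    which is where remnants of deleted rows survive.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    offsets = []
    start = data.find(needle)
    while start != -1:
        offsets.append(start)
        start = data.find(needle, start + 1)
    return offsets


def deleted_row_residue(secure_delete):
    """Insert three rows, delete the marker row, and report whether its
    payload is still present in the database file (True = residue found).

    `secure_delete=False` is SQLite's usual default; `True` sets the
    pragma so freed bytes are zeroed at deletion time.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.db")
        conn = sqlite3.connect(path)
        # Pragma must be set on the connection before the DELETE runs.
        conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, note TEXT)")
        conn.executemany(
            "INSERT INTO events (note) VALUES (?)",
            [("first row",), (MARKER.decode(),), ("third row",)],
        )
        conn.commit()
        # Middle row is deleted; its page stays allocated, so without
        # secure_delete the old cell bytes remain in the page's free space.
        conn.execute("DELETE FROM events WHERE note = ?", (MARKER.decode(),))
        conn.commit()
        conn.close()
        return len(find_residue(path, MARKER)) > 0


if __name__ == "__main__":
    print("default settings, residue found:", deleted_row_residue(False))
    print("secure_delete=ON, residue found:", deleted_row_residue(True))
```

The same file-level scan works on any SQLite database recovered from a device: the API will not show deleted rows, the bytes often will, which is why a tool that "cleans up" through the API alone leaves the kind of trace the comment describes.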




It seems like incomplete deletion of data is an error. If you are an exploit developer looking to throw investigators off your trail, it is one thing to name your processes with Pegasus names. It is another to deliberately introduce errors in your exploit to appear like Pegasus.

Your proposal is possible. It is just less likely than that this exploit was developed by NSO Group.


Since when do we assume misattribution in fingerprinting APTs?

Crowdstrike will find out it's clearly Russia behind this and Mandiant will blame China.


It usually is the US, China or Russia though; the three have a large number of experts for this. And unless you find an error in the attribution processes, they are most of the time backed up by data that appears plausible, like a server or code fragment.


>It usually is the US, China or Russia though

Interesting that you're leaving out Israel from your listing while the very subject of this article is Israeli offensive cyberwar and espionage capabilities and a profound lack of ethics.

What I was trying to convey originally is that attribution is politically expedient. If you want to saber-rattle towards China you task Mandiant to find proof of Chinese hacking, if you want to blame Russia Crowdstrike gets the job. It's like employing McKinsey consulting to give a veneer of credibility to a predetermined outcome.



