[screen 1]
An inauthentic network spreads divisive content. Researchers detect the coordination. Platforms remove the accounts. But who operated it?
Was it a state intelligence service? A private firm hired by a government? Ideological activists? Determining attribution - who is responsible - is technically and politically complex, yet essential for effective response.
[screen 2]
Why Attribution Matters
Identifying the actors behind FIMI (foreign information manipulation and interference) operations enables:
- Appropriate responses: Diplomatic measures, sanctions, platform policies, legal action
- Public awareness: Exposing operations reduces effectiveness
- Strategic understanding: Learning adversary tactics and objectives
- Deterrence: Imposing costs on those conducting operations
- Accountability: Domestic and international consequences
But attribution requires high confidence - false attribution has serious consequences.
[screen 3]
The Attribution Stack
Multiple types of evidence contribute to attribution:
- Technical indicators: IP addresses, infrastructure, malware signatures
- Behavioral patterns: Activity timing, coordination, targeting
- Linguistic markers: Language features, vocabulary, idioms
- Content analysis: Narratives, themes, specific claims
- Operational security failures: Mistakes that reveal identity
- Human intelligence: Inside information about operations
High-confidence attribution typically requires multiple converging indicators.
[screen 4]
Technical Attribution
Digital forensics examines technical traces:
- IP addresses and geolocation: Where did activity originate? (But VPNs and proxies complicate this)
- Device fingerprints: Patterns in device types, browsers, operating systems
- Account creation patterns: Email providers, phone numbers, registration timing
- Payment information: How were ads or services paid for?
- Infrastructure links: Shared servers, domain registrations, hosting providers
Technical evidence is important but not conclusive - sophisticated actors obscure these traces.
[screen 5]
Behavioral Attribution
Patterns of activity can indicate origins:
- Timing analysis: When are accounts active? (Does the activity correspond to specific time zones?)
- Coordination patterns: Simultaneous or sequenced activity suggesting central coordination
- Network structure: How accounts connect and interact
- Targeting: Who is targeted reveals adversary interests
- Persistence: Long-running operations suggest resources and motivation
Behavioral analysis often reveals coordination even when individual accounts seem authentic.
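Added example (not part of the original course material): a minimal sketch of the timing and coordination checks listed above, run over a constructed post log. The account names, timestamps, the 09:00-17:00 working window and the 60-second burst threshold are all assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real network): account, UTC post time.
POSTS = [
    ("acct_a", "2024-03-04T16:01:10"), ("acct_b", "2024-03-04T16:01:25"),
    ("acct_c", "2024-03-04T16:01:40"), ("acct_a", "2024-03-04T18:30:00"),
    ("acct_b", "2024-03-04T20:15:00"), ("acct_c", "2024-03-04T22:45:00"),
    ("acct_a", "2024-03-05T17:20:00"), ("acct_b", "2024-03-05T19:05:00"),
    ("acct_c", "2024-03-05T23:50:00"), ("acct_d", "2024-03-05T23:50:30"),
    ("acct_a", "2024-03-05T23:50:45"), ("acct_d", "2024-03-05T08:10:00"),
]

def parse(posts):
    """Return (utc_datetime, account) tuples sorted by time."""
    return sorted((datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), acct)
                  for acct, ts in posts)

def best_workday_offset(posts, start=9, end=17):
    """Return (utc_offset_hours, share): the offset that puts the largest
    share of posts inside local start..end. Many regions share one offset,
    so this is one indicator to corroborate, not an attribution."""
    hours = Counter(t.hour for t, _ in parse(posts))
    total = sum(hours.values())
    def share(offset):
        return sum(n for h, n in hours.items()
                   if start <= (h + offset) % 24 < end) / total
    best = max(range(-12, 15), key=share)
    return best, share(best)

def coordinated_bursts(posts, window_s=60, min_accounts=3):
    """Return (window_start, accounts) for each window in which at least
    min_accounts distinct accounts posted within window_s seconds."""
    events, bursts, i = parse(posts), [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= timedelta(seconds=window_s):
            j += 1
        accounts = sorted({a for _, a in events[i:j]})
        if len(accounts) >= min_accounts:
            bursts.append((events[i][0], accounts))
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    print(best_workday_offset(POSTS))
    for start, accounts in coordinated_bursts(POSTS):
        print(start.isoformat(), accounts)
```

Scheduling tools and shift work can move the apparent working window, so the inferred offset only narrows hypotheses; the burst list is the stronger signal of central coordination.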
[screen 6]
Linguistic Attribution
Language provides attribution clues:
- Native language interference: Grammar patterns revealing first language
- Vocabulary choices: Word selections indicating cultural background
- Translation artifacts: Evidence of machine or human translation
- Idiom usage: Culture-specific expressions
- Register: Formality levels and code-switching patterns
- Spelling: Regional variations (color vs colour)
Linguistic analysis is powerful but requires expertise - and sophisticated actors use native speakers.
[screen 7]
Content and Narrative Analysis
What is said can indicate who is saying it:
- Narrative alignment: Content matching state media narratives
- Unique claims: Specific false claims that originated with particular actors
- Framing: How issues are presented
- Omissions: What is never criticized reveals loyalties
- Coordination with events: Timing relative to geopolitical developments
If content consistently aligns with a state’s interests while never criticizing it, that’s suggestive - but not definitive.
[screen 8]
The Confidence Spectrum
Attribution confidence ranges from low to high:
- Low confidence: Suggestive patterns but limited evidence
- Moderate confidence: Multiple indicators pointing to the same actor
- High confidence: Strong technical evidence plus supporting indicators
- Very high confidence: Technical evidence plus intelligence confirmation
Public attribution typically requires high or very high confidence. Intelligence services may act on lower confidence internally.
[screen 9]
Plausible Deniability by Design
Actors deliberately obscure attribution:
- Proxy operations: Using cutouts and intermediaries
- Technical obfuscation: VPNs, stolen credentials, compromised infrastructure
- False flags: Leaving misleading evidence pointing to other actors
- Linguistic camouflage: Hiring native speakers or using better translation
- Narrative laundering: Multiple steps between origin and target audience
- Operational security: Compartmentalization, need-to-know access
These strategies make attribution resource-intensive and time-consuming.
[screen 10]
The False Flag Problem
Sophisticated actors can impersonate others:
- Using language patterns mimicking different groups
- Leaving technical traces pointing elsewhere
- Promoting narratives that seem to benefit other actors
- Creating content that appears to be domestic rather than foreign
“This looks like Actor X” doesn’t guarantee it is Actor X. Attribution requires ruling out false flag possibilities.
[screen 11]
Platform vs Government Attribution
Different actors have different attribution capabilities:
- Platforms: Access to technical data (IPs, devices, payments, coordination patterns) but limited geopolitical intelligence
- Intelligence agencies: Broader intelligence context, but much remains classified
- Researchers: Public data analysis, but limited access to account-level data
- Governments: Can combine intelligence and platform data, but political considerations affect public statements
The most confident attributions involve cooperation across these actors.
[screen 12]
The Political Dimension
Attribution isn’t just technical - it’s political:
- Diplomatic consequences: Public attribution strains international relations
- Intelligence sources: Revealing evidence might expose capabilities
- Domestic politics: Attribution claims might appear politically motivated
- Alliances: Coordinating attribution with allies takes time
- Standard of evidence: Higher for public attribution than internal intelligence
These factors explain why attribution is sometimes delayed or qualified despite strong evidence.
[screen 13]
Time Pressure vs Confidence
Attribution faces competing pressures:
- Speed: Swift attribution can disrupt operations and warn the public
- Confidence: Thorough analysis takes time
- Public demand: Media and citizens want answers quickly
- Adversary adaptation: Delay allows actors to cover tracks or adapt
This tension means early statements may be qualified (“consistent with” rather than “definitely”), with higher-confidence attributions following later.
[screen 14]
Collective Attribution
Increasingly, attribution is collaborative:
- Allied intelligence sharing: NATO, Five Eyes, EU cooperation
- Joint public statements: Multiple governments attributing together
- Platform coordination: Sharing information about networks
- Researcher networks: Independent analysis that governments can reference
Collective attribution increases credibility and reduces the isolation of targeted states.
[screen 15]
Attribution Frameworks
Organizations have developed attribution approaches:
- EUvsDisinfo: Tracks pro-Kremlin disinformation
- DFRLab, ACLED: Research organizations documenting operations
- GEC, EEAS: Government agencies analyzing foreign influence
- Platform transparency reports: Regular disclosures of removed networks
These frameworks provide systematic documentation that supports attribution efforts.
[screen 16]
When Attribution Is Impossible
Sometimes, despite evidence of manipulation, definitive attribution proves impossible:
- Insufficient technical evidence
- Successful operational security by actors
- Multiple potential actors with similar motivations
- Ambiguity about state direction vs independent actors
Inability to attribute doesn’t mean manipulation isn’t occurring. Response can focus on behavior (coordinated inauthentic behavior) rather than attribution.
[screen 17]
The Value of Partial Attribution
Even incomplete attribution provides value:
- “Consistent with Russian tactics” warns audiences without requiring full confidence
- “State-linked actors” indicates government involvement without specifying which government
- “Foreign coordination” distinguishes from domestic activity without naming the actor
Qualified attribution enables response while acknowledging uncertainty.