ATTRIBUTION AND BIAS: MY TERRIBLE MISTAKES IN THREAT INTELLIGENCE ATTRIBUTION

2022-08-12 Kaspersky

https://github.com/theseongsu/presentation/blob/main/Defcon2022_Attribution.pdf


The attribution-bias presentation uses OlympicDestroyer as a case study in misleading technical evidence and false attribution. It notes that OlympicDestroyer contained artifacts that resembled Lazarus or BlueNoroff wiper malware, including event-related filenames and Rich header similarities, but argues those clues were likely copied or manipulated to mislead analysts. The talk highlights how malware authors can plant technical markers, repurpose compiler artifacts, and exploit analyst bias, making careful evidence handling essential in threat-intelligence attribution.
