Phase II - Cyber Attribution Using Unclassified Data

From the Introduction: "In the shadowy world of cyberespionage, the game of who is to blame can be complicated and fraught with politics, turf battles, national security and geopolitical concerns. Cyber attribution occurs when indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) from the entire cyber kill chain are associated with an advanced persistent threat or APT [advanced persistent threat] group. Toward the end of the Obama administration, the Department of Homeland Security published a comprehensive list of the tools, techniques and indicators of compromise, called Grizzly Steppe, to out the Russians and their attempts to influence the 2016 presidential election. While the U.S. government has many sources of cyber threat intelligence, deriving from multiple government agencies and private-sector organizations, there is no single approach or framework that extrapolates across domains to derive cyber attribution, definitively and especially as it relates to the unclassified space. [...] All of that said, the most sophisticated and exhaustive approaches to attribution are often outside the means of most companies, and from the perspective of the government or its intelligence organizations, is usually classified or sensitive. The U.S. government remains compartmentalized in its approach to cybersecurity with no single source of 'unassailable truth.' This fact, adversely impacts our policy, geopolitical and even military responses. Senior government officials, heads of agencies, corporate executives, investors, and legislators alike share a keen and enduring interest in cyber attribution to support their decision making."

Public Domain
Retrieved From:
Office of the Director of National Intelligence: https://www.dni.gov/