“Who did it?” is one of the first questions executives ask after a cyber incident. In medical device ecosystems—devices, gateways, cloud backends, service tools—that question comes up fast because the stakes are real: patient safety, uptime, PHI/PII exposure, and regulatory scrutiny.
Here’s the uncomfortable truth: cyber attack attribution is often uncertain, and attackers work hard to keep it that way. The good news is you don’t need courtroom-level attribution to take the actions that actually reduce risk.
This post explains why attribution is difficult, what evidence is typically reliable, and how medical device manufacturers can respond in a way that strengthens security and supports FDA-aligned, lifecycle cybersecurity.
What “attribution” means in cybersecurity
Attribution is the process of linking an intrusion or malicious activity to a specific actor (a person, group, or state sponsor) with an explicit level of confidence. In practice, there are two different “attribution goals,” and confusing them leads to bad decisions:
- Operational attribution: What happened, how it happened, and what to do next (contain, eradicate, recover, prevent recurrence).
- Strategic/legal attribution: Who did it and why (often requiring intelligence sources, corroboration, and legal thresholds).
Most medical device manufacturers should optimize for operational attribution first. It produces faster containment, better corrective actions, and cleaner evidence for risk management.
Why cyber attribution is so hard
1) Attackers borrow each other’s tools and techniques
Many adversaries reuse the same malware families, open-source tooling, exploit kits, and infrastructure. That creates a problem: the artifacts you can see may point to a “style,” not a unique actor. This is one reason defenders increasingly talk in terms of TTPs (tactics, techniques, and procedures) rather than assuming a specific group. MITRE ATT&CK exists to catalog those behaviors across the attack lifecycle. MITRE ATT&CK
2) “False flags” are real (and easier in cyber than in the physical world)
Adversaries can intentionally plant misleading indicators—language settings, compile times, code snippets, infrastructure patterns—to push investigators toward the wrong conclusion. Research on cyber false flags notes how misdirection tactics can lead to misattribution and poor response decisions. (Source: SpringerOpen, “Under false flag”.)
3) Your visibility is usually incomplete
In real incidents, logs are missing, clocks don’t match, endpoints were wiped, or a third-party hosted component won’t provide full telemetry. In MedTech ecosystems, the complexity multiplies: on-prem device networks, customer-controlled infrastructure, and cloud services all generate different evidence trails.
4) Infrastructure doesn’t equal identity
IP addresses, domains, and servers are rented, compromised, chained through proxies, or hosted in regions intended to confuse. “It came from X country” is rarely a defensible conclusion from network artifacts alone.
What evidence is most useful (and usually defensible)
You may not be able to prove who did it, but you can often prove:
- What was affected: systems, device models, cloud services, accounts, and data types
- How access was achieved: initial access vector (phishing, exposed service, stolen creds, supply chain)
- What the attacker did: TTPs, privilege escalation paths, lateral movement, exfiltration attempts
- What you observed: IOCs, logs, hashes, process trees, authentication events, network flows
CISA’s incident response guidance emphasizes practical investigation steps like collecting indicators and searching across host and network artifacts—exactly the kind of work that supports operational attribution. (Source: CISA, incident response technical approaches.)
Medical device cybersecurity: why attribution is usually the wrong primary goal
For device manufacturers, the most important question is rarely “Which nation-state was it?” It’s usually:
- Can we contain it without compromising patient safety?
- Do we need a field action, a configuration change, a patch, or compensating controls?
- What do we tell customers so they can reduce exposure now?
- How do we prevent recurrence through secure-by-design improvements?
Those actions map cleanly to FDA’s lifecycle expectations: secure product development, risk management, transparency, and postmarket response maturity.
A practical approach: “attribution with confidence levels”
If you do need attribution language (for executives, customers, or external reporting), use confidence levels and keep it evidence-led:
- High confidence: multiple independent sources corroborate (rare without government/CTI support)
- Moderate confidence: strong technical indicators, consistent TTP alignment, some corroboration
- Low confidence: limited indicators; plausible but not provable
Rule of thumb: don’t make claims stronger than your evidence. “Observed TTPs consistent with…” is usually safer and more accurate than “It was Group X.”
What to do during an incident (MedTech-focused playbook)
1) Stabilize safety and clinical operations
- Confirm patient safety impact and safe modes
- Coordinate with clinical engineering and customer IT for containment that won’t break care delivery
2) Preserve evidence early
- Collect logs, network captures, authentication events, and relevant cloud audit trails
- Document timelines and system time sources (NTP drift matters more than you think)
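The “clocks don’t match” problem above is concrete enough to show in code. The following is an added example, not code from the original post: it rebuilds one UTC timeline from three evidence trails (a device gateway syslog, a cloud audit record, and a VPN appliance log) and applies a per-source clock correction measured at collection time. All log lines, hostnames, addresses, the UTC-05:00 gateway time zone, the 2024 log year and the 95-second gateway drift are constructed assumptions; with them, the order of the SSH login and the cloud API call flips once the drift is removed, which is exactly the kind of detail that changes an incident narrative.

```python
"""Reconstruct a single UTC timeline from evidence sources with mismatched clocks.

Added example, not code from the original post. The log lines, hostnames,
addresses, time zone, log year and the 95-second clock drift are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Assumptions for the constructed data: the device gateway logs local time
# (UTC-05:00; BSD syslog carries neither zone nor year) and an NTP check at
# collection time showed its clock running 95 s fast. The cloud audit trail is
# UTC and in sync; the VPN appliance prints an explicit offset and is in sync.
LOG_YEAR = 2024
GATEWAY_TZ = timezone(timedelta(hours=-5))

GATEWAY_SYSLOG = [
    "Mar 14 03:12:40 gw01 sshd[2211]: Accepted password for svc_maint from 10.40.7.23 port 51022",
    "Mar 14 03:13:02 gw01 sshd[2211]: pam_unix(sshd:session): session opened for user svc_maint",
]
CLOUD_AUDIT = [
    '{"time":"2024-03-14T08:11:20Z","actor":"svc_maint","action":"ListDevices","src":"203.0.113.9"}',
]
VPN_LOG = [
    "2024-03-14 03:09:58 -0500 tunnel-up user=svc_maint peer=203.0.113.9",
]

# Measured skew per source: (time as logged) minus (true time). It is subtracted.
CLOCK_SKEW = {
    "gateway": timedelta(seconds=95),
    "cloud": timedelta(0),
    "vpn": timedelta(0),
}

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_syslog(line):
    """Parse a BSD syslog line; year and zone come from the assumptions above."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    stamp, _host, message = m.groups()
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR, tzinfo=GATEWAY_TZ)
    return ts, message


def parse_cloud(line):
    """Parse a JSON audit record with an RFC 3339 UTC timestamp."""
    rec = json.loads(line)
    # Python releases before 3.11 reject a trailing 'Z' in fromisoformat()
    ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return ts, f'{rec["actor"]} {rec["action"]} from {rec["src"]}'


def parse_vpn(line):
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM message' lines with an explicit offset."""
    date, clock, offset, message = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return ts, message


SOURCES = [
    ("gateway", GATEWAY_SYSLOG, parse_syslog),
    ("cloud", CLOUD_AUDIT, parse_cloud),
    ("vpn", VPN_LOG, parse_vpn),
]


def build_timeline(correct_skew=True):
    """Return (utc_time, source, message) tuples sorted into chronological order."""
    events = []
    for source, lines, parser in SOURCES:
        for line in lines:
            ts, message = parser(line)
            if correct_skew:
                ts -= CLOCK_SKEW[source]
            events.append((ts.astimezone(timezone.utc), source, message))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for label, timeline in (("raw clocks", build_timeline(False)), ("skew corrected", build_timeline())):
        print(f"--- {label}")
        for ts, source, message in timeline:
            print(f"{ts.isoformat()}  {source:8}  {message}")
```

Record the skew you measured alongside the raw evidence rather than rewriting the original files: the unmodified logs stay defensible, and the correction is a documented, reproducible step in the timeline.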
3) Map observed behavior to TTPs
Using ATT&CK mapping helps you describe behavior consistently, identify defensive gaps, and prioritize detections. CISA publishes practical guidance on ATT&CK mapping for defenders. (Source: CISA, Best Practices for ATT&CK Mapping (PDF).)
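To tie this step to the confidence levels from the previous section, here is an added example (not code from the original post) that maps constructed incident observations to ATT&CK technique IDs, records which independent evidence trails corroborate each technique, grades the result with the post’s high/moderate/low tiers, and produces “consistent with” wording instead of a flat “It was Group X.” The observations, keyword rules, thresholds and the cluster name CLUSTER-PLACEHOLDER are assumptions; the technique IDs and names are real ATT&CK Enterprise entries.

```python
"""Map observed incident behaviour to ATT&CK technique IDs and grade the
evidence with the confidence tiers used in this post.

Added example, not code from the original post. The observations, keyword
rules, thresholds and cluster name are constructed; the technique IDs and
names are real ATT&CK Enterprise entries.
"""
from collections import defaultdict

ATTACK_TECHNIQUES = {
    "T1078": "Valid Accounts",
    "T1133": "External Remote Services",
    "T1021": "Remote Services",
    "T1053": "Scheduled Task/Job",
    "T1041": "Exfiltration Over C2 Channel",
    "T1110": "Brute Force",
    "T1190": "Exploit Public-Facing Application",
    "T1566": "Phishing",
}

# Constructed keyword rules: an observation containing any phrase maps to the
# technique. In practice these come from analyst-written mapping notes.
MAPPING_RULES = {
    "T1078": ("service account", "svc_", "valid credential"),
    "T1133": ("vpn tunnel", "remote access gateway"),
    "T1021": ("sshd accepted", "rdp session"),
    "T1053": ("cron job", "scheduled task"),
    "T1041": ("outbound transfer", "exfil"),
    "T1110": ("failed password", "login failures"),
    "T1190": ("web shell", "exploit attempt"),
    "T1566": ("phishing", "malicious attachment"),
}

# Constructed observations; "source" names the evidence trail each came from.
OBSERVATIONS = [
    {"source": "vpn", "text": "VPN tunnel established using service account svc_maint from an unfamiliar external address"},
    {"source": "gateway", "text": "sshd accepted password for svc_maint; interactive session opened"},
    {"source": "gateway", "text": "cron job added that runs /tmp/.upd every 10 minutes"},
    {"source": "cloud", "text": "ListDevices and ExportTelemetry API calls by svc_maint outside the maintenance window"},
    {"source": "netflow", "text": "sustained outbound transfer of about 2 GB to a single external host"},
]


def map_observations(observations, rules=MAPPING_RULES):
    """Return {technique_id: set(sources)} so each technique records who corroborates it."""
    hits = defaultdict(set)
    for obs in observations:
        text = obs["text"].lower()
        for technique, phrases in rules.items():
            if any(phrase in text for phrase in phrases):
                hits[technique].add(obs["source"])
    return dict(hits)


def confidence_level(technique_sources, external_corroboration=False):
    """Apply the post's tiers. 'Independent' means distinct evidence trails, not repeated lines."""
    corroborated = [t for t, sources in technique_sources.items() if len(sources) >= 2]
    if external_corroboration and len(corroborated) >= 2:
        return "high"      # several TTPs each seen in 2+ trails, plus outside (CTI/government) corroboration
    if corroborated and len(technique_sources) >= 3:
        return "moderate"  # consistent TTP alignment with some internal corroboration
    return "low"


def attribution_statement(technique_sources, level, suspected_cluster=None):
    """Evidence-led wording: name the behaviours, never assert identity beyond the tier."""
    ids = ", ".join(f"{t} ({ATTACK_TECHNIQUES[t]})" for t in sorted(technique_sources))
    text = f"Observed TTPs: {ids}."
    if suspected_cluster and level in ("high", "moderate"):
        text += (f" These are consistent with activity publicly associated with "
                 f"{suspected_cluster} ({level} confidence).")
    elif suspected_cluster:
        text += f" Evidence is insufficient to associate the activity with {suspected_cluster} (low confidence)."
    return text


if __name__ == "__main__":
    mapped = map_observations(OBSERVATIONS)
    for technique, sources in sorted(mapped.items()):
        print(f"{technique} {ATTACK_TECHNIQUES[technique]:35} corroborated by {sorted(sources)}")
    print(attribution_statement(mapped, confidence_level(mapped), "CLUSTER-PLACEHOLDER"))
```

Keeping the source set per technique is the useful part: it shows at a glance which behaviours rest on a single log and which are corroborated, which is what justifies the confidence tier you attach to any actor language.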
4) Take action without waiting for “who”
- Contain: block IOCs, rotate creds, segment, disable exposed services
- Eradicate: remove persistence, rebuild as needed, validate configurations
- Recover: restore services safely and monitor for re-entry
- Prevent: patch, harden, improve logging, adjust architecture where needed
5) Feed learnings back into your lifecycle program
- Update threat models and secure design requirements
- Improve secure update/patch pipelines
- Refine postmarket monitoring and customer communications
If you want help translating incidents and threat intel into FDA-ready evidence, start with medical device threat modeling and a mature postmarket cybersecurity program.
Key takeaways
- Cyber attribution is hard because attackers reuse tools, hide behind infrastructure, and deliberately plant false flags.
- Medical device manufacturers should prioritize operational attribution: what happened, how it happened, and what reduces risk.
- Use confidence levels and evidence-led language; avoid over-claiming.
- Map behaviors to TTPs (ATT&CK) to drive containment, detection, and long-term engineering fixes.
FAQs
Why is attribution in cyber attacks so difficult?
Attackers can disguise origin through proxies and compromised infrastructure, reuse common tools, and plant misleading indicators (“false flags”). Investigators also often have incomplete logging or visibility.
What is a “false flag” in cybersecurity?
A false flag is a tactic where an attacker intentionally plants artifacts or indicators to mislead investigators into blaming the wrong actor. Research shows cyber false flags are easier to execute than physical-world misdirection and can cause misattribution. (Source: SpringerOpen, “Under false flag”.)
Do we need to identify the threat actor to respond effectively?
Usually not. You can contain and remediate based on observed behavior (IOCs and TTPs), root cause, and exposed attack surfaces. Waiting for definitive attribution often delays the actions that reduce risk.
How should medical device manufacturers talk about attribution with customers?
Stick to observed facts (impacted components, timelines, IOCs, mitigations) and use confidence language if you mention suspected actors. “Consistent with” is typically safer than “confirmed.”
How does MITRE ATT&CK help when attribution is uncertain?
ATT&CK helps you describe what the attacker did (behaviors and techniques) without needing to name the actor. That supports detection engineering, threat hunting, and closing defensive gaps. (Source: MITRE ATT&CK.)
What’s the MedTech best practice: attribution or risk reduction?
Risk reduction. Focus on containment, secure-by-design fixes, improved monitoring, and postmarket readiness—then let strategic attribution be a secondary outcome when evidence supports it.
Conclusion
Attribution makes headlines, but risk reduction keeps products safe. For medical device manufacturers, the most defensible approach is evidence-led: preserve data, map behaviors to TTPs, act quickly on containment and remediation, and feed lessons back into secure development and postmarket processes.
Book a Discovery Session
If you need help building an FDA-aligned incident response and postmarket cybersecurity program—or turning threat modeling and testing into strong submission evidence—let’s talk.