Who was responsible for WikiSaudiLeaks? Why was the campaign not attributed? What can this curious case tell us about the past and future of attributing computer network operations in general, and covert action specifically?
Digital covert action has been on the rise throughout the 2010s, with hack-and-leak operations making up a significant share. The list of high-profile campaigns and operations is long, and ranges from Stuxnet to Shamoon, from Sony to WannaCry, and from the Kiev blackouts to NotPetya. All these major cases have one core feature in common: governments, and in many cases independent researchers from multiple outfits, have attributed these cases with high confidence or even certainty to specific actors. Yet WikiSaudiLeaks stands out: the episode, so far, has not allowed any security company, nonprofit, or government to make a justified and credible attribution claim. The case is also curiously neglected in the literature. Both absences are all the more remarkable given that the covert action has generated an extraordinary amount of press coverage, with hundreds of stories in major outlets.