I'm not saying MS isn't the worst. But there are plenty of linux exploits. An expert IT person might keep that up to date but your average business, government agency, hospital is not up to it.
> The Board concludes that Microsoft’s security culture was inadequate. The Board reaches this conclusion based on:
> Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed
> Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021
So I wouldn't call the xz incident as linux specific.
2. I don't know why you oppose Microsoft, a provider of online services in the cloud with Linux, a small piece of software or an OS family depending on your definition.
This is apples vs oranges comparison.
(1) How do you tell a state actor from just hackers looking to make money?
(2) Is this a solvable problem?
I can't imagine most state agencies, hospitals, doctors offices, small businesses, being able to afford good experienced IT staff. I can't imagine outsourcing it to nearly any company and trusting that company. Exceptions might be Google or Apple but neither company provides more than email/docs/spreadsheets. They don't supply bookkeeping, appointments, medical record management, etc... and AFAICT, all the suppliers for those kinds of services have terrible security practices. And, even if Apple and Google could do a good job there's still social engineering.
the recent Ministry of Defence, UK hack was blamed on China, but if you actually dig into it that’s just a hypothesis and it really could have been anyone. If this was happening straight after 9/11 we’d be blaming terrorists, etc.
Since it allows much more fine grained control over data and resource access than contemporary popular systems, https://en.wikipedia.org/wiki/Capability-based_security and the concept of "hollowing out the attack surface with the https://en.wikipedia.org/wiki/Principle_of_least_privilege" can't be mentioned often enough.
Some specific projects to mention are https://en.wikipedia.org/wiki/Fuchsia_(operating_system) ,https://en.wikipedia.org/wiki/Genode and https://en.wikipedia.org/wiki/Qubes_OS
If these don't make it to the mainstream, it is the responsibility of FAANG companies that at least the concepts/mechanisms contained in them do, in other systems. To provide the world with a secure computing substrate.
The benefits have been greatly oversold by BigTech multimillion $$$ sales teams. They are lots of stories of bribery involving these contracts.
Assuming the source of the attribution is acting with pure intentions, it is usually a preponderance of (mostly circumstantial) evidence. Does the malware and MO look similar to past known attacks? Did they leave any localized strings in the binary file, if yes does that nation have an interest in hacking the target? Does the malware use a stack of 0-days and labour-intensive obfuscation techniques (indicating a large amount of resources)? Does the whole picture make sense when you put it all together?
The above is in an ideal world, in reality almost all attributions are political and based on almost nothing. Even if they were based on some other intelligence source, how could a random member of the public verify that?
On top of the difficulty of gathering evidence, there is an incentive alignment between the heads of hacked organizations and intelligence agencies. The hacked company will look better as the victim of a "cyberattack" or a "chinese cyberattack" then as the victim of "random.ransomware.0238023". The intelligence agency can get more funding and PR by proclaiming the same.
Why do you think those governments are not just trying to make money? You should check how much crypto DPRK made from ransomware. Krebs and others wrote about it
