Originally Posted by b1lanc:
Those pointers can easily be forged. The sheer amount of forensic investigation that is involved in determining the source (which can often never be definitively determined) is beyond the scope of one single country or all 'cybersecurity' firms in collaboration. The hosting company may simply have been the first stop in data delivery to unknown parties in unknown countries. Examining the script is also likely non-conclusive. Professionals put inferences in malware to deliberately deceive and obfuscate the originator.
Yes, but IMHO, the first thing they should have done was to secure that VPS and check if it contains any leads to where it was accessed from or where it was forwarding the data to.
Waiting for several days and leaving it up and online doesn't sound like there was much of an investigation in the first place.