THE internet has changed all sorts of industries, from book delivery to newspaper publishing to pornography. And spying is no exception. On November 23rd Symantec, an American anti-virus firm, announced the discovery of Regin, a complicated piece of malicious software that has been lurking on computer networks in Russia and Saudi Arabia (among other places), stealing whatever secrets have come its way. Only a couple of weeks before, Kaspersky Labs, another anti-virus firm, revealed the existence of DarkHotel, another piece of espionage-ware that targeted corporate bosses and other bigwigs staying at hotels in Asia. Both pieces of software are slick, sophisticated and complicated. For that reason, the anti-virus firms think they are the work of nation states. DarkHotel has been tentatively pinned on South Korea. Regin is thought to be the work of the British, possibly with help from the Americans. But how do anti-virus researchers know where viruses come from?

The answer is that they don't, or at least, not for certain. Indeed, one of the attractions of computerised spying (for the spooks at least) is that it is much more difficult to figure out who is behind any given campaign. Unlike human spies, computer code does not speak with an accent; nor does it have a cover story that can be investigated. So anti-virus researchers must rely on inference, guesswork and what small clues they can scrape together. One of the most famous bits of nation-state malware, Stuxnet, was used to sabotage centrifuges used by Iran's nuclear programme. Suspicion naturally fell on Israel, which is the region's most technologically advanced nation, and which has long feared that Iran is working on a nuclear bomb (there have been rumours that Israel has mulled air strikes against Iranian factories). America, as Israel's chief ally and one of Iran's chief opponents, fell under suspicion as well. Neither country has ever admitted to working on Stuxnet. But American officials have never denied it, either.

Sometimes the code itself can contain clues. DarkHotel's targets, for instance, were mostly in Asia (the largest number of targets were from India, Japan and China). The computer code contained Korean characters, as well as the online alias of a South Korean programmer. One of Regin's modules is called "LEGSPIN", a cricketing term, which might narrow the field of suspects. And the researchers who analysed it have pointed out that Regin seems to very similar (or perhaps even identical) to the software used in an attack on Belgacom, a big Belgian telecommunications firm whose clients include the main institutions of the European Union. Leaks from Edward Snowden, a former American spy, have linked that attack to the British.

But all this is tentative. The spies presumably know that their opponents (as well as civilian security researchers) will try to reverse-engineer any computerised bugs they stumble across. So either the clues that do remain were included accidentally, or they are deliberately designed to deceive. Mikko Hypponen, the boss of F-secure, a Finnish anti-virus firm, points out that early Russian attempts at computerised espionage were deliberately designed to look like they came from China. As always with cases of spying and espionage, nothing is ever certain.