[Mariner]

A truly sophisticated state actor, or expert private party, could make it look like the hack came from anywhere they wanted.

Your computer included.

[ThunderSleeps]

Agreed, if all they have is IP addresses... Those can be easily spoofed in a packet.

You just have to get the traffic going through a router you control. The router makes it look like the victim system is being accessed from a given IP address - any IP address you pick. The router handles the translation to the real address and sends the packets literally anywhere in the world.

Even MAC addresses can be spoofed.

[delete306]

Identifying the source doesn’t require tracing the original attack vector backwards.

For argument’s sake, let’s assume a made up country we’ll call Wussia decides they want to conduct some information warfare. The Wussians have some variant of human command & control that directs some asset to infiltrate networks of some other sovereign nation we’ll call “America” to retrieve information for whatever reason. That Wussian C&C doesn’t operate in a black hole. They have a budget, a geographic footprint, administrative overhead, in other words they’re connected to all sorts of other nodes within the Wussian government.

Given that broader network, should “America” become aware of the intrusion, it might simply be a matter of deploying “America’s” own packages through some vector into one of those nodes and sniffing around for any information indicating Wussian responsibility for the initial intrusion. They may do this at multiple nodes in multiple countries with whom “America” has a history.

Purely hypothetical.