Identifying the source doesn’t require tracing the original attack vector backwards.
For argument’s sake, let’s assume a made-up country we’ll call Wussia decides they want to conduct some information warfare. The Wussians have some variant of human command & control that directs some asset to infiltrate networks of some other sovereign nation we’ll call “America” to retrieve information for whatever reason. That Wussian C&C doesn’t operate in a black hole. They have a budget, a geographic footprint, administrative overhead; in other words, they’re connected to all sorts of other nodes within the Wussian government.
Given that broader network, should “America” become aware of the intrusion, it might simply be a matter of deploying “America’s” own packages through some vector into one of those nodes and sniffing around for any information indicating Wussian responsibility for the initial intrusion. They may do this at multiple nodes in multiple countries with whom “America” has a history.
Purely hypothetical.
Just hypothetically, of course.