If your company just got pwned, you'll probably be thankful to have an excuse to tell your investors that it was a Russian/etc "state actor" and therefore they should feel sympathy for you being the victim of a foe that far outclasses your assuredly reasonable and competent security measures.
Looks a lot better than getting pwned by some jackass American teenager. So if the attack came from a Russian IP, or used some Cyrillic characters or something like that, there's a "face saving" incentive to take that probable misdirection at face value.
This is right. So many incentives are stacked in favor of making false attributions, specifically to enemy state actors:
- real attacker doesn't want to get caught
- victim doesn't want to admit being pwned by a script kiddy or petty criminal
- military-industrial complex needs foreign threat inflation to stay in business
- media loves the intrigue
The pushback would come from the foreign state being falsely slandered, but they never get a say anyways.