Also, they aren’t technically criminals if the attackers are state-sponsored and conducting an act of war. “Threat-actor” seems exactly like the type of legalese a government relies on when crafting the story around its own retaliation or justification for future aggression. I think it’s just entered the lexicon when talking about these types of incidents.
https://en.m.wikipedia.org/wiki/Threat_actor
I agree the jargon isn’t great, I’ve seen “attacker” and “malicious user” used in pentest reports and neither of those seems quite right either.